Zero-friction vulnerability management platform

Mageni eases for you the vulnerability scanning, assessment, and management process. It is free and open-source.

Install Now

Available for macOS, Windows, and Linux

App screenshot

Debian LTS: Security Advisory for waitress (DLA-3000-1)

Information

Severity

Severity

Medium

Family

Family

Debian Local Security Checks

CVSSv2 Base

CVSSv2 Base

6.4

CVSSv2 Vector

CVSSv2 Vector

AV:N/AC:L/Au:N/C:P/I:P/A:N

Solution Type

Solution Type

Vendor Patch

Created

Created

3 months ago

Modified

Modified

2 months ago

Summary

The remote host is missing an update for the 'waitress' package(s) announced via the DLA-3000-1 advisory.

Insight

Insight

Waitress is a Python WSGI server, an application server for Python web apps. Security updates to fix request smuggling bugs, when combined with another http proxy that interprets requests differently. This can lead to a potential for HTTP request smuggling/splitting whereby Waitress may see two requests while the front-end server only sees a single HTTP message. This can result in cache poisoning or unexpected information disclosure. CVE-2019-16785 Only recognise CRLF as a line-terminator, not a plain LF. Before this change waitress could see two requests where the front-end proxy only saw one. CVE-2019-16786 Waitress would parse the Transfer-Encoding header and only look for a single string value, if that value was not 'chunked' it would fall through and use the Content-Length header instead. This could allow for Waitress to treat a single request as multiple requests in the case of HTTP pipelining. CVE-2019-16789 Specially crafted requests containing special whitespace characters in the Transfer-Encoding header would get parsed by Waitress as being a chunked request, but a front-end server would use the Content-Length instead as the Transfer-Encoding header is considered invalid due to containing invalid characters. If a front-end server does HTTP pipelining to a backend Waitress server this could lead to HTTP request splitting which may lead to potential cache poisoning or unexpected information disclosure. CVE-2019-16792 If two Content-Length headers are sent in a single request, Waitress would treat the request as having no body, thereby treating the body of the request as a new request in HTTP pipelining. CVE-2022-24761 There are two classes of vulnerability that may lead to request smuggling that are addressed by this advisory: 1. The use of Python's int() to parse strings into integers, leading to +10 to be parsed as 10, or 0x01 to be parsed as 1, where as the standard specifies that the string should contain only digits or hex digits. 2. Waitress does not support chunk extensions, however it was discarding them without validating that they did not contain illegal characters.

Affected Software

Affected Software

'waitress' package(s) on Debian Linux.

Detection Method

Detection Method

Checks if a vulnerable package version is present on the target host.

Solution

Solution

For Debian 9 stretch, these problems have been fixed in version 1.0.1-1+deb9u1. We recommend that you upgrade your waitress packages.

Common Vulnerabilities and Exposures (CVE)