{ "threat_severity" : "Important", "public_date" : "2019-12-20T00:00:00Z", "bugzilla" : { "description" : "waitress: HTTP request smuggling through LF vs CRLF handling", "id" : "1791420", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1791420" }, "cvss3" : { "cvss3_base_score" : "7.1", "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N", "status" : "verified" }, "cwe" : "CWE-444", "details" : [ "Waitress through version 1.3.1 implemented a \"MAY\" part of the RFC7230 which states: \"Although the line terminator for the start-line and header fields is the sequence CRLF, a recipient MAY recognize a single LF as a line terminator and ignore any preceding CR.\" Unfortunately if a front-end server does not parse header fields with an LF the same way as it does those with a CRLF it can lead to the front-end and the back-end server parsing the same HTTP message in two different ways. This can lead to a potential for HTTP request smuggling/splitting whereby Waitress may see two requests while the front-end server only sees a single HTTP message. This issue is fixed in Waitress 1.4.0.", "An HTTP-request vulnerability was discovered in Waitress which implemented a \"MAY\" part of the RFC7230 which states: \"Although the line terminator for the start-line and header fields is the sequence CRLF, a recipient MAY recognize a single LF as a line terminator and ignore any preceding CR.\" Unfortunately, if a front-end server does not process header fields with an LF the same way as it processes those with a CRLF, it can lead to the front-end and the back-end server processing the same HTTP message in two different ways. This vulnerability can lead to a potential for HTTP request smuggling and splitting where Waitress may see two requests, while the front-end server only sees a single HTTP message." ], "statement" : "All affected Red Hat products ship but do not use the flawed version of python-waitress. The impact for these products is therefore rated as having a security impact of Low.\nIn Red Hat OpenStack Platform 13, because the flawed code is not used and the fix would require a substantial amount of development, no update will be provided at this time for the RHOSP13 python-waitress package.", "affected_release" : [ { "product_name" : "Red Hat OpenStack Platform 15.0 (Stein)", "release_date" : "2020-03-05T00:00:00Z", "advisory" : "RHSA-2020:0720", "cpe" : "cpe:/a:redhat:openstack:15::el8", "package" : "python-waitress-0:1.4.2-1.el8ost", "impact" : "low" }, { "product_name" : "Red Hat Quay 3", "release_date" : "2021-02-04T00:00:00Z", "advisory" : "RHSA-2021:0420", "cpe" : "cpe:/a:redhat:quay:3::el8", "package" : "quay/clair-rhel8:v3.4.0-25", "impact" : "low" }, { "product_name" : "Red Hat Quay 3", "release_date" : "2021-02-04T00:00:00Z", "advisory" : "RHSA-2021:0420", "cpe" : "cpe:/a:redhat:quay:3::el8", "package" : "quay/quay-bridge-operator-bundle:v3.4.0-3", "impact" : "low" }, { "product_name" : "Red Hat Quay 3", "release_date" : "2021-02-04T00:00:00Z", "advisory" : "RHSA-2021:0420", "cpe" : "cpe:/a:redhat:quay:3::el8", "package" : "quay/quay-bridge-operator-rhel8:v3.4.0-17", "impact" : "low" }, { "product_name" : "Red Hat Quay 3", "release_date" : "2021-02-04T00:00:00Z", "advisory" : "RHSA-2021:0420", "cpe" : "cpe:/a:redhat:quay:3::el8", "package" : "quay/quay-builder-qemu-rhcos-rhel8:v3.4.0-17", "impact" : "low" }, { "product_name" : "Red Hat Quay 3", "release_date" : "2021-02-04T00:00:00Z", "advisory" : "RHSA-2021:0420", "cpe" : "cpe:/a:redhat:quay:3::el8", "package" : "quay/quay-builder-rhel8:v3.4.0-18", "impact" : "low" }, { "product_name" : "Red Hat Quay 3", "release_date" : "2021-02-04T00:00:00Z", "advisory" : "RHSA-2021:0420", "cpe" : "cpe:/a:redhat:quay:3::el8", "package" : "quay/quay-container-security-operator-bundle:v3.4.0-2", "impact" : "low" }, { "product_name" : "Red Hat Quay 3", "release_date" : "2021-02-04T00:00:00Z", "advisory" : "RHSA-2021:0420", "cpe" : "cpe:/a:redhat:quay:3::el8", "package" : "quay/quay-container-security-operator-rhel8:v3.4.0-2", "impact" : "low" }, { "product_name" : "Red Hat Quay 3", "release_date" : "2021-02-04T00:00:00Z", "advisory" : "RHSA-2021:0420", "cpe" : "cpe:/a:redhat:quay:3::el8", "package" : "quay/quay-openshift-bridge-rhel8-operator:v3.4.0-17", "impact" : "low" }, { "product_name" : "Red Hat Quay 3", "release_date" : "2021-02-04T00:00:00Z", "advisory" : "RHSA-2021:0420", "cpe" : "cpe:/a:redhat:quay:3::el8", "package" : "quay/quay-operator-bundle:v3.4.0-89", "impact" : "low" }, { "product_name" : "Red Hat Quay 3", "release_date" : "2021-02-04T00:00:00Z", "advisory" : "RHSA-2021:0420", "cpe" : "cpe:/a:redhat:quay:3::el8", "package" : "quay/quay-operator-rhel8:v3.4.0-132", "impact" : "low" }, { "product_name" : "Red Hat Quay 3", "release_date" : "2021-02-04T00:00:00Z", "advisory" : "RHSA-2021:0420", "cpe" : "cpe:/a:redhat:quay:3::el8", "package" : "quay/quay-rhel8:v3.4.0-51", "impact" : "low" } ], "package_state" : [ { "product_name" : "Red Hat Ceph Storage 3", "fix_state" : "Fix deferred", "package_name" : "python-waitress", "cpe" : "cpe:/a:redhat:ceph_storage:3", "impact" : "low" }, { "product_name" : "Red Hat Ceph Storage 4", "fix_state" : "Fix deferred", "package_name" : "python-waitress", "cpe" : "cpe:/a:redhat:ceph_storage:4", "impact" : "low" }, { "product_name" : "Red Hat OpenStack Platform 13 (Queens)", "fix_state" : "Will not fix", "package_name" : "python-waitress", "cpe" : "cpe:/a:redhat:openstack:13", "impact" : "low" }, { "product_name" : "Red Hat OpenStack Platform 16 (Train)", "fix_state" : "Affected", "package_name" : "python-waitress", "cpe" : "cpe:/a:redhat:openstack:16", "impact" : "low" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2019-16785\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-16785\nhttps://docs.pylonsproject.org/projects/waitress/en/latest/#id6" ], "name" : "CVE-2019-16785", "csaw" : false }