{ "threat_severity" : "Important", "public_date" : "2019-12-20T00:00:00Z", "bugzilla" : { "description" : "waitress: HTTP request smuggling through invalid Transfer-Encoding", "id" : "1791415", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1791415" }, "cvss3" : { "cvss3_base_score" : "7.1", "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N", "status" : "verified" }, "cwe" : "CWE-444", "details" : [ "Waitress through version 1.3.1 would parse the Transfer-Encoding header and only look for a single string value, if that value was not chunked it would fall through and use the Content-Length header instead. According to the HTTP standard Transfer-Encoding should be a comma separated list, with the inner-most encoding first, followed by any further transfer codings, ending with chunked. Requests sent with: \"Transfer-Encoding: gzip, chunked\" would incorrectly get ignored, and the request would use a Content-Length header instead to determine the body size of the HTTP message. This could allow for Waitress to treat a single request as multiple requests in the case of HTTP pipelining. This issue is fixed in Waitress 1.4.0.", "An HTTP-interpretation flaw was found in waitress which did not properly validate incoming HTTP headers. When parsing the Transfer-Encoding header, waitress would look only for a single string value. According to the HTTP standard, Transfer-Encoding should be a comma-separated list, with the inner-most encoding first, followed by any further transfer codings, ending with 'chunked'. Because of this flaw, requests sent with: \"Transfer-Encoding: gzip, chunked\" would get ignored, and waitress would use the Content-Length header instead to determine the body size of the HTTP message. A remote attacker could exploit this flaw to force waitress to accept potentially bad HTTP requests or treat a single request as multiple requests in the case of HTTP pipelining." ], "statement" : "All affected Red Hat products ship but do not use the flawed version of python-waitress. The impact for these products is therefore rated as having a security impact of Low.\nIn Red Hat OpenStack Platform 13, because the flawed code is not used and the fix would require a substantial amount of development, no update will be provided at this time for the RHOSP13 python-waitress package.", "affected_release" : [ { "product_name" : "Red Hat OpenStack Platform 15.0 (Stein)", "release_date" : "2020-03-05T00:00:00Z", "advisory" : "RHSA-2020:0720", "cpe" : "cpe:/a:redhat:openstack:15::el8", "package" : "python-waitress-0:1.4.2-1.el8ost", "impact" : "low" }, { "product_name" : "Red Hat Quay 3", "release_date" : "2021-02-04T00:00:00Z", "advisory" : "RHSA-2021:0420", "cpe" : "cpe:/a:redhat:quay:3::el8", "package" : "quay/clair-rhel8:v3.4.0-25", "impact" : "low" }, { "product_name" : "Red Hat Quay 3", "release_date" : "2021-02-04T00:00:00Z", "advisory" : "RHSA-2021:0420", "cpe" : "cpe:/a:redhat:quay:3::el8", "package" : "quay/quay-bridge-operator-bundle:v3.4.0-3", "impact" : "low" }, { "product_name" : "Red Hat Quay 3", "release_date" : "2021-02-04T00:00:00Z", "advisory" : "RHSA-2021:0420", "cpe" : "cpe:/a:redhat:quay:3::el8", "package" : "quay/quay-bridge-operator-rhel8:v3.4.0-17", "impact" : "low" }, { "product_name" : "Red Hat Quay 3", "release_date" : "2021-02-04T00:00:00Z", "advisory" : "RHSA-2021:0420", "cpe" : "cpe:/a:redhat:quay:3::el8", "package" : "quay/quay-builder-qemu-rhcos-rhel8:v3.4.0-17", "impact" : "low" }, { "product_name" : "Red Hat Quay 3", "release_date" : "2021-02-04T00:00:00Z", "advisory" : "RHSA-2021:0420", "cpe" : "cpe:/a:redhat:quay:3::el8", "package" : "quay/quay-builder-rhel8:v3.4.0-18", "impact" : "low" }, { "product_name" : "Red Hat Quay 3", "release_date" : "2021-02-04T00:00:00Z", "advisory" : "RHSA-2021:0420", "cpe" : "cpe:/a:redhat:quay:3::el8", "package" : "quay/quay-container-security-operator-bundle:v3.4.0-2", "impact" : "low" }, { "product_name" : "Red Hat Quay 3", "release_date" : "2021-02-04T00:00:00Z", "advisory" : "RHSA-2021:0420", "cpe" : "cpe:/a:redhat:quay:3::el8", "package" : "quay/quay-container-security-operator-rhel8:v3.4.0-2", "impact" : "low" }, { "product_name" : "Red Hat Quay 3", "release_date" : "2021-02-04T00:00:00Z", "advisory" : "RHSA-2021:0420", "cpe" : "cpe:/a:redhat:quay:3::el8", "package" : "quay/quay-openshift-bridge-rhel8-operator:v3.4.0-17", "impact" : "low" }, { "product_name" : "Red Hat Quay 3", "release_date" : "2021-02-04T00:00:00Z", "advisory" : "RHSA-2021:0420", "cpe" : "cpe:/a:redhat:quay:3::el8", "package" : "quay/quay-operator-bundle:v3.4.0-89", "impact" : "low" }, { "product_name" : "Red Hat Quay 3", "release_date" : "2021-02-04T00:00:00Z", "advisory" : "RHSA-2021:0420", "cpe" : "cpe:/a:redhat:quay:3::el8", "package" : "quay/quay-operator-rhel8:v3.4.0-132", "impact" : "low" }, { "product_name" : "Red Hat Quay 3", "release_date" : "2021-02-04T00:00:00Z", "advisory" : "RHSA-2021:0420", "cpe" : "cpe:/a:redhat:quay:3::el8", "package" : "quay/quay-rhel8:v3.4.0-51", "impact" : "low" } ], "package_state" : [ { "product_name" : "Red Hat Ceph Storage 3", "fix_state" : "Fix deferred", "package_name" : "python-waitress", "cpe" : "cpe:/a:redhat:ceph_storage:3", "impact" : "low" }, { "product_name" : "Red Hat Ceph Storage 4", "fix_state" : "Fix deferred", "package_name" : "python-waitress", "cpe" : "cpe:/a:redhat:ceph_storage:4", "impact" : "low" }, { "product_name" : "Red Hat OpenStack Platform 13 (Queens)", "fix_state" : "Will not fix", "package_name" : "python-waitress", "cpe" : "cpe:/a:redhat:openstack:13", "impact" : "low" }, { "product_name" : "Red Hat OpenStack Platform 16 (Train)", "fix_state" : "Affected", "package_name" : "python-waitress", "cpe" : "cpe:/a:redhat:openstack:16", "impact" : "low" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2019-16786\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-16786\nhttps://docs.pylonsproject.org/projects/waitress/en/latest/#id6" ], "name" : "CVE-2019-16786", "csaw" : false }