{
  "threat_severity" : "Important",
  "public_date" : "2019-12-26T00:00:00Z",
  "bugzilla" : {
    "description" : "waitress: HTTP Request Smuggling through Invalid whitespace characters in headers",
    "id" : "1789807",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1789807"
  },
  "cvss3" : {
    "cvss3_base_score" : "8.2",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-444",
  "details" : [ "In Waitress through version 1.4.0, if a proxy server is used in front of waitress, an invalid request may be sent by an attacker that bypasses the front-end and is parsed differently by waitress leading to a potential for HTTP request smuggling. Specially crafted requests containing special whitespace characters in the Transfer-Encoding header would get parsed by Waitress as being a chunked request, but a front-end server would use the Content-Length instead as the Transfer-Encoding header is considered invalid due to containing invalid characters. If a front-end server does HTTP pipelining to a backend Waitress server this could lead to HTTP request splitting which may lead to potential cache poisoning or unexpected information disclosure. This issue is fixed in Waitress 1.4.1 through more strict HTTP field validation.", "An HTTP-interpretation flaw was found in waitress, through version 1.4.0. If a proxy server is used in front of waitress, an invalid request may be sent by an attacker that bypasses the front-end and is parsed differently by waitress leading to a potential for HTTP request smuggling. Specially crafted requests containing special whitespace characters in the Transfer-Encoding header would get parsed by waitress as being a chunked request, but a front-end server would use the Content-Length instead as the Transfer-Encoding header is considered invalid due to containing invalid characters. If a front-end server does HTTP pipelining to a backend Waitress server, an HTTP request splitting could occur which may lead to potential cache poisoning or unexpected information disclosure. This issue is fixed in Waitress 1.4.1 through more strict HTTP field validation. The highest threat from this vulnerability is data integrity." ],
  "statement" : "All affected Red Hat products ship but do not use the flawed version of python-waitress. The impact for these products is therefore rated as having a security impact of Low.\nFor Red Hat OpenStack Platform 13,  because the flaw has a lower impact and  the fix would require a substantial amount of development, no update will be provided at this time for the RHOSP13 python-waitress package.",
  "affected_release" : [ {
    "product_name" : "Red Hat OpenStack Platform 15.0 (Stein)",
    "release_date" : "2020-03-05T00:00:00Z",
    "advisory" : "RHSA-2020:0720",
    "cpe" : "cpe:/a:redhat:openstack:15::el8",
    "package" : "python-waitress-0:1.4.2-1.el8ost",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat Quay 3",
    "release_date" : "2021-02-04T00:00:00Z",
    "advisory" : "RHSA-2021:0420",
    "cpe" : "cpe:/a:redhat:quay:3::el8",
    "package" : "quay/clair-rhel8:v3.4.0-25",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat Quay 3",
    "release_date" : "2021-02-04T00:00:00Z",
    "advisory" : "RHSA-2021:0420",
    "cpe" : "cpe:/a:redhat:quay:3::el8",
    "package" : "quay/quay-bridge-operator-bundle:v3.4.0-3",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat Quay 3",
    "release_date" : "2021-02-04T00:00:00Z",
    "advisory" : "RHSA-2021:0420",
    "cpe" : "cpe:/a:redhat:quay:3::el8",
    "package" : "quay/quay-bridge-operator-rhel8:v3.4.0-17",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat Quay 3",
    "release_date" : "2021-02-04T00:00:00Z",
    "advisory" : "RHSA-2021:0420",
    "cpe" : "cpe:/a:redhat:quay:3::el8",
    "package" : "quay/quay-builder-qemu-rhcos-rhel8:v3.4.0-17",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat Quay 3",
    "release_date" : "2021-02-04T00:00:00Z",
    "advisory" : "RHSA-2021:0420",
    "cpe" : "cpe:/a:redhat:quay:3::el8",
    "package" : "quay/quay-builder-rhel8:v3.4.0-18",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat Quay 3",
    "release_date" : "2021-02-04T00:00:00Z",
    "advisory" : "RHSA-2021:0420",
    "cpe" : "cpe:/a:redhat:quay:3::el8",
    "package" : "quay/quay-container-security-operator-bundle:v3.4.0-2",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat Quay 3",
    "release_date" : "2021-02-04T00:00:00Z",
    "advisory" : "RHSA-2021:0420",
    "cpe" : "cpe:/a:redhat:quay:3::el8",
    "package" : "quay/quay-container-security-operator-rhel8:v3.4.0-2",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat Quay 3",
    "release_date" : "2021-02-04T00:00:00Z",
    "advisory" : "RHSA-2021:0420",
    "cpe" : "cpe:/a:redhat:quay:3::el8",
    "package" : "quay/quay-openshift-bridge-rhel8-operator:v3.4.0-17",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat Quay 3",
    "release_date" : "2021-02-04T00:00:00Z",
    "advisory" : "RHSA-2021:0420",
    "cpe" : "cpe:/a:redhat:quay:3::el8",
    "package" : "quay/quay-operator-bundle:v3.4.0-89",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat Quay 3",
    "release_date" : "2021-02-04T00:00:00Z",
    "advisory" : "RHSA-2021:0420",
    "cpe" : "cpe:/a:redhat:quay:3::el8",
    "package" : "quay/quay-operator-rhel8:v3.4.0-132",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat Quay 3",
    "release_date" : "2021-02-04T00:00:00Z",
    "advisory" : "RHSA-2021:0420",
    "cpe" : "cpe:/a:redhat:quay:3::el8",
    "package" : "quay/quay-rhel8:v3.4.0-51",
    "impact" : "low"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Ceph Storage 3",
    "fix_state" : "Fix deferred",
    "package_name" : "python-waitress",
    "cpe" : "cpe:/a:redhat:ceph_storage:3",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat Ceph Storage 4",
    "fix_state" : "Fix deferred",
    "package_name" : "python-waitress",
    "cpe" : "cpe:/a:redhat:ceph_storage:4",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat OpenStack Platform 13 (Queens)",
    "fix_state" : "Will not fix",
    "package_name" : "python-waitress",
    "cpe" : "cpe:/a:redhat:openstack:13",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat OpenStack Platform 16 (Train)",
    "fix_state" : "Affected",
    "package_name" : "python-waitress",
    "cpe" : "cpe:/a:redhat:openstack:16",
    "impact" : "low"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2019-16789\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-16789\nhttps://docs.pylonsproject.org/projects/waitress/en/latest/#id2" ],
  "name" : "CVE-2019-16789",
  "csaw" : false
}