In Waitress through version 1.4.0, if a proxy server is used in front of waitress, an invalid request may be sent by an attacker that bypasses the front-end and is parsed differently by waitress leading to a potential for HTTP request smuggling.

Specially crafted requests containing special whitespace characters in the Transfer-Encoding header would get parsed by Waitress as being a chunked request, but a front-end server would use the Content-Length instead as the Transfer-Encoding header is considered invalid due to containing invalid characters. If a front-end server does HTTP pipelining to a backend Waitress server this could lead to HTTP request splitting which may lead to potential cache poisoning or unexpected information disclosure.

This issue is fixed in Waitress 1.4.1 through more strict HTTP field validation.

Upstream patch: https://github.com/Pylons/waitress/commit/11d9e138125ad46e951027184b13242a3c1de017

References: https://github.com/Pylons/waitress/security/advisories/GHSA-m5ff-3wj3-8ph4
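The parsing disagreement described above, as an added example that is not part of the original report and not Waitress's own code: a lenient whitespace trim accepts a Transfer-Encoding value that an RFC 7230 style check rejects. All function names and the sample header blocks are constructed for illustration, and transfer-coding parameters are not handled.

```python
import re

OWS = b" \t"  # RFC 7230 optional whitespace: SP and HTAB only
TOKEN = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")  # RFC 7230 token


def parse_headers(raw):
    """Map lowercased field names to raw, untrimmed field values."""
    headers = {}
    for line in raw.split(b"\r\n"):
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.lower()] = value
    return headers


def codings_strict(value):
    """Return the transfer-coding list, or None if any element is not a token."""
    parts = [p.strip(OWS) for p in value.split(b",")]
    if all(TOKEN.fullmatch(p) for p in parts):
        return [p.lower() for p in parts]
    return None


def lenient_framing(headers):
    """Lenient parser: bytes.strip() also drops \\x0b, \\x0c, CR and LF."""
    te = headers.get(b"transfer-encoding", b"").strip().lower()
    if te == b"chunked":
        return "chunked"
    return "content-length" if b"content-length" in headers else "none"


def front_end_framing(headers):
    """Parser that ignores an invalid Transfer-Encoding and falls back to CL."""
    codings = codings_strict(headers.get(b"transfer-encoding", b""))
    if codings and codings[-1] == b"chunked":
        return "chunked"
    return "content-length" if b"content-length" in headers else "none"


def validate(raw):
    """Strict check: 'reject' on an invalid TE value, else the agreed framing."""
    headers = parse_headers(raw)
    te = headers.get(b"transfer-encoding")
    if te is not None and codings_strict(te) is None:
        return "reject"
    return front_end_framing(headers)


# Constructed samples (not from the advisory): a vertical tab before the coding name.
WELL_FORMED = b"Host: backend.example\r\nContent-Length: 5\r\nTransfer-Encoding: chunked"
MALFORMED = b"Host: backend.example\r\nContent-Length: 5\r\nTransfer-Encoding: \x0bchunked"
```

For the malformed sample the lenient parser frames the body as chunked while the fall-back parser uses Content-Length; rejecting the request outright, as `validate` does, removes the disagreement.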
Created python-waitress tracking bugs for this issue:
  Affects: epel-all [bug 1789810]
  Affects: fedora-all [bug 1789809]
External References: https://docs.pylonsproject.org/projects/waitress/en/latest/#id2
While Red Hat Quay declares a dependency on python-waitress, it doesn't appear to be used in the code. Setting the impact to low for Red Hat Quay. It may be fixed in a future version.
Created python-waitress tracking bugs for this issue: Affects: openstack-rdo [bug 1790780]
This issue has been addressed in the following products:
  Red Hat OpenStack Platform 15.0 (Stein)
  Via RHSA-2020:0720 https://access.redhat.com/errata/RHSA-2020:0720
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-16789
Statement: All affected Red Hat products ship but do not use the flawed version of python-waitress. The impact for these products is therefore rated as having a security impact of Low. For Red Hat OpenStack Platform 13, because the flaw has a lower impact and the fix would require a substantial amount of development, no update will be provided at this time for the RHOSP13 python-waitress package.
This issue has been addressed in the following products:
  Red Hat Quay 3
  Via RHSA-2021:0420 https://access.redhat.com/errata/RHSA-2021:0420