{"id":"PYSEC-2020-178","details":"Waitress through version 1.3.1 allows request smuggling by sending the Content-Length header twice. Waitress would header fold a double Content-Length header and due to being unable to cast the now comma separated value to an integer would set the Content-Length to 0 internally. If two Content-Length headers are sent in a single request, Waitress would treat the request as having no body, thereby treating the body of the request as a new request in HTTP pipelining. This issue is fixed in Waitress 1.4.0.","aliases":["CVE-2019-16792","GHSA-4ppp-gpcr-7qf6","GHSA-j7j6-7hfx-5522"],"modified":"2023-11-08T04:01:21.890990Z","published":"2020-01-22T19:15:00Z","references":[{"type":"WEB","url":"https://docs.pylonsproject.org/projects/waitress/en/latest/#security-fixes"},{"type":"FIX","url":"https://github.com/Pylons/waitress/commit/575994cd42e83fd772a5f7ec98b2c56751bd3f65"},{"type":"ADVISORY","url":"https://github.com/Pylons/waitress/security/advisories/GHSA-4ppp-gpcr-7qf6"},{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-j7j6-7hfx-5522"}],"affected":[{"package":{"name":"waitress","ecosystem":"PyPI","purl":"pkg:pypi/waitress"},"ranges":[{"type":"GIT","repo":"https://github.com/Pylons/waitress","events":[{"introduced":"0"},{"fixed":"575994cd42e83fd772a5f7ec98b2c56751bd3f65"}]},{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.4.0"}]}],"versions":["0.1","0.2","0.3","0.4","0.5","0.6","0.6.1","0.7","0.8","0.8.1","0.8.2","0.8.3","0.8.4","0.8.5","0.8.6","0.8.7","0.8.8","0.8.9","0.8.10","0.8.11b0","0.9.0b0","0.9.0b1","0.9.0","1.0a1","1.0a2","1.0.0","1.0.1","1.0.2","1.1.0","1.2.0b1","1.2.0b2","1.2.0b3","1.2.0","1.2.1","1.3.0b0","1.3.0","1.3.1"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/waitress/PYSEC-2020-178.yaml"}}],"schema_version":"1.7.3"}