CVE-2019-16792
📋 TL;DR
CVE-2019-16792 is an HTTP request smuggling vulnerability in the Waitress web server. By sending a request with duplicate Content-Length headers, an attacker can cause Waitress and a front-end proxy to disagree on where one request ends and the next begins, bypassing security controls. It affects all systems running Waitress versions 1.3.1 and earlier, and can enable cache poisoning, authentication bypass, or other request-smuggling attacks.
💻 Affected Systems
- Waitress
📦 What is this software?
- Waitress by Agendaless
- Communications Cloud Native Core Network Function Cloud Native Environment by Oracle
⚠️ Risk & Real-World Impact
Worst Case
Attackers could poison web caches, bypass authentication mechanisms, perform cross-user attacks, or smuggle requests to backend systems that interpret them differently.
Likely Case
Cache poisoning leading to stored XSS, authentication bypass for protected endpoints, or request smuggling to backend applications.
If Mitigated
Limited impact with proper network segmentation, WAF protection, and updated systems.
🎯 Exploit Status
Exploitation requires sending specially crafted HTTP requests with duplicate Content-Length headers.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.4.0 and later
Vendor Advisory: https://github.com/Pylons/waitress/security/advisories/GHSA-4ppp-gpcr-7qf6
Restart Required: Yes
Instructions:
1. Update Waitress to version 1.4.0 or later using pip (the version specifier must be quoted so the shell does not treat `>=` as a redirect): pip install --upgrade 'waitress>=1.4.0'
2. Restart all Waitress services
3. Verify the update with: waitress-serve --version
🔧 Temporary Workarounds
WAF/Proxy Filtering
Configure web application firewalls or reverse proxies to reject requests with duplicate Content-Length headers.
🧯 If You Can't Patch
- Deploy a reverse proxy or WAF that can detect and block duplicate Content-Length headers
- Implement network segmentation to isolate vulnerable Waitress instances from critical backend systems
🔍 How to Verify
Check if Vulnerable:
Check Waitress version (matches any 0.x release or 1.0 through 1.3, i.e. 1.3.1 and earlier): waitress-serve --version | grep -E '(^|[^0-9.])(0\.[0-9]+|1\.[0-3])\.[0-9]+'
Check Version:
waitress-serve --version
Verify Fix Applied:
Confirm version is 1.4.0 or higher (matches 1.4 through 1.99 and any 2.x or later release): waitress-serve --version | grep -E '(^|[^0-9.])(1\.([4-9]|[1-9][0-9])|[2-9]\.[0-9]+)\.[0-9]+'
📡 Detection & Monitoring
Log Indicators:
- Multiple Content-Length headers in single requests
- Malformed HTTP requests
- Unexpected request processing errors
Network Indicators:
- HTTP requests with duplicate Content-Length headers
- Abnormal request/response patterns
SIEM Query:
source="waitress.log" AND "Content-Length" AND (duplicate OR multiple OR "Content-Length, Content-Length")
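The following is an added example written for this page, not code from the Waitress project or from the advisory. It implements the check that the WAF/proxy workaround above asks for and the "multiple Content-Length headers in a single request" log indicator: it parses a raw HTTP request head and reports whether Content-Length is absent, single, duplicated with identical values, or duplicated with conflicting values, following RFC 7230 section 3.3.2. It assumes the caller (a proxy hook, WAF rule engine, or log-replay script) can hand over the request head as bytes; the sample requests and their names are constructed here for illustration.

```python
"""Flag HTTP request heads that carry duplicate or conflicting Content-Length headers.

Added example for this advisory, not Waitress project code. It assumes the caller
(a reverse proxy hook, WAF rule engine or log replay script) can hand over the raw
request head as bytes. The sample requests below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Verdict:
    ok: bool                          # True = forward the request, False = reject / alert
    reason: str                       # human-readable explanation for the log line
    content_length: Optional[int] = None


def parse_head(raw: bytes) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a request head (bytes up to the first blank line) into the request
    line and a list of (lowercased-name, value) pairs. Order and repeats are
    preserved so that duplicate fields stay visible to the caller."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers: List[Tuple[str, str]] = []
    for line in lines[1:]:
        if not line:
            continue
        if line[0] in " \t":  # obsolete line folding: append to the previous field
            if not headers:
                raise ValueError("continuation line before any header")
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
            continue
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def check_content_length(raw: bytes, strict: bool = True) -> Verdict:
    """Apply the RFC 7230 section 3.3.2 rules for Content-Length.

    strict=True  : reject any repeated Content-Length field line and any
                   comma-separated list, which is what the WAF/proxy workaround
                   on this page asks for.
    strict=False : the minimum the RFC allows: identical repeated values are
                   merged into one, differing values are rejected.
    """
    try:
        _, headers = parse_head(raw)
    except ValueError as exc:
        return Verdict(False, f"malformed head: {exc}")

    field_lines = [v for n, v in headers if n == "content-length"]
    if not field_lines:
        return Verdict(True, "no Content-Length header")

    # "Content-Length: 5, 5" is a single field line carrying two values
    values = [v.strip() for line in field_lines for v in line.split(",")]

    if strict and (len(field_lines) > 1 or len(values) > 1):
        return Verdict(False, f"duplicate Content-Length ({len(values)} values: {values})")
    if len(set(values)) > 1:
        return Verdict(False, f"conflicting Content-Length values {values}")

    value = values[0]
    if not value.isdigit():
        return Verdict(False, f"non-numeric Content-Length {value!r}")
    note = "single Content-Length" if len(values) == 1 else "identical duplicates merged"
    return Verdict(True, note, int(value))


# Constructed sample request heads (not captured traffic); names are illustrative
SAMPLES = {
    "clean":       b"POST /login HTTP/1.1\r\nHost: app.example\r\nContent-Length: 5\r\n\r\nhello",
    "no_body":     b"GET / HTTP/1.1\r\nHost: app.example\r\n\r\n",
    "dup_same":    b"POST /x HTTP/1.1\r\nHost: app.example\r\nContent-Length: 5\r\nContent-Length: 5\r\n\r\nhello",
    "dup_differ":  b"POST /x HTTP/1.1\r\nHost: app.example\r\nContent-Length: 5\r\nContent-Length: 50\r\n\r\nhello",
    "list_value":  b"POST /x HTTP/1.1\r\nHost: app.example\r\nContent-Length: 5, 5\r\n\r\nhello",
    "non_numeric": b"POST /x HTTP/1.1\r\nHost: app.example\r\nContent-Length: 5abc\r\n\r\nhello",
}


def flagged(samples=SAMPLES, strict: bool = True) -> List[str]:
    """Return the names of the samples that the filter would reject."""
    return [name for name, raw in samples.items() if not check_content_length(raw, strict).ok]


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        v = check_content_length(raw)
        print(f"{name:12s} {'ALLOW' if v.ok else 'REJECT':6s} {v.reason}")
```

In strict mode the filter rejects every repeated or list-valued Content-Length, which is the safe setting for a proxy in front of an unpatched Waitress instance; the non-strict mode shows the RFC's minimum behaviour and is useful when replaying access logs to separate genuinely conflicting requests (the smuggling pattern) from harmless duplicates merged by an upstream component.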
🔗 References
- https://docs.pylonsproject.org/projects/waitress/en/latest/#security-fixes
- https://github.com/Pylons/waitress/commit/575994cd42e83fd772a5f7ec98b2c56751bd3f65
- https://github.com/Pylons/waitress/security/advisories/GHSA-4ppp-gpcr-7qf6
- https://lists.debian.org/debian-lts-announce/2022/05/msg00011.html
- https://www.oracle.com/security-alerts/cpuapr2022.html