Waitress
CVE-2020-5236
MEDIUM
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
1Blast Radius
ecosystem impact- 2 pypi packages depend on waitress (2 direct, 0 indirect)
Ecosystem-wide dependent count for version 1.4.2.
DescriptionNVD
Waitress version 1.4.2 allows a DOS attack When waitress receives a header that contains invalid characters. When a header like "Bad-header: xxxxxxxxxxxxxxx\x10" is received, it will cause the regular expression engine to catastrophically backtrack causing the process to use 100% CPU time and blocking any other interactions. This allows an attacker to send a single request with an invalid header and take the service offline. This issue was introduced in version 1.4.2 when the regular expression was updated to attempt to match the behaviour required by errata associated with RFC7230. The regular expression that is used to validate incoming headers has been updated in version 1.4.3, it is recommended that people upgrade to the new version of Waitress as soon as possible.
AnalysisAI
Waitress version 1.4.2 allows a DOS attack When waitress receives a header that contains invalid characters. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.
Technical ContextAI
This vulnerability is classified as Uncontrolled Resource Consumption (CWE-400), which allows attackers to cause denial of service by exhausting system resources. Waitress version 1.4.2 allows a DOS attack When waitress receives a header that contains invalid characters. When a header like "Bad-header: xxxxxxxxxxxxxxx\x10" is received, it will cause the regular expression engine to catastrophically backtrack causing the process to use 100% CPU time and blocking any other interactions. This allows an attacker to send a single request with an invalid header and take the service offline. This issue was introduced in version 1.4.2 when the regular expression was updated to attempt to match the behaviour required by errata associated with RFC7230. The regular expression that is used to validate incoming headers has been updated in version 1.4.3, it is recommended that people upgrade to the new version of Waitress as soon as possible. Affected products include: Agendaless Waitress. Version information: version 1.4.2.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Implement rate limiting, set resource quotas, validate input sizes, use timeouts.
Waitress through version 1.3.1 implemented a "MAY" part of the RFC7230 which states: "Although the line terminator for t
Waitress is a Web Server Gateway Interface server for Python 2 and 3. Rated medium severity (CVSS 5.9), this vulnerabili
In Waitress through version 1.4.0, if a proxy server is used in front of waitress, an invalid request may be sent by an
Waitress is a Web Server Gateway Interface server for Python 2 and 3. Rated high severity (CVSS 7.5), this vulnerability
Waitress is a Web Server Gateway Interface server for Python 2 and 3. Rated high severity (CVSS 7.5), this vulnerability
Waitress through version 1.3.1 would parse the Transfer-Encoding header and only look for a single string value, if that
Waitress is a Web Server Gateway Interface server for Python 2 and 3. Rated medium severity (CVSS 4.8), this vulnerabili
Same weakness CWE-400 – Uncontrolled Resource Consumption
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today