CVE-2019-16792: Inconsistent Interpretation of HTTP Requests (HTTP Request Smuggling)

January 22, 2020 (updated January 30, 2020)

Waitress allows request smuggling by sending the Content-Length header twice. Waitress would header fold a double Content-Length header and due to being unable to cast the now comma separated value to an integer would set the Content-Length to 0 internally. If two Content-Length headers are sent in a single request, Waitress treats the body of the request as a new request in HTTP pipelining.

References

nvd.nist.gov/vuln/detail/CVE-2019-16792

Code Behaviors & Features

Detect and mitigate CVE-2019-16792 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →