{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-06-24T19:01:03.645","vulnerabilities":[{"cve":{"id":"CVE-2019-16792","sourceIdentifier":"security-advisories@github.com","published":"2020-01-22T19:15:11.140","lastModified":"2026-06-17T02:22:48.853","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"Waitress through version 1.3.1 allows request smuggling by sending the Content-Length header twice. Waitress would fold the two Content-Length headers into a single comma-separated value and, being unable to cast that value to an integer, would set the Content-Length to 0 internally. As a result, if two Content-Length headers are sent in a single request, Waitress would treat the request as having no body and would therefore treat the body of the request as a new request in HTTP pipelining. This issue is fixed in Waitress 1.4.0."},{"lang":"es","value":"Waitress, hasta la versión 1.3.1, permite el tráfico no autorizado de peticiones mediante el envío del encabezado Content-Length dos veces. Waitress doblará un encabezado Content-Length doble y, al no ser capaz de convertir el valor ahora separado por comas en un entero, establecerá Content-Length en 0 internamente. Si dos encabezados Content-Length se envían en una sola petición, Waitress trataría la petición como si no tuviera cuerpo, por lo que trataría el cuerpo de la petición como una nueva petición en HTTP pipelining. 
Este problema es corregido en Waitress versión 1.4.0."}],"affected":[{"source":"security-advisories@github.com","affectedData":[{"vendor":"Pylons","product":"Waitress","versions":[{"version":"<= 1.3.1","lessThanOrEqual":"1.3.1","versionType":"custom","status":"affected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N","baseScore":7.1,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"LOW","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":1.8,"impactScore":4.7},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":3.6}],"cvssMetricV2":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:N/I:P/A:N","baseScore":5.0,"accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"NONE","integrityImpact":"PARTIAL","availabilityImpact":"NONE"},"baseSeverity":"MEDIUM","exploitabilityScore":10.0,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-444"}]},{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-444"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criter
ia":"cpe:2.3:a:agendaless:waitress:*:*:*:*:*:*:*:*","versionEndIncluding":"1.3.1","matchCriteriaId":"2A7E9C06-F243-47BE-984D-8247F2F179FE"}]}]},{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:oracle:communications_cloud_native_core_network_function_cloud_native_environment:1.10.0:*:*:*:*:*:*:*","matchCriteriaId":"C2A5B24D-BDF2-423C-98EA-A40778C01A05"}]}]},{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*","matchCriteriaId":"DEECE5FC-CACF-4496-A3E7-164736409252"}]}]}],"references":[{"url":"https://docs.pylonsproject.org/projects/waitress/en/latest/#security-fixes","source":"security-advisories@github.com","tags":["Release Notes"]},{"url":"https://github.com/Pylons/waitress/commit/575994cd42e83fd772a5f7ec98b2c56751bd3f65","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/Pylons/waitress/security/advisories/GHSA-4ppp-gpcr-7qf6","source":"security-advisories@github.com","tags":["Third Party Advisory"]},{"url":"https://lists.debian.org/debian-lts-announce/2022/05/msg00011.html","source":"security-advisories@github.com","tags":["Mailing List","Third Party Advisory"]},{"url":"https://www.oracle.com/security-alerts/cpuapr2022.html","source":"security-advisories@github.com","tags":["Patch","Third Party Advisory"]},{"url":"https://docs.pylonsproject.org/projects/waitress/en/latest/#security-fixes","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Release Notes"]},{"url":"https://github.com/Pylons/waitress/commit/575994cd42e83fd772a5f7ec98b2c56751bd3f65","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"]},{"url":"https://github.com/Pylons/waitress/security/advisories/GHSA-4ppp-gpcr-7qf6","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party 
Advisory"]},{"url":"https://lists.debian.org/debian-lts-announce/2022/05/msg00011.html","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Third Party Advisory"]},{"url":"https://www.oracle.com/security-alerts/cpuapr2022.html","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch","Third Party Advisory"]}]}}]}