{"url":"http://public2.vulnerablecode.io/api/packages/134149?format=json","purl":"pkg:deb/debian/waitress@3.0.2-2?distro=trixie","type":"deb","namespace":"debian","name":"waitress","version":"3.0.2-2","qualifiers":{"distro":"trixie"},"subpath":"","is_vulnerable":false,"next_non_vulnerable_version":null,"latest_non_vulnerable_version":null,"affected_by_vulnerabilities":[],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/35465?format=json","vulnerability_id":"VCID-2tuq-pc83-cqe8","summary":"Waitress through version 1.3.1 would parse the Transfer-Encoding header and only look for a single string value, if that value was not chunked it would fall through and use the Content-Length header instead. According to the HTTP standard Transfer-Encoding should be a comma separated list, with the inner-most encoding first, followed by any further transfer codings, ending with chunked. Requests sent with: \"Transfer-Encoding: gzip, chunked\" would incorrectly get ignored, and the request would use a Content-Length header instead to determine the body size of the HTTP message. This could allow for Waitress to treat a single request as multiple requests in the case of HTTP pipelining. 
This issue is fixed in Waitress 1.4.0.","references":[{"reference_url":"https://access.redhat.com/errata/RHSA-2020:0720","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://access.redhat.com/errata/RHSA-2020:0720"},{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-16786.json","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-16786.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2019-16786","reference_id":"","reference_type":"","scores":[{"value":"0.00795","scoring_system":"epss","scoring_elements":"0.74325","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00795","scoring_system":"epss","scoring_elements":"0.74356","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00795","scoring_system":"epss","scoring_elements":"0.74318","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00795","scoring_system":"epss","scoring_elements":"0.74351","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00795","scoring_system":"epss","scoring_elements":"0.74352","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00795","scoring_system":"epss","scoring_elements":"0.74343","published_at":"2026-06-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2019-16786"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16786","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16786"},{"reference_url":"https://docs.pylonsproject.org/projects/waitress/en/la
test/#security-fixes","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://docs.pylonsproject.org/projects/waitress/en/latest/#security-fixes"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/Pylons/waitress","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Pylons/waitress"},{"reference_url":"https://github.com/Pylons/waitress/commit/f11093a6b3240fc26830b6111e826128af7771c3","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Pylons/waitress/commit/f11093a6b3240fc26830b6111e826128af7771c3"},{"reference_url":"https://github.com/Pylons/waitress/security/advisories/GHSA-g2xc-35jw-c63p","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1
","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Pylons/waitress/security/advisories/GHSA-g2xc-35jw-c63p"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/waitress/PYSEC-2019-137.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/waitress/PYSEC-2019-137.yaml"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2022/05/msg00011.html","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2022/05/msg00011.html"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GVDHR2DNKCNQ7YQXISJ45NT4IQDX3LJ7","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"gener
ic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GVDHR2DNKCNQ7YQXISJ45NT4IQDX3LJ7"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GVDHR2DNKCNQ7YQXISJ45NT4IQDX3LJ7/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GVDHR2DNKCNQ7YQXISJ45NT4IQDX3LJ7/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYEOTGWJZVKPRXX2HBNVIYWCX73QYPM5","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYEOTGWJZVKPRXX2HBNVIYWCX73QYPM5"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYEOTGWJZVKPRXX2HBNVIYWCX73QYPM5/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYEOTGWJZVKPRXX2HBNVIYWCX73QYPM5/"},{"reference_url":"https://www.oracle.com/security-alerts/cpuapr2022.html","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"ref
erence_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1791415","reference_id":"1791415","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1791415"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947306","reference_id":"947306","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947306"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2019-16786","reference_id":"CVE-2019-16786","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-16786"},{"reference_url":"https://github.com/advisories/GHSA-g2xc-35jw-c63p","reference_id":"GHSA-g2xc-35jw-c63p","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-g2xc-35jw-c63p"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:0420","reference_id":"RHSA-2021:0420","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:0420"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/134147?format=json","purl":"pkg:deb/debian/waitress@1.4.1-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/waitress@1.4.1-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/134148?format=json","purl":"pkg:deb/debian/waitress@1.4.4-1.1%2Bdeb11u1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/waitress@1.4.4-1.1%252Bdeb11u1%3Fdistro=trixie"},{"url":"http://public2.vulner
ablecode.io/api/packages/134146?format=json","purl":"pkg:deb/debian/waitress@2.1.2-2%2Bdeb12u1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/waitress@2.1.2-2%252Bdeb12u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/134150?format=json","purl":"pkg:deb/debian/waitress@3.0.2-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/waitress@3.0.2-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/134149?format=json","purl":"pkg:deb/debian/waitress@3.0.2-2?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/waitress@3.0.2-2%3Fdistro=trixie"}],"aliases":["CVE-2019-16786","GHSA-g2xc-35jw-c63p","PYSEC-2019-137"],"risk_score":3.2,"exploitability":"0.5","weighted_severity":"6.4","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-2tuq-pc83-cqe8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/35487?format=json","vulnerability_id":"VCID-3664-qefb-hkct","summary":"Waitress through version 1.3.1 allows request smuggling by sending the Content-Length header twice. Waitress would header fold a double Content-Length header and due to being unable to cast the now comma separated value to an integer would set the Content-Length to 0 internally. If two Content-Length headers are sent in a single request, Waitress would treat the request as having no body, thereby treating the body of the request as a new request in HTTP pipelining. 
This issue is fixed in Waitress 1.4.0.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2019-16792","reference_id":"","reference_type":"","scores":[{"value":"0.00851","scoring_system":"epss","scoring_elements":"0.75289","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00851","scoring_system":"epss","scoring_elements":"0.75257","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00851","scoring_system":"epss","scoring_elements":"0.75293","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00851","scoring_system":"epss","scoring_elements":"0.75267","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00851","scoring_system":"epss","scoring_elements":"0.75286","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00851","scoring_system":"epss","scoring_elements":"0.75281","published_at":"2026-06-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2019-16792"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16792","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16792"},{"reference_url":"https://docs.pylonsproject.org/projects/waitress/en/latest/#security-fixes","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://docs.pylonsproject.org/projects/waitress/en/latest/#security-fixes"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/advisories/GHSA-j7j6-7hfx-5522","referen
ce_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-j7j6-7hfx-5522"},{"reference_url":"https://github.com/Pylons/waitress","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Pylons/waitress"},{"reference_url":"https://github.com/Pylons/waitress/commit/575994cd42e83fd772a5f7ec98b2c56751bd3f65","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Pylons/waitress/commit/575994cd42e83fd772a5f7ec98b2c56751bd3f65"},{"reference_url":"https://github.com/Pylons/waitress/security/advisories/GHSA-4ppp-gpcr-7qf6","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Pylons/waitress/security/advisories/GHSA-4ppp-gpcr-7qf6"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/waitress/PYSEC-2020-178.yaml","reference_id":"","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/waitress/PYSEC-2020-178.yaml"},{"reference_url":"https:
//lists.debian.org/debian-lts-announce/2022/05/msg00011.html","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2022/05/msg00011.html"},{"reference_url":"https://www.oracle.com/security-alerts/cpuapr2022.html","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2019-16792","reference_id":"CVE-2019-16792","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-16792"},{"reference_url":"https://github.com/advisories/GHSA-4ppp-gpcr-7qf6","reference_id":"GHSA-4ppp-gpcr-7qf6","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-4ppp-gpcr-7qf6"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/134147?format=json","purl":"pkg:deb/debian/waitress@1.4.1-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/waitress@1.4.1-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/134148?format=json
","purl":"pkg:deb/debian/waitress@1.4.4-1.1%2Bdeb11u1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/waitress@1.4.4-1.1%252Bdeb11u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/134146?format=json","purl":"pkg:deb/debian/waitress@2.1.2-2%2Bdeb12u1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/waitress@2.1.2-2%252Bdeb12u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/134150?format=json","purl":"pkg:deb/debian/waitress@3.0.2-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/waitress@3.0.2-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/134149?format=json","purl":"pkg:deb/debian/waitress@3.0.2-2?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/waitress@3.0.2-2%3Fdistro=trixie"}],"aliases":["CVE-2019-16792","GHSA-4ppp-gpcr-7qf6","GHSA-j7j6-7hfx-5522","PYSEC-2020-178"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-3664-qefb-hkct"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/35505?format=json","vulnerability_id":"VCID-5g9e-fz5j-5fg6","summary":"Waitress version 1.4.2 allows a DoS attack when Waitress receives a header that contains invalid characters. When a header like \"Bad-header: xxxxxxxxxxxxxxx\\x10\" is received, it will cause the regular expression engine to catastrophically backtrack causing the process to use 100% CPU time and blocking any other interactions. This allows an attacker to send a single request with an invalid header and take the service offline. 
This issue was introduced in version 1.4.2 when the regular expression was updated to attempt to match the behaviour required by errata associated with RFC7230. The regular expression that is used to validate incoming headers has been updated in version 1.4.3, it is recommended that people upgrade to the new version of Waitress as soon as possible.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-5236.json","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-5236.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-5236","reference_id":"","reference_type":"","scores":[{"value":"0.13332","scoring_system":"epss","scoring_elements":"0.94321","published_at":"2026-06-09T12:55:00Z"},{"value":"0.13332","scoring_system":"epss","scoring_elements":"0.94316","published_at":"2026-06-08T12:55:00Z"},{"value":"0.13332","scoring_system":"epss","scoring_elements":"0.94315","published_at":"2026-06-06T12:55:00Z"},{"value":"0.13332","scoring_system":"epss","scoring_elements":"0.94314","published_at":"2026-06-05T12:55:00Z"},{"value":"0.13332","scoring_system":"epss","scoring_elements":"0.94306","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-5236"},{"reference_url":"https://github.com/Pylons/waitress","reference_id":"","reference_type":"","scores":[{"value":"5.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Pylons/waitress"},{"reference_url":"https://github.com/Pylons/waitress/commit/6e46f9e3f014d64dd7d1e258eaf626e39870ee1f","
reference_id":"","reference_type":"","scores":[{"value":"5.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Pylons/waitress/commit/6e46f9e3f014d64dd7d1e258eaf626e39870ee1f"},{"reference_url":"https://github.com/Pylons/waitress/security/advisories/GHSA-73m2-3pwg-5fgc","reference_id":"","reference_type":"","scores":[{"value":"5.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Pylons/waitress/security/advisories/GHSA-73m2-3pwg-5fgc"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/waitress/PYSEC-2020-155.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/waitress/PYSEC-2020-155.yaml"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1831068","reference_id":"1831068","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1831068"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-5236","reference_id":"CVE-2020-5236","reference_type":"","scores":[{"value":"5.7","scoring_system":"cvssv3.1","sco
ring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-5236"},{"reference_url":"https://github.com/advisories/GHSA-73m2-3pwg-5fgc","reference_id":"GHSA-73m2-3pwg-5fgc","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-73m2-3pwg-5fgc"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/134152?format=json","purl":"pkg:deb/debian/waitress@0?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/waitress@0%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/134148?format=json","purl":"pkg:deb/debian/waitress@1.4.4-1.1%2Bdeb11u1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/waitress@1.4.4-1.1%252Bdeb11u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/134146?format=json","purl":"pkg:deb/debian/waitress@2.1.2-2%2Bdeb12u1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/waitress@2.1.2-2%252Bdeb12u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/134150?format=json","purl":"pkg:deb/debian/waitress@3.0.2-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/waitress@3.0.2-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/134149?format=json","purl":"pkg:deb/debian/waitress@3.0.2-2?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[
],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/waitress@3.0.2-2%3Fdistro=trixie"}],"aliases":["CVE-2020-5236","GHSA-73m2-3pwg-5fgc","PYSEC-2020-155"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-5g9e-fz5j-5fg6"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/35466?format=json","vulnerability_id":"VCID-9gra-5w8b-mfa2","summary":"Waitress through version 1.3.1 implemented a \"MAY\" part of the RFC7230 which states: \"Although the line terminator for the start-line and header fields is the sequence CRLF, a recipient MAY recognize a single LF as a line terminator and ignore any preceding CR.\" Unfortunately if a front-end server does not parse header fields with an LF the same way as it does those with a CRLF it can lead to the front-end and the back-end server parsing the same HTTP message in two different ways. This can lead to a potential for HTTP request smuggling/splitting whereby Waitress may see two requests while the front-end server only sees a single HTTP message. 
This issue is fixed in Waitress 1.4.0.","references":[{"reference_url":"https://access.redhat.com/errata/RHSA-2020:0720","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://access.redhat.com/errata/RHSA-2020:0720"},{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-16785.json","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-16785.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2019-16785","reference_id":"","reference_type":"","scores":[{"value":"0.00795","scoring_system":"epss","scoring_elements":"0.74325","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00795","scoring_system":"epss","scoring_elements":"0.74352","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00795","scoring_system":"epss","scoring_elements":"0.74343","published_at":"2026-06-07T12:55:00Z"},{"value":"0.01023","scoring_system":"epss","scoring_elements":"0.77595","published_at":"2026-06-04T12:55:00Z"},{"value":"0.01023","scoring_system":"epss","scoring_elements":"0.77632","published_at":"2026-06-06T12:55:00Z"},{"value":"0.01023","scoring_system":"epss","scoring_elements":"0.77623","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2019-16785"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16785","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16785"},{"reference_url":"https://docs.pylonsproject.org/projects/waitress/en/la
test/#security-fixes","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://docs.pylonsproject.org/projects/waitress/en/latest/#security-fixes"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/Pylons/waitress","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Pylons/waitress"},{"reference_url":"https://github.com/Pylons/waitress/commit/8eba394ad75deaf9e5cd15b78a3d16b12e6b0eba","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Pylons/waitress/commit/8eba394ad75deaf9e5cd15b78a3d16b12e6b0eba"},{"reference_url":"https://github.com/Pylons/waitress/security/advisories/GHSA-pg36-wpm5-g57p","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1
","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Pylons/waitress/security/advisories/GHSA-pg36-wpm5-g57p"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/waitress/PYSEC-2019-136.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/waitress/PYSEC-2019-136.yaml"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2022/05/msg00011.html","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2022/05/msg00011.html"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GVDHR2DNKCNQ7YQXISJ45NT4IQDX3LJ7","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"gener
ic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GVDHR2DNKCNQ7YQXISJ45NT4IQDX3LJ7"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GVDHR2DNKCNQ7YQXISJ45NT4IQDX3LJ7/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GVDHR2DNKCNQ7YQXISJ45NT4IQDX3LJ7/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYEOTGWJZVKPRXX2HBNVIYWCX73QYPM5","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYEOTGWJZVKPRXX2HBNVIYWCX73QYPM5"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYEOTGWJZVKPRXX2HBNVIYWCX73QYPM5/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYEOTGWJZVKPRXX2HBNVIYWCX73QYPM5/"},{"reference_url":"https://www.oracle.com/security-alerts/cpuapr2022.html","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"ref
erence_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1791420","reference_id":"1791420","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1791420"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947306","reference_id":"947306","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947306"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2019-16785","reference_id":"CVE-2019-16785","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-16785"},{"reference_url":"https://github.com/advisories/GHSA-pg36-wpm5-g57p","reference_id":"GHSA-pg36-wpm5-g57p","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-pg36-wpm5-g57p"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:0420","reference_id":"RHSA-2021:0420","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:0420"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/134147?format=json","purl":"pkg:deb/debian/waitress@1.4.1-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/waitress@1.4.1-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/134148?format=json","purl":"pkg:deb/debian/waitress@1.4.4-1.1%2Bdeb11u1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/waitress@1.4.4-1.1%252Bdeb11u1%3Fdistro=trixie"},{"url":"http://public2.vulner
ablecode.io/api/packages/134146?format=json","purl":"pkg:deb/debian/waitress@2.1.2-2%2Bdeb12u1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/waitress@2.1.2-2%252Bdeb12u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/134150?format=json","purl":"pkg:deb/debian/waitress@3.0.2-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/waitress@3.0.2-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/134149?format=json","purl":"pkg:deb/debian/waitress@3.0.2-2?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/waitress@3.0.2-2%3Fdistro=trixie"}],"aliases":["CVE-2019-16785","GHSA-pg36-wpm5-g57p","PYSEC-2019-136"],"risk_score":3.2,"exploitability":"0.5","weighted_severity":"6.4","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-9gra-5w8b-mfa2"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/4946?format=json","vulnerability_id":"VCID-gnaw-ht2x-9bas","summary":"","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-24761.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-24761.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-24761","reference_id":"","reference_type":"","scores":[{"value":"0.00288","scoring_system":"epss","scoring_elements":"0.5253","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00288","scoring_system":"epss","scoring_elements":"0.52471","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00288","scoring_system":"epss","scoring_elements":"0.52514","published_at":
"2026-06-09T12:55:00Z"},{"value":"0.00288","scoring_system":"epss","scoring_elements":"0.52492","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00288","scoring_system":"epss","scoring_elements":"0.5252","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00288","scoring_system":"epss","scoring_elements":"0.52539","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-24761"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24761","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24761"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/Pylons/waitress","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Pylons/waitress"},{"reference_url":"https://github.com/Pylons/waitress/commit/9e0b8c801e4d505c2ffc91b891af4ba48af715e0","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:56:44Z/"}],"url":"http
s://github.com/Pylons/waitress/commit/9e0b8c801e4d505c2ffc91b891af4ba48af715e0"},{"reference_url":"https://github.com/Pylons/waitress/releases/tag/v2.1.1","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:56:44Z/"}],"url":"https://github.com/Pylons/waitress/releases/tag/v2.1.1"},{"reference_url":"https://github.com/Pylons/waitress/security/advisories/GHSA-4f7p-27jc-3c36","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:56:44Z/"}],"url":"https://github.com/Pylons/waitress/security/advisories/GHSA-4f7p-27jc-3c36"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/waitress/PYSEC-2022-169.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/waitress/PYSEC-2022-169.yaml"},{"reference
_url":"https://lists.debian.org/debian-lts-announce/2022/05/msg00011.html","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:56:44Z/"}],"url":"https://lists.debian.org/debian-lts-announce/2022/05/msg00011.html"},{"reference_url":"https://www.debian.org/security/2022/dsa-5138","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:56:44Z/"}],"url":"https://www.debian.org/security/2022/dsa-5138"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1008013","reference_id":"1008013","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1008013"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2065086","reference_id":"2065086","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2065086"},{"reference_url":"https://security.archlinux.org/AVG-2723","reference_id":"AVG-2723","reference_type":"","scores":[{"value":"High","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2723"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24761","reference_id":"CVE-2022-24761","reference_type":"","scores":[{"value":"7.5","s
coring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24761"},{"reference_url":"https://github.com/advisories/GHSA-4f7p-27jc-3c36","reference_id":"GHSA-4f7p-27jc-3c36","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-4f7p-27jc-3c36"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:1253","reference_id":"RHSA-2022:1253","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:1253"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:1254","reference_id":"RHSA-2022:1254","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:1254"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:1264","reference_id":"RHSA-2022:1264","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:1264"},{"reference_url":"https://usn.ubuntu.com/5364-1/","reference_id":"USN-5364-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/5364-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/134148?format=json","purl":"pkg:deb/debian/waitress@1.4.4-1.1%2Bdeb11u1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/waitress@1.4.4-1.1%252Bdeb11u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/134155?format=json","purl":"pkg:deb/debian/waitress@2.1.1-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/waitress@2.1.1-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.i
o/api/packages/134146?format=json","purl":"pkg:deb/debian/waitress@2.1.2-2%2Bdeb12u1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/waitress@2.1.2-2%252Bdeb12u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/134150?format=json","purl":"pkg:deb/debian/waitress@3.0.2-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/waitress@3.0.2-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/134149?format=json","purl":"pkg:deb/debian/waitress@3.0.2-2?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/waitress@3.0.2-2%3Fdistro=trixie"}],"aliases":["CVE-2022-24761","GHSA-4f7p-27jc-3c36","PYSEC-2022-169"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-gnaw-ht2x-9bas"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/36097?format=json","vulnerability_id":"VCID-r9h3-c2kh-a3ey","summary":"Waitress is a Web Server Gateway Interface server for Python 2 and 3. Waitress versions 2.1.0 and 2.1.1 may terminate early due to a thread closing a socket while the main thread is about to call select(). This will lead to the main thread raising an exception that is not handled and then causing the entire application to be killed. This issue has been fixed in Waitress 2.1.2 by no longer allowing the WSGI thread to close the socket. Instead, that is always delegated to the main thread. There is no work-around for this issue. 
However, users using waitress behind a reverse proxy server are less likely to have issues if the reverse proxy always reads the full response.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-31015.json","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-31015.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-31015","reference_id":"","reference_type":"","scores":[{"value":"0.00467","scoring_system":"epss","scoring_elements":"0.64856","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00467","scoring_system":"epss","scoring_elements":"0.64861","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00467","scoring_system":"epss","scoring_elements":"0.64844","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00467","scoring_system":"epss","scoring_elements":"0.64855","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00467","scoring_system":"epss","scoring_elements":"0.64866","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00483","scoring_system":"epss","scoring_elements":"0.65588","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-31015"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/Pylons/waitress","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:
N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Pylons/waitress"},{"reference_url":"https://github.com/Pylons/waitress/commit/4f6789b035610e0552738cdc4b35ca809a592d48","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:46:10Z/"}],"url":"https://github.com/Pylons/waitress/commit/4f6789b035610e0552738cdc4b35ca809a592d48"},{"reference_url":"https://github.com/Pylons/waitress/issues/374","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:46:10Z/"}],"url":"https://github.com/Pylons/waitress/issues/374"},{"reference_url":"https://github.com/Pylons/waitress/pull/377","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:46:10Z/"}],"url":"https://github.com/Pylons/waitress/pull/377"},{"
reference_url":"https://github.com/Pylons/waitress/security/advisories/GHSA-f5x9-8jwc-25rw","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:46:10Z/"}],"url":"https://github.com/Pylons/waitress/security/advisories/GHSA-f5x9-8jwc-25rw"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/waitress/PYSEC-2022-205.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/waitress/PYSEC-2022-205.yaml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-31015","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-31015"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1012315","reference_id":"1012315","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1012315"},{"reference_url":"https://b
ugzilla.redhat.com/show_bug.cgi?id=2092246","reference_id":"2092246","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2092246"},{"reference_url":"https://github.com/advisories/GHSA-f5x9-8jwc-25rw","reference_id":"GHSA-f5x9-8jwc-25rw","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-f5x9-8jwc-25rw"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/134152?format=json","purl":"pkg:deb/debian/waitress@0?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/waitress@0%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/134148?format=json","purl":"pkg:deb/debian/waitress@1.4.4-1.1%2Bdeb11u1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/waitress@1.4.4-1.1%252Bdeb11u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/134157?format=json","purl":"pkg:deb/debian/waitress@2.1.2-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/waitress@2.1.2-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/134146?format=json","purl":"pkg:deb/debian/waitress@2.1.2-2%2Bdeb12u1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/waitress@2.1.2-2%252Bdeb12u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/134150?format=json","purl":"pkg:deb/debian/waitress@3.0.2-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/waitress@3.0.2-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/134
149?format=json","purl":"pkg:deb/debian/waitress@3.0.2-2?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/waitress@3.0.2-2%3Fdistro=trixie"}],"aliases":["CVE-2022-31015","GHSA-f5x9-8jwc-25rw","PYSEC-2022-205"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-r9h3-c2kh-a3ey"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/36916?format=json","vulnerability_id":"VCID-trp4-phyv-bfb2","summary":"Waitress is a Web Server Gateway Interface server for Python 2 and 3. A remote client may send a request that is exactly recv_bytes (defaults to 8192) long, followed by a secondary request using HTTP pipelining. When request lookahead is disabled (default) we won't read any more requests, and when the first request fails due to a parsing error, we simply close the connection. However when request lookahead is enabled, it is possible to process and receive the first request, start sending the error message back to the client while we read the next request and queue it. This will allow the secondary request to be serviced by the worker thread while the connection should be closed. Waitress 3.0.1 fixes the race condition. 
As a workaround, disable channel_request_lookahead; it is set to 0 by default, which disables this feature.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-49768.json","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-49768.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-49768","reference_id":"","reference_type":"","scores":[{"value":"0.00572","scoring_system":"epss","scoring_elements":"0.69098","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00572","scoring_system":"epss","scoring_elements":"0.69091","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00572","scoring_system":"epss","scoring_elements":"0.69094","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00572","scoring_system":"epss","scoring_elements":"0.69101","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00572","scoring_system":"epss","scoring_elements":"0.69078","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-49768"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/Pylons/waitress","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Pylons/waitress"},{"reference_url":"h
ttps://github.com/Pylons/waitress/commit/e4359018537af376cf24bd13616d861e2fb76f65","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-10-29T14:54:02Z/"}],"url":"https://github.com/Pylons/waitress/commit/e4359018537af376cf24bd13616d861e2fb76f65"},{"reference_url":"https://github.com/Pylons/waitress/security/advisories/GHSA-9298-4cf8-g4wj","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-10-29T14:54:02Z/"}],"url":"https://github.com/Pylons/waitress/security/advisories/GHSA-9298-4cf8-g4wj"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/waitress/PYSEC-2024-210.yaml","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/S
A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/waitress/PYSEC-2024-210.yaml"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1086467","reference_id":"1086467","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1086467"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2322460","reference_id":"2322460","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2322460"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-49768","reference_id":"CVE-2024-49768","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-49768"},{"reference_url":"https://github.com/advisories/GHSA-9298-4cf8-g4wj","reference_id":"GHSA-9298-4cf8-g4wj","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-9298-4cf8-g4wj"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:10145","reference_id":"RHSA-2024:10145","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:10145"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:10535","reference_id":"RHSA-2024:10535","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:10535"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:10815","reference_id":"RHSA-2024:10815","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:10815"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:9613","reference_id":"R
HSA-2024:9613","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:9613"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:9618","reference_id":"RHSA-2024:9618","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:9618"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:9623","reference_id":"RHSA-2024:9623","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:9623"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:0201","reference_id":"RHSA-2025:0201","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:0201"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:1191","reference_id":"RHSA-2025:1191","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:1191"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:1192","reference_id":"RHSA-2025:1192","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:1192"},{"reference_url":"https://usn.ubuntu.com/7115-1/","reference_id":"USN-7115-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/7115-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/134152?format=json","purl":"pkg:deb/debian/waitress@0?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/waitress@0%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/134148?format=json","purl":"pkg:deb/debian/waitress@1.4.4-1.1%2Bdeb11u1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/waitress@1.4.4-1.1%252Bdeb11u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/134146?format=json","purl":"pkg:deb/debian/waitress@2.1.2-2%2Bdeb12u1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities
":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/waitress@2.1.2-2%252Bdeb12u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/134159?format=json","purl":"pkg:deb/debian/waitress@3.0.1-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/waitress@3.0.1-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/134150?format=json","purl":"pkg:deb/debian/waitress@3.0.2-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/waitress@3.0.2-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/134149?format=json","purl":"pkg:deb/debian/waitress@3.0.2-2?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/waitress@3.0.2-2%3Fdistro=trixie"}],"aliases":["CVE-2024-49768","GHSA-9298-4cf8-g4wj","PYSEC-2024-210"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-trp4-phyv-bfb2"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/36917?format=json","vulnerability_id":"VCID-ujpr-gc5n-s3bc","summary":"Waitress is a Web Server Gateway Interface server for Python 2 and 3. When a remote client closes the connection before waitress has had the opportunity to call getpeername() waitress won't correctly clean up the connection leading to the main thread attempting to write to a socket that no longer exists, but not removing it from the list of sockets to attempt to process. This leads to a busy-loop calling the write function. A remote attacker could run waitress out of available sockets with very little resources required. 
Waitress 3.0.1 contains fixes that remove the race condition.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-49769.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-49769.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-49769","reference_id":"","reference_type":"","scores":[{"value":"0.01524","scoring_system":"epss","scoring_elements":"0.81639","published_at":"2026-06-09T12:55:00Z"},{"value":"0.01524","scoring_system":"epss","scoring_elements":"0.81624","published_at":"2026-06-08T12:55:00Z"},{"value":"0.01524","scoring_system":"epss","scoring_elements":"0.81631","published_at":"2026-06-07T12:55:00Z"},{"value":"0.01524","scoring_system":"epss","scoring_elements":"0.81629","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-49769"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-49769","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-49769"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/Pylons/waitress","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://git
hub.com/Pylons/waitress"},{"reference_url":"https://github.com/Pylons/waitress/commit/1ae4e894c9f76543bee06584001583fc6fa8c95c","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-29T14:56:24Z/"}],"url":"https://github.com/Pylons/waitress/commit/1ae4e894c9f76543bee06584001583fc6fa8c95c"},{"reference_url":"https://github.com/Pylons/waitress/issues/418","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-29T14:56:24Z/"}],"url":"https://github.com/Pylons/waitress/issues/418"},{"reference_url":"https://github.com/Pylons/waitress/pull/435","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-29T14:56:24Z/"}],"url":"https://github.com/Pylons/waitress/pull/435"},{"reference_url":"https://github.com/Pylons/waitress/security/advisories/GHSA-3f84-rpwh-47g6","reference
_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-29T14:56:24Z/"}],"url":"https://github.com/Pylons/waitress/security/advisories/GHSA-3f84-rpwh-47g6"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/waitress/PYSEC-2024-211.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/waitress/PYSEC-2024-211.yaml"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2024/11/msg00012.html","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2024/11/msg00012.html"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1086468","reference_id":"1086468","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1086468"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2322461","reference_id":"2322
461","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2322461"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-49769","reference_id":"CVE-2024-49769","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-49769"},{"reference_url":"https://github.com/advisories/GHSA-3f84-rpwh-47g6","reference_id":"GHSA-3f84-rpwh-47g6","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-3f84-rpwh-47g6"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:10145","reference_id":"RHSA-2024:10145","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:10145"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:10535","reference_id":"RHSA-2024:10535","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:10535"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:10815","reference_id":"RHSA-2024:10815","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:10815"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:9613","reference_id":"RHSA-2024:9613","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:9613"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:9618","reference_id":"RHSA-2024:9618","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:9618"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:9623","reference_id":"RHSA-2024:9623","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:9623"},{
"reference_url":"https://access.redhat.com/errata/RHSA-2025:0201","reference_id":"RHSA-2025:0201","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:0201"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:1191","reference_id":"RHSA-2025:1191","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:1191"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:1192","reference_id":"RHSA-2025:1192","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:1192"},{"reference_url":"https://usn.ubuntu.com/7115-1/","reference_id":"USN-7115-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/7115-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/134148?format=json","purl":"pkg:deb/debian/waitress@1.4.4-1.1%2Bdeb11u1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/waitress@1.4.4-1.1%252Bdeb11u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/134160?format=json","purl":"pkg:deb/debian/waitress@1.4.4-1.1%2Bdeb11u2?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/waitress@1.4.4-1.1%252Bdeb11u2%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/134146?format=json","purl":"pkg:deb/debian/waitress@2.1.2-2%2Bdeb12u1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/waitress@2.1.2-2%252Bdeb12u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/134159?format=json","purl":"pkg:deb/debian/waitress@3.0.1-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/waitress@3.0.1-1%3Fdistro=trixie"},{"url":"http://public2.vul
nerablecode.io/api/packages/134150?format=json","purl":"pkg:deb/debian/waitress@3.0.2-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/waitress@3.0.2-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/134149?format=json","purl":"pkg:deb/debian/waitress@3.0.2-2?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/waitress@3.0.2-2%3Fdistro=trixie"}],"aliases":["CVE-2024-49769","GHSA-3f84-rpwh-47g6","PYSEC-2024-211"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ujpr-gc5n-s3bc"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/35467?format=json","vulnerability_id":"VCID-zd7n-85nm-93cm","summary":"In Waitress through version 1.4.0, if a proxy server is used in front of waitress, an invalid request may be sent by an attacker that bypasses the front-end and is parsed differently by waitress leading to a potential for HTTP request smuggling. Specially crafted requests containing special whitespace characters in the Transfer-Encoding header would get parsed by Waitress as being a chunked request, but a front-end server would use the Content-Length instead as the Transfer-Encoding header is considered invalid due to containing invalid characters. If a front-end server does HTTP pipelining to a backend Waitress server this could lead to HTTP request splitting which may lead to potential cache poisoning or unexpected information disclosure. 
This issue is fixed in Waitress 1.4.1 through more strict HTTP field validation.","references":[{"reference_url":"https://access.redhat.com/errata/RHSA-2020:0720","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:H/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://access.redhat.com/errata/RHSA-2020:0720"},{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-16789.json","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-16789.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2019-16789","reference_id":"","reference_type":"","scores":[{"value":"0.00882","scoring_system":"epss","scoring_elements":"0.75746","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00882","scoring_system":"epss","scoring_elements":"0.7577","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00882","scoring_system":"epss","scoring_elements":"0.75773","published_at":"2026-06-05T12:55:00Z"},{"value":"0.01002","scoring_system":"epss","scoring_elements":"0.774","published_at":"2026-06-09T12:55:00Z"},{"value":"0.01002","scoring_system":"epss","scoring_elements":"0.77388","published_at":"2026-06-07T12:55:00Z"},{"value":"0.01002","scoring_system":"epss","scoring_elements":"0.77379","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2019-16789"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16789","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16789"},{"reference_url":"https://docs.py
lonsproject.org/projects/waitress/en/latest/#security-fixes","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:H/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://docs.pylonsproject.org/projects/waitress/en/latest/#security-fixes"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/advisories/GHSA-968f-66r5-5v74","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:H/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-968f-66r5-5v74"},{"reference_url":"https://github.com/github/advisory-review/pull/14604","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:H/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/github/advisory-review/pull/14604"},{"reference_url":"https://github.com/Pylons/waitress","reference_id":"","reference_type":"","scores"
:[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:H/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Pylons/waitress"},{"reference_url":"https://github.com/Pylons/waitress/commit/11d9e138125ad46e951027184b13242a3c1de017","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:H/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Pylons/waitress/commit/11d9e138125ad46e951027184b13242a3c1de017"},{"reference_url":"https://github.com/Pylons/waitress/commit/ddb65b489d01d696afa1695b75fdd5df3e4ffdf8","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:H/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Pylons/waitress/commit/ddb65b489d01d696afa1695b75fdd5df3e4ffdf8"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/waitress/PYSEC-2019-138.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:H/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tre
e/main/vulns/waitress/PYSEC-2019-138.yaml"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2022/05/msg00011.html","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:H/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2022/05/msg00011.html"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GVDHR2DNKCNQ7YQXISJ45NT4IQDX3LJ7","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:H/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GVDHR2DNKCNQ7YQXISJ45NT4IQDX3LJ7"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GVDHR2DNKCNQ7YQXISJ45NT4IQDX3LJ7/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GVDHR2DNKCNQ7YQXISJ45NT4IQDX3LJ7/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYEOTGWJZVKPRXX2HBNVIYWCX73QYPM5","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:H/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N"},{"value":"MODE
RATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYEOTGWJZVKPRXX2HBNVIYWCX73QYPM5"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYEOTGWJZVKPRXX2HBNVIYWCX73QYPM5/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYEOTGWJZVKPRXX2HBNVIYWCX73QYPM5/"},{"reference_url":"https://www.oracle.com/security-alerts/cpuapr2022.html","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:H/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1789807","reference_id":"1789807","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1789807"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947433","reference_id":"947433","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947433"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2019-16789","reference_id":"CVE-2019-16789","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:H/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-16789"},{"reference_url":"https://github.com/Pylons/waitress/security/advisorie
s/GHSA-968f-66r5-5v74","reference_id":"GHSA-968f-66r5-5v74","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:H/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Pylons/waitress/security/advisories/GHSA-968f-66r5-5v74"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:0420","reference_id":"RHSA-2021:0420","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:0420"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/134147?format=json","purl":"pkg:deb/debian/waitress@1.4.1-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/waitress@1.4.1-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/134148?format=json","purl":"pkg:deb/debian/waitress@1.4.4-1.1%2Bdeb11u1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/waitress@1.4.4-1.1%252Bdeb11u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/134146?format=json","purl":"pkg:deb/debian/waitress@2.1.2-2%2Bdeb12u1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/waitress@2.1.2-2%252Bdeb12u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/134150?format=json","purl":"pkg:deb/debian/waitress@3.0.2-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/waitress@3.0.2-1%3Fdistro=trixie"},{"url":"http:
//public2.vulnerablecode.io/api/packages/134149?format=json","purl":"pkg:deb/debian/waitress@3.0.2-2?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/waitress@3.0.2-2%3Fdistro=trixie"}],"aliases":["CVE-2019-16789","GHSA-968f-66r5-5v74","PYSEC-2019-138"],"risk_score":3.7,"exploitability":"0.5","weighted_severity":"7.4","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-zd7n-85nm-93cm"}],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/waitress@3.0.2-2%3Fdistro=trixie"}