{"url":"http://public2.vulnerablecode.io/api/packages/13523?format=json","purl":"pkg:pypi/waitress@0.8.2","type":"pypi","namespace":"","name":"waitress","version":"0.8.2","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"3.0.1","latest_non_vulnerable_version":"3.0.1","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/7844?format=json","vulnerability_id":"VCID-1r4j-ghj8-3ban","summary":"Waitress version 1.4.2 allows a DOS attack When waitress receives a header that contains invalid characters. When a header like \"Bad-header: xxxxxxxxxxxxxxx\\x10\" is received, it will cause the regular expression engine to catastrophically backtrack causing the process to use 100% CPU time and blocking any other interactions. This allows an attacker to send a single request with an invalid header and take the service offline. This issue was introduced in version 1.4.2 when the regular expression was updated to attempt to match the behaviour required by errata associated with RFC7230. The regular expression that is used to validate incoming headers has been updated in version 1.4.3, it is recommended that people upgrade to the new version of Waitress as soon as possible.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-5236.json","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-5236.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-5236","reference_id":"","reference_type":"","scores":[{"value":"0.13332","scoring_system":"epss","scoring_elements":"0.94294","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-5236"},{"reference_url":"https://github.com/Pylons/waitress","reference_id":"","reference_type":"","scores":[{"value":"5.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Pylons/waitress"},{"reference_url":"https://github.com/Pylons/waitress/commit/6e46f9e3f014d64dd7d1e258eaf626e39870ee1f","reference_id":"","reference_type":"","scores":[{"value":"5.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Pylons/waitress/commit/6e46f9e3f014d64dd7d1e258eaf626e39870ee1f"},{"reference_url":"https://github.com/Pylons/waitress/security/advisories/GHSA-73m2-3pwg-5fgc","reference_id":"","reference_type":"","scores":[{"value":"5.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Pylons/waitress/security/advisories/GHSA-73m2-3pwg-5fgc"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/waitress/PYSEC-2020-155.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/waitress/PYSEC-2020-155.yaml"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1831068","reference_id":"1831068","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1831068"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-5236","reference_id":"CVE-2020-5236","reference_type":"","scores":[{"value":"5.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-5236"},{"reference_url":"https://github.com/advisories/GHSA-73m2-3pwg-5fgc","reference_id":"GHSA-73m2-3pwg-5fgc","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-73m2-3pwg-5fgc"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/13759?format=json","purl":"pkg:pypi/waitress@1.4.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-zxdx-rpmq-pygz"},{"vulnerability":"VCID-zyt6-3km5-j7cq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/waitress@1.4.3"}],"aliases":["CVE-2020-5236","GHSA-73m2-3pwg-5fgc","PYSEC-2020-155"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-1r4j-ghj8-3ban"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/345535?format=json","vulnerability_id":"VCID-7547-p35z-wfa4","summary":"Waitress through version 1.3.1 would parse the Transfer-Encoding header and only look for a single string value, if that value was not chunked it would fall through and use the Content-Length header instead. According to the HTTP standard Transfer-Encoding should be a comma separated list, with the inner-most encoding first, followed by any further transfer codings, ending with chunked. Requests sent with: \"Transfer-Encoding: gzip, chunked\" would incorrectly get ignored, and the request would use a Content-Length header instead to determine the body size of the HTTP message. This could allow for Waitress to treat a single request as multiple requests in the case of HTTP pipelining. This issue is fixed in Waitress 1.4.0.","references":[{"reference_url":"https://access.redhat.com/errata/RHSA-2020:0720","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2020:0720"},{"reference_url":"https://docs.pylonsproject.org/projects/waitress/en/latest/#security-fixes","reference_id":"","reference_type":"","scores":[],"url":"https://docs.pylonsproject.org/projects/waitress/en/latest/#security-fixes"},{"reference_url":"https://github.com/Pylons/waitress/commit/f11093a6b3240fc26830b6111e826128af7771c3","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/Pylons/waitress/commit/f11093a6b3240fc26830b6111e826128af7771c3"},{"reference_url":"https://github.com/Pylons/waitress/security/advisories/GHSA-g2xc-35jw-c63p","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/Pylons/waitress/security/advisories/GHSA-g2xc-35jw-c63p"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GVDHR2DNKCNQ7YQXISJ45NT4IQDX3LJ7/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GVDHR2DNKCNQ7YQXISJ45NT4IQDX3LJ7/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYEOTGWJZVKPRXX2HBNVIYWCX73QYPM5/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYEOTGWJZVKPRXX2HBNVIYWCX73QYPM5/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/13549?format=json","purl":"pkg:pypi/waitress@1.3.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1r4j-ghj8-3ban"},{"vulnerability":"VCID-dquv-jt2f-tugp"},{"vulnerability":"VCID-nky6-1rw7-fycf"},{"vulnerability":"VCID-nrqn-f83b-tyes"},{"vulnerability":"VCID-pm64-wu2s-hkf7"},{"vulnerability":"VCID-s62b-fg7j-w3dd"},{"vulnerability":"VCID-uz1j-vbmn-tbbf"},{"vulnerability":"VCID-x6p6-3yhd-x3b6"},{"vulnerability":"VCID-zsqv-ecr4-ufgg"},{"vulnerability":"VCID-zxdx-rpmq-pygz"},{"vulnerability":"VCID-zyt6-3km5-j7cq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/waitress@1.3.1"}],"aliases":["PYSEC-2019-67"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-7547-p35z-wfa4"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/345534?format=json","vulnerability_id":"VCID-dquv-jt2f-tugp","summary":"Waitress through version 1.3.1 implemented a \"MAY\" part of the RFC7230 which states: \"Although the line terminator for the start-line and header fields is the sequence CRLF, a recipient MAY recognize a single LF as a line terminator and ignore any preceding CR.\" Unfortunately if a front-end server does not parse header fields with an LF the same way as it does those with a CRLF it can lead to the front-end and the back-end server parsing the same HTTP message in two different ways. This can lead to a potential for HTTP request smuggling/splitting whereby Waitress may see two requests while the front-end server only sees a single HTTP message. This issue is fixed in Waitress 1.4.0.","references":[{"reference_url":"https://access.redhat.com/errata/RHSA-2020:0720","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2020:0720"},{"reference_url":"https://docs.pylonsproject.org/projects/waitress/en/latest/#security-fixes","reference_id":"","reference_type":"","scores":[],"url":"https://docs.pylonsproject.org/projects/waitress/en/latest/#security-fixes"},{"reference_url":"https://github.com/Pylons/waitress/commit/8eba394ad75deaf9e5cd15b78a3d16b12e6b0eba","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/Pylons/waitress/commit/8eba394ad75deaf9e5cd15b78a3d16b12e6b0eba"},{"reference_url":"https://github.com/Pylons/waitress/security/advisories/GHSA-pg36-wpm5-g57p","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/Pylons/waitress/security/advisories/GHSA-pg36-wpm5-g57p"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GVDHR2DNKCNQ7YQXISJ45NT4IQDX3LJ7/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GVDHR2DNKCNQ7YQXISJ45NT4IQDX3LJ7/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYEOTGWJZVKPRXX2HBNVIYWCX73QYPM5/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYEOTGWJZVKPRXX2HBNVIYWCX73QYPM5/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/13550?format=json","purl":"pkg:pypi/waitress@1.4.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1r4j-ghj8-3ban"},{"vulnerability":"VCID-nky6-1rw7-fycf"},{"vulnerability":"VCID-pm64-wu2s-hkf7"},{"vulnerability":"VCID-s62b-fg7j-w3dd"},{"vulnerability":"VCID-zxdx-rpmq-pygz"},{"vulnerability":"VCID-zyt6-3km5-j7cq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/waitress@1.4.0"}],"aliases":["PYSEC-2019-66"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-dquv-jt2f-tugp"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/7807?format=json","vulnerability_id":"VCID-nky6-1rw7-fycf","summary":"In Waitress through version 1.4.0, if a proxy server is used in front of waitress, an invalid request may be sent by an attacker that bypasses the front-end and is parsed differently by waitress leading to a potential for HTTP request smuggling. Specially crafted requests containing special whitespace characters in the Transfer-Encoding header would get parsed by Waitress as being a chunked request, but a front-end server would use the Content-Length instead as the Transfer-Encoding header is considered invalid due to containing invalid characters. If a front-end server does HTTP pipelining to a backend Waitress server this could lead to HTTP request splitting which may lead to potential cache poisoning or unexpected information disclosure. This issue is fixed in Waitress 1.4.1 through more strict HTTP field validation.","references":[{"reference_url":"https://access.redhat.com/errata/RHSA-2020:0720","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:H/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://access.redhat.com/errata/RHSA-2020:0720"},{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-16789.json","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-16789.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2019-16789","reference_id":"","reference_type":"","scores":[{"value":"0.00882","scoring_system":"epss","scoring_elements":"0.75707","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2019-16789"},{"reference_url":"https://docs.pylonsproject.org/projects/waitress/en/latest/#security-fixes","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:H/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://docs.pylonsproject.org/projects/waitress/en/latest/#security-fixes"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/advisories/GHSA-968f-66r5-5v74","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:H/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-968f-66r5-5v74"},{"reference_url":"https://github.com/github/advisory-review/pull/14604","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:H/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/github/advisory-review/pull/14604"},{"reference_url":"https://github.com/Pylons/waitress","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:H/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Pylons/waitress"},{"reference_url":"https://github.com/Pylons/waitress/commit/11d9e138125ad46e951027184b13242a3c1de017","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:H/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Pylons/waitress/commit/11d9e138125ad46e951027184b13242a3c1de017"},{"reference_url":"https://github.com/Pylons/waitress/commit/ddb65b489d01d696afa1695b75fdd5df3e4ffdf8","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:H/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Pylons/waitress/commit/ddb65b489d01d696afa1695b75fdd5df3e4ffdf8"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/waitress/PYSEC-2019-138.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:H/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/waitress/PYSEC-2019-138.yaml"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2022/05/msg00011.html","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:H/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2022/05/msg00011.html"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GVDHR2DNKCNQ7YQXISJ45NT4IQDX3LJ7","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:H/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GVDHR2DNKCNQ7YQXISJ45NT4IQDX3LJ7"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GVDHR2DNKCNQ7YQXISJ45NT4IQDX3LJ7/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GVDHR2DNKCNQ7YQXISJ45NT4IQDX3LJ7/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYEOTGWJZVKPRXX2HBNVIYWCX73QYPM5","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:H/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYEOTGWJZVKPRXX2HBNVIYWCX73QYPM5"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYEOTGWJZVKPRXX2HBNVIYWCX73QYPM5/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYEOTGWJZVKPRXX2HBNVIYWCX73QYPM5/"},{"reference_url":"https://www.oracle.com/security-alerts/cpuapr2022.html","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:H/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1789807","reference_id":"1789807","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1789807"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947433","reference_id":"947433","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947433"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2019-16789","reference_id":"CVE-2019-16789","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:H/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-16789"},{"reference_url":"https://github.com/Pylons/waitress/security/advisories/GHSA-968f-66r5-5v74","reference_id":"GHSA-968f-66r5-5v74","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:H/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Pylons/waitress/security/advisories/GHSA-968f-66r5-5v74"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:0420","reference_id":"RHSA-2021:0420","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:0420"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/13551?format=json","purl":"pkg:pypi/waitress@1.4.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1r4j-ghj8-3ban"},{"vulnerability":"VCID-nky6-1rw7-fycf"},{"vulnerability":"VCID-zxdx-rpmq-pygz"},{"vulnerability":"VCID-zyt6-3km5-j7cq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/waitress@1.4.1"},{"url":"http://public2.vulnerablecode.io/api/packages/13758?format=json","purl":"pkg:pypi/waitress@1.4.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1r4j-ghj8-3ban"},{"vulnerability":"VCID-zxdx-rpmq-pygz"},{"vulnerability":"VCID-zyt6-3km5-j7cq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/waitress@1.4.2"}],"aliases":["CVE-2019-16789","GHSA-968f-66r5-5v74","PYSEC-2019-138"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-nky6-1rw7-fycf"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/7827?format=json","vulnerability_id":"VCID-nrqn-f83b-tyes","summary":"Waitress through version 1.3.1 allows request smuggling by sending the Content-Length header twice. Waitress would header fold a double Content-Length header and due to being unable to cast the now comma separated value to an integer would set the Content-Length to 0 internally. If two Content-Length headers are sent in a single request, Waitress would treat the request as having no body, thereby treating the body of the request as a new request in HTTP pipelining. This issue is fixed in Waitress 1.4.0.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2019-16792","reference_id":"","reference_type":"","scores":[{"value":"0.00851","scoring_system":"epss","scoring_elements":"0.75212","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2019-16792"},{"reference_url":"https://docs.pylonsproject.org/projects/waitress/en/latest/#security-fixes","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://docs.pylonsproject.org/projects/waitress/en/latest/#security-fixes"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/advisories/GHSA-j7j6-7hfx-5522","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-j7j6-7hfx-5522"},{"reference_url":"https://github.com/Pylons/waitress","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Pylons/waitress"},{"reference_url":"https://github.com/Pylons/waitress/commit/575994cd42e83fd772a5f7ec98b2c56751bd3f65","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Pylons/waitress/commit/575994cd42e83fd772a5f7ec98b2c56751bd3f65"},{"reference_url":"https://github.com/Pylons/waitress/security/advisories/GHSA-4ppp-gpcr-7qf6","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Pylons/waitress/security/advisories/GHSA-4ppp-gpcr-7qf6"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/waitress/PYSEC-2020-178.yaml","reference_id":"","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/waitress/PYSEC-2020-178.yaml"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2022/05/msg00011.html","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2022/05/msg00011.html"},{"reference_url":"https://www.oracle.com/security-alerts/cpuapr2022.html","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2019-16792","reference_id":"CVE-2019-16792","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-16792"},{"reference_url":"https://github.com/advisories/GHSA-4ppp-gpcr-7qf6","reference_id":"GHSA-4ppp-gpcr-7qf6","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-4ppp-gpcr-7qf6"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/13550?format=json","purl":"pkg:pypi/waitress@1.4.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1r4j-ghj8-3ban"},{"vulnerability":"VCID-nky6-1rw7-fycf"},{"vulnerability":"VCID-pm64-wu2s-hkf7"},{"vulnerability":"VCID-s62b-fg7j-w3dd"},{"vulnerability":"VCID-zxdx-rpmq-pygz"},{"vulnerability":"VCID-zyt6-3km5-j7cq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/waitress@1.4.0"}],"aliases":["CVE-2019-16792","GHSA-4ppp-gpcr-7qf6","GHSA-j7j6-7hfx-5522","PYSEC-2020-178"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-nrqn-f83b-tyes"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/339765?format=json","vulnerability_id":"VCID-pm64-wu2s-hkf7","summary":"HTTP Request Smuggling: Invalid whitespace characters in headers in Waitress","references":[{"reference_url":"https://github.com/Pylons/waitress/commit/11d9e138125ad46e951027184b13242a3c1de017","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Pylons/waitress/commit/11d9e138125ad46e951027184b13242a3c1de017"},{"reference_url":"https://github.com/advisories/GHSA-m5ff-3wj3-8ph4","reference_id":"GHSA-m5ff-3wj3-8ph4","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-m5ff-3wj3-8ph4"},{"reference_url":"https://github.com/Pylons/waitress/security/advisories/GHSA-m5ff-3wj3-8ph4","reference_id":"GHSA-m5ff-3wj3-8ph4","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Pylons/waitress/security/advisories/GHSA-m5ff-3wj3-8ph4"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/13551?format=json","purl":"pkg:pypi/waitress@1.4.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1r4j-ghj8-3ban"},{"vulnerability":"VCID-nky6-1rw7-fycf"},{"vulnerability":"VCID-zxdx-rpmq-pygz"},{"vulnerability":"VCID-zyt6-3km5-j7cq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/waitress@1.4.1"}],"aliases":["GHSA-m5ff-3wj3-8ph4","GMS-2019-112"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-pm64-wu2s-hkf7"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/345536?format=json","vulnerability_id":"VCID-s62b-fg7j-w3dd","summary":"In Waitress through version 1.4.0, if a proxy server is used in front of waitress, an invalid request may be sent by an attacker that bypasses the front-end and is parsed differently by waitress leading to a potential for HTTP request smuggling. Specially crafted requests containing special whitespace characters in the Transfer-Encoding header would get parsed by Waitress as being a chunked request, but a front-end server would use the Content-Length instead as the Transfer-Encoding header is considered invalid due to containing invalid characters. If a front-end server does HTTP pipelining to a backend Waitress server this could lead to HTTP request splitting which may lead to potential cache poisoning or unexpected information disclosure. This issue is fixed in Waitress 1.4.1 through more strict HTTP field validation.","references":[{"reference_url":"https://access.redhat.com/errata/RHSA-2020:0720","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2020:0720"},{"reference_url":"https://docs.pylonsproject.org/projects/waitress/en/latest/#security-fixes","reference_id":"","reference_type":"","scores":[],"url":"https://docs.pylonsproject.org/projects/waitress/en/latest/#security-fixes"},{"reference_url":"https://github.com/github/advisory-review/pull/14604","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/github/advisory-review/pull/14604"},{"reference_url":"https://github.com/Pylons/waitress/commit/11d9e138125ad46e951027184b13242a3c1de017","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/Pylons/waitress/commit/11d9e138125ad46e951027184b13242a3c1de017"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GVDHR2DNKCNQ7YQXISJ45NT4IQDX3LJ7/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GVDHR2DNKCNQ7YQXISJ45NT4IQDX3LJ7/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYEOTGWJZVKPRXX2HBNVIYWCX73QYPM5/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYEOTGWJZVKPRXX2HBNVIYWCX73QYPM5/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/13551?format=json","purl":"pkg:pypi/waitress@1.4.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1r4j-ghj8-3ban"},{"vulnerability":"VCID-nky6-1rw7-fycf"},{"vulnerability":"VCID-zxdx-rpmq-pygz"},{"vulnerability":"VCID-zyt6-3km5-j7cq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/waitress@1.4.1"}],"aliases":["PYSEC-2019-68"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-s62b-fg7j-w3dd"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/7806?format=json","vulnerability_id":"VCID-uz1j-vbmn-tbbf","summary":"Waitress through version 1.3.1 implemented a \"MAY\" part of the RFC7230 which states: \"Although the line terminator for the start-line and header fields is the sequence CRLF, a recipient MAY recognize a single LF as a line terminator and ignore any preceding CR.\" Unfortunately if a front-end server does not parse header fields with an LF the same way as it does those with a CRLF it can lead to the front-end and the back-end server parsing the same HTTP message in two different ways. This can lead to a potential for HTTP request smuggling/splitting whereby Waitress may see two requests while the front-end server only sees a single HTTP message. This issue is fixed in Waitress 1.4.0.","references":[{"reference_url":"https://access.redhat.com/errata/RHSA-2020:0720","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://access.redhat.com/errata/RHSA-2020:0720"},{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-16785.json","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-16785.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2019-16785","reference_id":"","reference_type":"","scores":[{"value":"0.01023","scoring_system":"epss","scoring_elements":"0.77554","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2019-16785"},{"reference_url":"https://docs.pylonsproject.org/projects/waitress/en/latest/#security-fixes","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://docs.pylonsproject.org/projects/waitress/en/latest/#security-fixes"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/Pylons/waitress","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Pylons/waitress"},{"reference_url":"https://github.com/Pylons/waitress/commit/8eba394ad75deaf9e5cd15b78a3d16b12e6b0eba","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Pylons/waitress/commit/8eba394ad75deaf9e5cd15b78a3d16b12e6b0eba"},{"reference_url":"https://github.com/Pylons/waitress/security/advisories/GHSA-pg36-wpm5-g57p","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Pylons/waitress/security/advisories/GHSA-pg36-wpm5-g57p"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/waitress/PYSEC-2019-136.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/waitress/PYSEC-2019-136.yaml"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2022/05/msg00011.html","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2022/05/msg00011.html"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GVDHR2DNKCNQ7YQXISJ45NT4IQDX3LJ7","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GVDHR2DNKCNQ7YQXISJ45NT4IQDX3LJ7"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GVDHR2DNKCNQ7YQXISJ45NT4IQDX3LJ7/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GVDHR2DNKCNQ7YQXISJ45NT4IQDX3LJ7/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYEOTGWJZVKPRXX2HBNVIYWCX73QYPM5","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYEOTGWJZVKPRXX2HBNVIYWCX73QYPM5"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYEOTGWJZVKPRXX2HBNVIYWCX73QYPM5/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYEOTGWJZVKPRXX2HBNVIYWCX73QYPM5/"},{"reference_url":"https://www.oracle.com/security-alerts/cpuapr2022.html","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1791420","reference_id":"1791420","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1791420"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947306","reference_id":"947306","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947306"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2019-16785","reference_id":"CVE-2019-16785","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-16785"},{"reference_url":"https://github.com/advisories/GHSA-pg36-wpm5-g57p","reference_id":"GHSA-pg36-wpm5-g57p","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-pg36-wpm5-g57p"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:0420","reference_id":"RHSA-2021:0420","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:0420"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/13550?format=json","purl":"pkg:pypi/waitress@1.4.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1r4j-ghj8-3ban"},{"vulnerability":"VCID-nky6-1rw7-fycf"},{"vulnerability":"VCID-pm64-wu2s-hkf7"},{"vulnerability":"VCID-s62b-fg7j-w3dd"},{"vulnerability":"VCID-zxdx-rpmq-pygz"},{"vulnerability":"VCID-zyt6-3km5-j7cq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/waitress@1.4.0"}],"aliases":["CVE-2019-16785","GHSA-pg36-wpm5-g57p","PYSEC-2019-136"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-uz1j-vbmn-tbbf"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/345545?format=json","vulnerability_id":"VCID-x6p6-3yhd-x3b6","summary":"Waitress through version 1.3.1 allows request smuggling by sending the Content-Length header twice. Waitress would header fold a double Content-Length header and due to being unable to cast the now comma separated value to an integer would set the Content-Length to 0 internally. If two Content-Length headers are sent in a single request, Waitress would treat the request as having no body, thereby treating the body of the request as a new request in HTTP pipelining. This issue is fixed in Waitress 1.4.0.","references":[{"reference_url":"https://docs.pylonsproject.org/projects/waitress/en/latest/#security-fixes","reference_id":"","reference_type":"","scores":[],"url":"https://docs.pylonsproject.org/projects/waitress/en/latest/#security-fixes"},{"reference_url":"https://github.com/Pylons/waitress/commit/575994cd42e83fd772a5f7ec98b2c56751bd3f65","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/Pylons/waitress/commit/575994cd42e83fd772a5f7ec98b2c56751bd3f65"},{"reference_url":"https://github.com/Pylons/waitress/security/advisories/GHSA-4ppp-gpcr-7qf6","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/Pylons/waitress/security/advisories/GHSA-4ppp-gpcr-7qf6"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/13550?format=json","purl":"pkg:pypi/waitress@1.4.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1r4j-ghj8-3ban"},{"vulnerability":"VCID-nky6-1rw7-fycf"},{"vulnerability":"VCID-pm64-wu2s-hkf7"},{"vulnerability":"VCID-s62b-fg7j-w3dd"},{"vulnerability":"VCID-zxdx-rpmq-pygz"},{"vulnerability":"VCID-zyt6-3km5-j7cq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/waitress@1.4.0"}],"aliases":["PYSEC-2020-197"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-x6p6-3yhd-x3b6"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/7805?format=json","vulnerability_id":"VCID-zsqv-ecr4-ufgg","summary":"Waitress through version 1.3.1 would parse the Transfer-Encoding header and only look for a single string value, if that value was not chunked it would fall through and use the Content-Length header instead. According to the HTTP standard Transfer-Encoding should be a comma separated list, with the inner-most encoding first, followed by any further transfer codings, ending with chunked. Requests sent with: \"Transfer-Encoding: gzip, chunked\" would incorrectly get ignored, and the request would use a Content-Length header instead to determine the body size of the HTTP message. This could allow for Waitress to treat a single request as multiple requests in the case of HTTP pipelining. This issue is fixed in Waitress 1.4.0.","references":[{"reference_url":"https://access.redhat.com/errata/RHSA-2020:0720","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://access.redhat.com/errata/RHSA-2020:0720"},{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-16786.json","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-16786.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2019-16786","reference_id":"","reference_type":"","scores":[{"value":"0.00795","scoring_system":"epss","scoring_elements":"0.74267","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2019-16786"},{"reference_url":"https://docs.pylonsproject.org/projects/waitress/en/latest/#security-fixes","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://docs.pylonsproject.org/projects/waitress/en/latest/#security-fixes"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/Pylons/waitress","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Pylons/waitress"},{"reference_url":"https://github.com/Pylons/waitress/commit/f11093a6b3240fc26830b6111e826128af7771c3","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Pylons/waitress/commit/f11093a6b3240fc26830b6111e826128af7771c3"},{"reference_url":"https://github.com/Pylons/waitress/security/advisories/GHSA-g2xc-35jw-c63p","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Pylons/waitress/security/advisories/GHSA-g2xc-35jw-c63p"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/waitress/PYSEC-2019-137.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/waitress/PYSEC-2019-137.yaml"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2022/05/msg00011.html","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2022/05/msg00011.html"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GVDHR2DNKCNQ7YQXISJ45NT4IQDX3LJ7","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GVDHR2DNKCNQ7YQXISJ45NT4IQDX3LJ7"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GVDHR2DNKCNQ7YQXISJ45NT4IQDX3LJ7/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GVDHR2DNKCNQ7YQXISJ45NT4IQDX3LJ7/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYEOTGWJZVKPRXX2HBNVIYWCX73QYPM5","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYEOTGWJZVKPRXX2HBNVIYWCX73QYPM5"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYEOTGWJZVKPRXX2HBNVIYWCX73QYPM5/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYEOTGWJZVKPRXX2HBNVIYWCX73QYPM5/"},{"reference_url":"https://www.oracle.com/security-alerts/cpuapr2022.html","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1791415","reference_id":"1791415","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1791415"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947306","reference_id":"947306","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947306"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2019-16786","reference_id":"CVE-2019-16786","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-16786"},{"reference_url":"https://github.com/advisories/GHSA-g2xc-35jw-c63p","reference_id":"GHSA-g2xc-35jw-c63p","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-g2xc-35jw-c63p"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:0420","reference_id":"RHSA-2021:0420","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:0420"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/13549?format=json","purl":"pkg:pypi/waitress@1.3.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1r4j-ghj8-3ban"},{"vulnerability":"VCID-dquv-jt2f-tugp"},{"vulnerability":"VCID-nky6-1rw7-fycf"},{"vulnerability":"VCID-nrqn-f83b-tyes"},{"vulnerability":"VCID-pm64-wu2s-hkf7"},{"vulnerability":"VCID-s62b-fg7j-w3dd"},{"vulnerability":"VCID-uz1j-vbmn-tbbf"},{"vulnerability":"VCID-x6p6-3yhd-x3b6"},{"vulnerability":"VCID-zsqv-ecr4-ufgg"},{"vulnerability":"VCID-zxdx-rpmq-pygz"},{"vulnerability":"VCID-zyt6-3km5-j7cq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/waitress@1.3.1"},{"url":"http://public2.vulnerablecode.io/api/packages/13550?format=json","purl":"pkg:pypi/waitress@1.4.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1r4j-ghj8-3ban"},{"vulnerability":"VCID-nky6-1rw7-fycf"},{"vulnerability":"VCID-pm64-wu2s-hkf7"},{"vulnerability":"VCID-s62b-fg7j-w3dd"},{"vulnerability":"VCID-zxdx-rpmq-pygz"},{"vulnerability":"VCID-zyt6-3km5-j7cq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/waitress@1.4.0"}],"aliases":["CVE-2019-16786","GHSA-g2xc-35jw-c63p","PYSEC-2019-137"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-zsqv-ecr4-ufgg"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/3022?format=json","vulnerability_id":"VCID-zxdx-rpmq-pygz","summary":"","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-24761.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-24761.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-24761","reference_id":"","reference_type":"","scores":[{"value":"0.00288","scoring_system":"epss","scoring_elements":"0.52456","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-24761"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24761","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24761"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/Pylons/waitress","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Pylons/waitress"},{"reference_url":"https://github.com/Pylons/waitress/commit/9e0b8c801e4d505c2ffc91b891af4ba48af715e0","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:56:44Z/"}],"url":"https://github.com/Pylons/waitress/commit/9e0b8c801e4d505c2ffc91b891af4ba48af715e0"},{"reference_url":"https://github.com/Pylons/waitress/releases/tag/v2.1.1","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:56:44Z/"}],"url":"https://github.com/Pylons/waitress/releases/tag/v2.1.1"},{"reference_url":"https://github.com/Pylons/waitress/security/advisories/GHSA-4f7p-27jc-3c36","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:56:44Z/"}],"url":"https://github.com/Pylons/waitress/security/advisories/GHSA-4f7p-27jc-3c36"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/waitress/PYSEC-2022-169.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/waitress/PYSEC-2022-169.yaml"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2022/05/msg00011.html","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:56:44Z/"}],"url":"https://lists.debian.org/debian-lts-announce/2022/05/msg00011.html"},{"reference_url":"https://www.debian.org/security/2022/dsa-5138","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:56:44Z/"}],"url":"https://www.debian.org/security/2022/dsa-5138"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1008013","reference_id":"1008013","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1008013"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2065086","reference_id":"2065086","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2065086"},{"reference_url":"https://security.archlinux.org/AVG-2723","reference_id":"AVG-2723","reference_type":"","scores":[{"value":"High","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2723"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24761","reference_id":"CVE-2022-24761","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24761"},{"reference_url":"https://github.com/advisories/GHSA-4f7p-27jc-3c36","reference_id":"GHSA-4f7p-27jc-3c36","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-4f7p-27jc-3c36"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:1253","reference_id":"RHSA-2022:1253","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:1253"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:1254","reference_id":"RHSA-2022:1254","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:1254"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:1264","reference_id":"RHSA-2022:1264","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:1264"},{"reference_url":"https://usn.ubuntu.com/5364-1/","reference_id":"USN-5364-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/5364-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/25813?format=json","purl":"pkg:pypi/waitress@2.1.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-6rjm-x56p-5ucs"},{"vulnerability":"VCID-c2tm-rbsm-y7dg"},{"vulnerability":"VCID-zyt6-3km5-j7cq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/waitress@2.1.1"}],"aliases":["CVE-2022-24761","GHSA-4f7p-27jc-3c36","PYSEC-2022-169"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-zxdx-rpmq-pygz"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/9253?format=json","vulnerability_id":"VCID-zyt6-3km5-j7cq","summary":"Waitress is a Web Server Gateway Interface server for Python 2 and 3. When a remote client closes the connection before waitress has had the opportunity to call getpeername() waitress won't correctly clean up the connection leading to the main thread attempting to write to a socket that no longer exists, but not removing it from the list of sockets to attempt to process. This leads to a busy-loop calling the write function. A remote attacker could run waitress out of available sockets with very little resources required. Waitress 3.0.1 contains fixes that remove the race condition.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-49769.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-49769.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-49769","reference_id":"","reference_type":"","scores":[{"value":"0.01524","scoring_system":"epss","scoring_elements":"0.81575","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-49769"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/Pylons/waitress","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Pylons/waitress"},{"reference_url":"https://github.com/Pylons/waitress/commit/1ae4e894c9f76543bee06584001583fc6fa8c95c","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-29T14:56:24Z/"}],"url":"https://github.com/Pylons/waitress/commit/1ae4e894c9f76543bee06584001583fc6fa8c95c"},{"reference_url":"https://github.com/Pylons/waitress/issues/418","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-29T14:56:24Z/"}],"url":"https://github.com/Pylons/waitress/issues/418"},{"reference_url":"https://github.com/Pylons/waitress/pull/435","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-29T14:56:24Z/"}],"url":"https://github.com/Pylons/waitress/pull/435"},{"reference_url":"https://github.com/Pylons/waitress/security/advisories/GHSA-3f84-rpwh-47g6","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-29T14:56:24Z/"}],"url":"https://github.com/Pylons/waitress/security/advisories/GHSA-3f84-rpwh-47g6"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/waitress/PYSEC-2024-211.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/waitress/PYSEC-2024-211.yaml"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2024/11/msg00012.html","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2024/11/msg00012.html"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-49769","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-49769"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1086468","reference_id":"1086468","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1086468"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2322461","reference_id":"2322461","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2322461"},{"reference_url":"https://github.com/advisories/GHSA-3f84-rpwh-47g6","reference_id":"GHSA-3f84-rpwh-47g6","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-3f84-rpwh-47g6"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:10145","reference_id":"RHSA-2024:10145","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:10145"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:10535","reference_id":"RHSA-2024:10535","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:10535"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:10815","reference_id":"RHSA-2024:10815","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:10815"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:9613","reference_id":"RHSA-2024:9613","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:9613"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:9618","reference_id":"RHSA-2024:9618","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:9618"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:9623","reference_id":"RHSA-2024:9623","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:9623"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:0201","reference_id":"RHSA-2025:0201","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:0201"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:1191","reference_id":"RHSA-2025:1191","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:1191"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:1192","reference_id":"RHSA-2025:1192","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:1192"},{"reference_url":"https://usn.ubuntu.com/7115-1/","reference_id":"USN-7115-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/7115-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/42658?format=json","purl":"pkg:pypi/waitress@3.0.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/waitress@3.0.1"}],"aliases":["CVE-2024-49769","GHSA-3f84-rpwh-47g6","PYSEC-2024-211"],"risk_score":3.4,"exploitability":"0.5","weighted_severity":"6.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-zyt6-3km5-j7cq"}],"fixing_vulnerabilities":[],"risk_score":"4.5","resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/waitress@0.8.2"}