medium
6.8
CWE
400
Advisory Published
Advisory Published
Updated

CVE-2020-5236: Catastrophic backtracking in regex allows Denial of Service in Waitress

First published: Tue Feb 04 2020(Updated: )

### Impact When waitress receives a header that contains invalid characters it will cause the regular expression engine to catastrophically backtrack causing the process to use 100% CPU time and blocking any other interactions. This would allow an attacker to send a single request with an invalid header and take the service offline. Invalid header example: ``` Bad-header: xxxxxxxxxxxxxxx\x10 ``` Increasing the number of `x`'s in the header will increase the amount of time Waitress spends in the regular expression engine. This issue was introduced in version 1.4.2 when the regular expression was updated to attempt to match the behaviour required by errata associated with RFC7230. ### Patches The regular expression that is used to validate incoming headers has been updated in version 1.4.3, it is recommended that people upgrade to the new version of Waitress as soon as possible. ### Workarounds If you have deployed a reverse proxy in front of Waitress it may already be rejecting requests that include invalid headers. ### Thanks The Pylons Project would like to thank [Fil Zembowicz](https://github.com/fzembow) for reaching out and disclosing this vulnerability! ### References Catastrophic backtracking explained: https://www.regular-expressions.info/catastrophic.html ### For more information If you have any questions or comments about this advisory: - open an issue at https://github.com/Pylons/waitress/issues (if not sensitive or security related) - email the Pylons Security mailing list: pylons-project-security@googlegroups.com (if security related)

Credit: security-advisories@github.com security-advisories@github.com

Affected SoftwareAffected VersionHow to fix
pip/waitress=1.4.2
1.4.3
Agendaless Waitress=1.4.2

Remedy

https://github.com/Pylons/waitress/commit/6e46f9e3f014d64dd7d1e258eaf626e39870ee1f

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Frequently Asked Questions

  • What is the impact of CVE-2020-5236?

    An attacker can send a single request with an invalid header, causing the regular expression engine to backtrack and consume 100% CPU, blocking other interactions.

  • How does CVE-2020-5236 affect the Waitress package?

    The vulnerability affects Waitress version 1.4.2 and can be remedied by updating to version 1.4.3.

  • What is the severity of CVE-2020-5236?

    The severity of CVE-2020-5236 is medium with a CVSS score of 5.7.

  • Where can I find more information about CVE-2020-5236?

    You can find more information about CVE-2020-5236 on the following references: [GitHub Advisory](https://github.com/Pylons/waitress/security/advisories/GHSA-73m2-3pwg-5fgc), [GitHub Commit](https://github.com/Pylons/waitress/commit/6e46f9e3f014d64dd7d1e258eaf626e39870ee1f), [NVD](https://nvd.nist.gov/vuln/detail/CVE-2020-5236).

  • How do I fix CVE-2020-5236?

    To fix CVE-2020-5236, you need to update the Waitress package to version 1.4.3.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2024 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203