CVSSv3: 6.5

CVE-2020-5236

Published: 04/02/2020 Updated: 06/02/2020
CVSS v2 Base Score: 6.8 | Impact Score: 6.9 | Exploitability Score: 8.0
CVSS v3 Base Score: 6.5 | Impact Score: 3.6 | Exploitability Score: 2.8
VMScore: 606
CVSS v2 Vector: AV:N/AC:L/Au:S/C:N/I:N/A:C

Vulnerability Summary

Waitress version 1.4.2 allows a DoS attack when Waitress receives a header that contains invalid characters. When a header like "Bad-header: xxxxxxxxxxxxxxx\x10" is received, the regular expression engine backtracks catastrophically, causing the process to consume 100% CPU time and blocking all other interactions. A malicious user can therefore send a single request with an invalid header and take the service offline. This issue was introduced in version 1.4.2, when the regular expression was updated to attempt to match the behaviour required by the errata associated with RFC 7230. The regular expression used to validate incoming headers was updated in version 1.4.3; it is recommended that users upgrade to the new version of Waitress as soon as possible.
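To make the failure mode concrete, the following is an added example and not Waitress's own code: it puts a header-value validator with an ambiguous nested quantifier (the shape that backtracks catastrophically) next to a single-character-class pattern that rejects the same input in linear time, and runs both over a constructed request carrying the "Bad-header" value from the advisory. The two patterns, the helper names (`is_valid_value`, `time_match`, `check_headers`) and the sample request are assumptions for illustration; the "safe" pattern is not the exact regular expression that shipped in Waitress 1.4.3.

```python
import re
import time

# Constructed example, not Waitress's code.  A header-value validator written
# as "one or more visible ASCII chars, then optional blanks", repeated any
# number of times.  Valid input matches on the first attempt, but when the
# value ends in a byte that fits neither class (e.g. \x10) the engine tries
# every way of splitting the run of 'x' bytes between the inner + and the
# outer *, roughly 2**n attempts before it can report "no match".
VULNERABLE_HEADER_VALUE = re.compile(rb"\A(?:[!-~]+[ \t]*)*\Z")

# Constructed linear-time alternative (illustrative; not the exact pattern
# shipped in Waitress 1.4.3).  One character class admits VCHAR, SP, HTAB and
# obs-text (0x80-0xFF) from RFC 7230, so there is exactly one way to consume
# any input and rejection costs O(n).
SAFE_HEADER_VALUE = re.compile(rb"\A[ \t!-~\x80-\xff]*\Z")


def is_valid_value(pattern, value: bytes) -> bool:
    """Return True if the header value is accepted by the given validator."""
    return pattern.match(value) is not None


def time_match(pattern, n: int) -> float:
    """Seconds spent rejecting a value of n 'x' bytes followed by \\x10."""
    payload = b"x" * n + b"\x10"
    start = time.perf_counter()
    is_valid_value(pattern, payload)
    return time.perf_counter() - start


def check_headers(raw_request: bytes, pattern):
    """Split a raw HTTP/1.1 request head and validate every field value.

    Returns a list of (name, value, ok) tuples; the request line is skipped.
    Constructed helper for the example, not Waitress's parser.
    """
    head = raw_request.split(b"\r\n\r\n", 1)[0]
    results = []
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        value = value.strip(b" \t")  # strip only SP/HTAB, keep control bytes
        results.append((name, value, is_valid_value(pattern, value)))
    return results


# Constructed request carrying the malformed header quoted in the advisory.
BAD_REQUEST = b"".join([
    b"GET / HTTP/1.1\r\n",
    b"Host: example.invalid\r\n",
    b"Bad-header: " + b"x" * 15 + b"\x10\r\n",
    b"\r\n",
])

if __name__ == "__main__":
    print("vulnerable pattern, rejection time vs. length of the 'x' run:")
    for n in (8, 10, 12, 14, 16):
        print(f"  n={n:2d}  {time_match(VULNERABLE_HEADER_VALUE, n):.4f}s")
    print(f"safe pattern, n=100000: {time_match(SAFE_HEADER_VALUE, 100000):.6f}s")
    for name, value, ok in check_headers(BAD_REQUEST, SAFE_HEADER_VALUE):
        print(f"  {name.decode()}: {'ok' if ok else 'REJECT'}")
```

Each extra pair of 'x' bytes roughly quadruples the vulnerable pattern's rejection time, which is why a single request with a few dozen bytes in the value pins a worker at 100% CPU, while the single-class pattern rejects a 100 kB value in microseconds. When reviewing a fix for a bug of this kind, check that the replacement pattern has no two adjacent quantified sub-expressions that can match the same bytes, and time it on an invalid input of the reported shape, not only on valid ones.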

Vulnerable Products

agendaless waitress 1.4.2

Github Repositories

Waitress 1.4.2 ReDoS - CVE-2020-5236 (Blog Sample Code)

Waitress 1.4.2 ReDoS - CVE-2020-5236. Waitress version 1.4.2 allows a DoS attack when Waitress receives a header that contains invalid characters. When a header like "Bad-header: xxxxxxxxxxxxxxx\x10" is received, it will cause the regular expression engine to catastrophically backtrack, causing the process to use 100% CPU time and blocking any other interactions. This

security-constraints: fetches security vulnerabilities and creates pip constraints based on them.

security-constraints is a command-line application used to fetch security vulnerabilities in Python packages from external sources and generate version constraints for the packages from them. The constraints can then be given to pip install with the -c option, either on the command line or in a requirements file. Installation: just install it with pip: pip i