CVE-2020-5236 SUSE CVE security@suse.de SUSE Security Team SUSE CVE-2020-5236 Interim 1 18 2025-02-17T01:41:17Z current 2021-05-30T14:36:05Z 2025-02-17T01:41:17Z cve-database/bin/generate-cvrf-cve.pl 2020-12-27T01:00:00Z CVE-2020-5236 Waitress version 1.4.2 allows a DOS attack When waitress receives a header that contains invalid characters. When a header like "Bad-header: xxxxxxxxxxxxxxx\x10" is received, it will cause the regular expression engine to catastrophically backtrack causing the process to use 100% CPU time and blocking any other interactions. This allows an attacker to send a single request with an invalid header and take the service offline. This issue was introduced in version 1.4.2 when the regular expression was updated to attempt to match the behaviour required by errata associated with RFC7230. The regular expression that is used to validate incoming headers has been updated in version 1.4.3, it is recommended that people upgrade to the new version of Waitress as soon as possible. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://www.suse.com/support/security/rating/ SUSE Security Ratings HPE Helion OpenStack 8 HPE Helion OpenStack Cloud 8 SUSE Enterprise Storage 5 SUSE Linux Enterprise Module for Basesystem 15 SP1 SUSE Linux Enterprise Module for Basesystem 15 SUSE Linux Enterprise Module for Basesystem 15 SP1 SUSE Linux Enterprise Module for Basesystem 15 SUSE Linux Enterprise Module for Basesystem 15 SP1 SUSE Linux Enterprise Module for Basesystem 15 SUSE Linux Enterprise Module for Basesystem 15 SP1 SUSE Linux Enterprise Module for Basesystem 15 SUSE Linux Enterprise Module for Basesystem 15 SP1 SUSE Linux Enterprise Module for Basesystem 15 SP1 SUSE Linux Enterprise Module for Basesystem 15 SP1 SUSE Linux Enterprise Module for Basesystem 15 SP1 SUSE OpenStack Cloud 6-LTSS SUSE OpenStack Cloud 7 SUSE OpenStack Cloud 8 SUSE OpenStack Cloud 9 SUSE OpenStack Cloud Crowbar 8 SUSE OpenStack Cloud Crowbar 9 python-waitress python3-waitress python-waitress as a component of HPE Helion OpenStack 8 python-waitress as a component of HPE Helion OpenStack Cloud 8 python-waitress as a component of SUSE Enterprise Storage 5 python3-waitress as a component of SUSE Linux Enterprise Module for Basesystem 15 python-waitress as a component of SUSE Linux Enterprise Module for Basesystem 15 python3-waitress as a component of SUSE Linux Enterprise Module for Basesystem 15 SP1 python-waitress as a component of SUSE Linux Enterprise Module for Basesystem 15 SP1 python-waitress as a component of SUSE OpenStack Cloud 6-LTSS python-waitress as a component of SUSE OpenStack Cloud 7 python-waitress as a component of SUSE OpenStack Cloud 8 python-waitress as a component of SUSE OpenStack Cloud 9 python-waitress as a component of SUSE OpenStack Cloud Crowbar 8 python-waitress as a component of SUSE OpenStack Cloud Crowbar 9 Waitress version 1.4.2 allows a DOS attack When waitress receives a header that contains invalid characters. When a header like "Bad-header: xxxxxxxxxxxxxxx\x10" is received, it will cause the regular expression engine to catastrophically backtrack causing the process to use 100% CPU time and blocking any other interactions. This allows an attacker to send a single request with an invalid header and take the service offline. This issue was introduced in version 1.4.2 when the regular expression was updated to attempt to match the behaviour required by errata associated with RFC7230. The regular expression that is used to validate incoming headers has been updated in version 1.4.3, it is recommended that people upgrade to the new version of Waitress as soon as possible. CVE-2020-5236 HPE Helion OpenStack 8:python-waitress HPE Helion OpenStack Cloud 8:python-waitress SUSE Enterprise Storage 5:python-waitress SUSE Linux Enterprise Module for Basesystem 15 SP1:python-waitress SUSE Linux Enterprise Module for Basesystem 15 SP1:python3-waitress SUSE Linux Enterprise Module for Basesystem 15:python-waitress SUSE Linux Enterprise Module for Basesystem 15:python3-waitress SUSE OpenStack Cloud 6-LTSS:python-waitress SUSE OpenStack Cloud 7:python-waitress SUSE OpenStack Cloud 8:python-waitress SUSE OpenStack Cloud 9:python-waitress SUSE OpenStack Cloud Crowbar 8:python-waitress SUSE OpenStack Cloud Crowbar 9:python-waitress moderate 6.8 AV:N/AC:L/Au:S/C:N/I:N/A:C 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H