Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit 6080ac9ff2b0 · 2026-01-22T22:35:36.000Z
GHSA-4ppp-gpcr-7qf6 GHSA-j7j6-7hfx-5522 GHSA-vqxh-445g-37fc GHSA-vqxh-445g-37fc
diff --git a/advisories/github-reviewed/2019/12/GHSA-4ppp-gpcr-7qf6/GHSA-4ppp-gpcr-7qf6.json b/advisories/github-reviewed/2019/12/GHSA-4ppp-gpcr-7qf6/GHSA-4ppp-gpcr-7qf6.json
@@ -1,9 +1,11 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-4ppp-gpcr-7qf6",
-  "modified": "2022-03-24T17:52:19Z",
+  "modified": "2026-01-22T22:34:11Z",
   "published": "2019-12-20T23:04:35Z",
-  "aliases": [],
+  "aliases": [
+    "CVE-2019-16792"
+  ],
   "summary": "HTTP Request Smuggling: Content-Length Sent Twice in Waitress",
   "details": "### Impact\n\nWaitress would header fold a double `Content-Length` header and due to being unable to cast the now comma separated value to an integer would set the `Content-Length` to 0 internally.\n\nSo a request with:\n\n```\nContent-Length: 10\nContent-Length: 10\n```\n\nwould get transformed to:\n\n```\nContent-Length: 10, 10\n```\n\nWhich would Waitress would then internally set to `Content-Lenght: 0`.\n\nWaitress would then treat the request as having no body, thereby treating the body of the request as a new request in HTTP pipelining.\n\n### Patches\n\nThis issue is fixed in Waitress 1.4.0. This brings a range of changes to harden Waitress against potential HTTP request confusions, and may change the behaviour of Waitress behind non-conformist proxies. \n\nThe Pylons Project recommends upgrading as soon as possible, while validating that the changes in Waitress don't cause any changes in behavior.\n\n### Workarounds\n\nVarious reverse proxies may have protections against sending potentially bad HTTP requests to the backend, and or hardening against potential issues like this. If the reverse proxy doesn't use HTTP/1.1 for connecting to the backend issues are also somewhat mitigated, as HTTP pipelining does not exist in HTTP/1.0 and Waitress will close the connection after every single request (unless the Keep Alive header is explicitly sent... so this is not a fool proof security method).\n\n### Issues/more security issues:\n\n* open an issue at https://github.com/Pylons/waitress/issues (if not sensitive or security related)\n* email the Pylons Security mailing list: pylons-project-security@googlegroups.com (if security related)",
   "severity": [],
@@ -33,6 +35,10 @@
       "type": "WEB",
       "url": "https://github.com/Pylons/waitress/security/advisories/GHSA-4ppp-gpcr-7qf6"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-16792"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/Pylons/waitress/commit/575994cd42e83fd772a5f7ec98b2c56751bd3f65"
@@ -46,12 +52,16 @@
       "url": "https://github.com/Pylons/waitress"
     },
     {
-      "type": "ADVISORY",
-      "url": "https://github.com/advisories/GHSA-j7j6-7hfx-5522"
+      "type": "WEB",
+      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/waitress/PYSEC-2020-178.yaml"
     },
     {
       "type": "WEB",
-      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/waitress/PYSEC-2020-178.yaml"
+      "url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00011.html"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
     }
   ],
   "database_specific": {
diff --git a/advisories/github-reviewed/2022/05/GHSA-j7j6-7hfx-5522/GHSA-j7j6-7hfx-5522.json b/advisories/github-reviewed/2022/05/GHSA-j7j6-7hfx-5522/GHSA-j7j6-7hfx-5522.json
@@ -1,13 +1,12 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-j7j6-7hfx-5522",
-  "modified": "2022-06-27T16:10:41Z",
+  "modified": "2026-01-22T22:34:03Z",
   "published": "2022-05-24T17:07:06Z",
-  "aliases": [
-    "CVE-2019-16792"
-  ],
-  "summary": "Inconsistent Interpretation of HTTP Requests in Waitress",
-  "details": "Waitress through version 1.3.1 allows request smuggling by sending the Content-Length header twice. Waitress would header fold a double Content-Length header and due to being unable to cast the now comma separated value to an integer would set the Content-Length to 0 internally. If two Content-Length headers are sent in a single request, Waitress would treat the request as having no body, thereby treating the body of the request as a new request in HTTP pipelining. This issue is fixed in Waitress 1.4.0.",
+  "withdrawn": "2026-01-22T22:34:03Z",
+  "aliases": [],
+  "summary": "Duplicate Advisory: Inconsistent Interpretation of HTTP Requests in Waitress",
+  "details": "## Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-36p8-mvp6-cv38. This link is maintained to preserve external references.\n\n## Original Description\nWaitress through version 1.3.1 allows request smuggling by sending the Content-Length header twice. Waitress would header fold a double Content-Length header and due to being unable to cast the now comma separated value to an integer would set the Content-Length to 0 internally. If two Content-Length headers are sent in a single request, Waitress would treat the request as having no body, thereby treating the body of the request as a new request in HTTP pipelining. This issue is fixed in Waitress 1.4.0.",
   "severity": [
     {
       "type": "CVSS_V3",
diff --git a/advisories/github-reviewed/2026/01/GHSA-vqxh-445g-37fc/GHSA-vqxh-445g-37fc.json b/advisories/github-reviewed/2026/01/GHSA-vqxh-445g-37fc/GHSA-vqxh-445g-37fc.json
@@ -0,0 +1,86 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-vqxh-445g-37fc",
+  "modified": "2026-01-22T22:33:22Z",
+  "published": "2026-01-22T21:33:47Z",
+  "aliases": [
+    "CVE-2025-22234"
+  ],
+  "summary": "Spring Security has a broken timing attack mitigation implemented in DaoAuthenticationProvide",
+  "details": "The fix applied in CVE-2025-22228 inadvertently broke the timing attack mitigation implemented in DaoAuthenticationProvider. This can allow attackers to infer valid usernames or other authentication behavior via response-time differences under certain configurations.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "org.springframework.security:spring-security-core"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "6.3.8"
+            },
+            {
+              "fixed": "6.3.9"
+            }
+          ]
+        }
+      ],
+      "versions": [
+        "6.3.8"
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "org.springframework.security:spring-security-core"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "6.4.4"
+            },
+            {
+              "fixed": "6.4.5"
+            }
+          ]
+        }
+      ],
+      "versions": [
+        "6.4.4"
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-22234"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/spring-projects/spring-security"
+    },
+    {
+      "type": "WEB",
+      "url": "https://spring.io/security/cve-2025-22234"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-208"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-01-22T22:33:22Z",
+    "nvd_published_at": "2026-01-22T21:15:49Z"
+  }
+}
diff --git a/advisories/unreviewed/2026/01/GHSA-vqxh-445g-37fc/GHSA-vqxh-445g-37fc.json b/advisories/unreviewed/2026/01/GHSA-vqxh-445g-37fc/GHSA-vqxh-445g-37fc.json
