CVE-2022-24761 — HTTP Request Smuggling in Waitress

CWE-444 — HTTP Request Smuggling10 documents9 sources

Severity

7.5HIGHNVD

EPSS

0.4%

top 42.47%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Pylons Waitress Agendaless Waitress Debian Linux

Timeline

PublishedMar 17

Latest updateOct 15

Description

Waitress is a Web Server Gateway Interface server for Python 2 and 3. When using Waitress versions 2.1.0 and prior behind a proxy that does not properly validate the incoming HTTP request matches the RFC7230 standard, Waitress and the frontend proxy may disagree on where one request starts and where it ends. This would allow requests to be smuggled via the front-end proxy to waitress and later behavior. There are two classes of vulnerability that may lead to request smuggling that are addressed …

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

▶CVEListV5pylons/waitress< 2.1.1

▶NVDagendaless/waitress< 2.1.1

Also affects: Debian Linux 9.0

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

HTTP Request Smuggling in waitress↗2022-03-18

▶

OSV

HTTP Request Smuggling in waitress↗2022-03-18

▶

OSV

CVE-2022-24761: Waitress is a Web Server Gateway Interface server for Python 2 and 3↗2022-03-17

▶

CVEList

HTTP Request Smuggling in waitress↗2022-03-17

▶

📋Vendor Advisories

Oracle

Oracle Oracle Communications Risk Matrix: DBTier (waitress) — CVE-2022-24761↗2022-10-15

▶

Ubuntu

Waitress vulnerability↗2022-04-05

▶

Red Hat

waitress: Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')↗2022-03-17

▶

Microsoft

HTTP Request Smuggling in waitress↗2022-03-08

▶

Debian

CVE-2022-24761: waitress - Waitress is a Web Server Gateway Interface server for Python 2 and 3. When using...↗2022

▶