CVE-2024-49769Missing Release of Resource after Effective Lifetime in Waitress

CWE-772Missing Release of Resource after Effective Lifetime10 documents8 sources
Severity
7.5HIGHNVD
EPSS
1.2%
top 21.21%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Pylons WaitressAgendaless Waitress
Timeline
PublishedOct 29
Latest updateNov 19

Description

Waitress is a Web Server Gateway Interface server for Python 2 and 3. When a remote client closes the connection before waitress has had the opportunity to call getpeername() waitress won't correctly clean up the connection leading to the main thread attempting to write to a socket that no longer exists, but not removing it from the list of sockets to attempt to process. This leads to a busy-loop calling the write function. A remote attacker could run waitress out of available sockets with very

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

CVEListV5pylons/waitress< 3.0.1
NVDagendaless/waitress< 3.0.1

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

5
OSV
Waitress vulnerabilities2024-11-19
CVEList
Waitress has a denial of service leading to high CPU usage/resource exhaustion2024-10-29
OSV
Waitress vulnerable to DoS leading to high CPU usage/resource exhaustion2024-10-29
GHSA
Waitress vulnerable to DoS leading to high CPU usage/resource exhaustion2024-10-29
OSV
CVE-2024-49769: Waitress is a Web Server Gateway Interface server for Python 2 and 32024-10-29

📋Vendor Advisories

4
Ubuntu
Waitress vulnerabilities2024-11-19
Red Hat
waitress: Waitress has a denial of service leading to high CPU usage/resource exhaustion2024-10-29
Microsoft
Waitress has a denial of service leading to high CPU usage/resource exhaustion2024-10-08
Debian
CVE-2024-49769: waitress - Waitress is a Web Server Gateway Interface server for Python 2 and 3. When a rem...2024
CVE-2024-49769 — Pylons Waitress vulnerability | cvebase