Agendaless Waitress vulnerabilities

9 known vulnerabilities affecting agendaless/waitress.

Total CVEs
9
CISA KEV
0
Public exploits
0
Exploited in wild
0
Severity breakdown
HIGH6MEDIUM3

Vulnerabilities

Page 1 of 1
CVE-2024-49769HIGHCVSS 7.5fixed in 3.0.12024-10-29
CVE-2024-49769 [HIGH] CWE-772 CVE-2024-49769: Waitress is a Web Server Gateway Interface server for Python 2 and 3. When a remote client closes th Waitress is a Web Server Gateway Interface server for Python 2 and 3. When a remote client closes the connection before waitress has had the opportunity to call getpeername() waitress won't correctly clean up the connection leading to the main thread attempting to write to a socket that no longer exists, but not removing it from the list of sockets to
nvd
CVE-2024-49768MEDIUMCVSS 4.8≥ 2.0.0, < 3.0.12024-10-29
CVE-2024-49768 [MEDIUM] CWE-367 CVE-2024-49768: Waitress is a Web Server Gateway Interface server for Python 2 and 3. A remote client may send a req Waitress is a Web Server Gateway Interface server for Python 2 and 3. A remote client may send a request that is exactly recv_bytes (defaults to 8192) long, followed by a secondary request using HTTP pipelining. When request lookahead is disabled (default) we won't read any more requests, and when the first request fails due to a parsing error, we s
nvd
CVE-2022-31015MEDIUMCVSS 5.9≥ 2.1.0, < 2.1.22022-05-31
CVE-2022-31015 [MEDIUM] CWE-248 CVE-2022-31015: Waitress is a Web Server Gateway Interface server for Python 2 and 3. Waitress versions 2.1.0 and 2. Waitress is a Web Server Gateway Interface server for Python 2 and 3. Waitress versions 2.1.0 and 2.1.1 may terminate early due to a thread closing a socket while the main thread is about to call select(). This will lead to the main thread raising an exception that is not handled and then causing the entire application to be killed. This issue has b
nvd
CVE-2022-24761HIGHCVSS 7.5fixed in 2.1.12022-03-17
CVE-2022-24761 [HIGH] CWE-444 CVE-2022-24761: Waitress is a Web Server Gateway Interface server for Python 2 and 3. When using Waitress versions 2 Waitress is a Web Server Gateway Interface server for Python 2 and 3. When using Waitress versions 2.1.0 and prior behind a proxy that does not properly validate the incoming HTTP request matches the RFC7230 standard, Waitress and the frontend proxy may disagree on where one request starts and where it ends. This would allow requests to be smuggled vi
nvd
CVE-2020-5236MEDIUMCVSS 6.5v1.4.22020-02-04
CVE-2020-5236 [MEDIUM] CWE-400 CVE-2020-5236: Waitress version 1.4.2 allows a DOS attack When waitress receives a header that contains invalid cha Waitress version 1.4.2 allows a DOS attack When waitress receives a header that contains invalid characters. When a header like "Bad-header: xxxxxxxxxxxxxxx\x10" is received, it will cause the regular expression engine to catastrophically backtrack causing the process to use 100% CPU time and blocking any other interactions. This allows an attacker to
nvd
CVE-2019-16792HIGHCVSS 7.5≤ 1.3.12020-01-22
CVE-2019-16792 [HIGH] CWE-444 CVE-2019-16792: Waitress through version 1.3.1 allows request smuggling by sending the Content-Length header twice. Waitress through version 1.3.1 allows request smuggling by sending the Content-Length header twice. Waitress would header fold a double Content-Length header and due to being unable to cast the now comma separated value to an integer would set the Content-Length to 0 internally. If two Content-Length headers are sent in a single request, Waitress would
nvd
CVE-2019-16789HIGHCVSS 8.2≤ 1.4.02019-12-26
CVE-2019-16789 [HIGH] CWE-444 CVE-2019-16789: In Waitress through version 1.4.0, if a proxy server is used in front of waitress, an invalid reques In Waitress through version 1.4.0, if a proxy server is used in front of waitress, an invalid request may be sent by an attacker that bypasses the front-end and is parsed differently by waitress leading to a potential for HTTP request smuggling. Specially crafted requests containing special whitespace characters in the Transfer-Encoding header would g
nvd
CVE-2019-16786HIGHCVSS 7.5fixed in 1.3.12019-12-20
CVE-2019-16786 [HIGH] CWE-444 CVE-2019-16786: Waitress through version 1.3.1 would parse the Transfer-Encoding header and only look for a single s Waitress through version 1.3.1 would parse the Transfer-Encoding header and only look for a single string value, if that value was not chunked it would fall through and use the Content-Length header instead. According to the HTTP standard Transfer-Encoding should be a comma separated list, with the inner-most encoding first, followed by any further tr
nvd
CVE-2019-16785HIGHCVSS 7.5≤ 1.3.12019-12-20
CVE-2019-16785 [HIGH] CWE-444 CVE-2019-16785: Waitress through version 1.3.1 implemented a "MAY" part of the RFC7230 which states: "Although the l Waitress through version 1.3.1 implemented a "MAY" part of the RFC7230 which states: "Although the line terminator for the start-line and header fields is the sequence CRLF, a recipient MAY recognize a single LF as a line terminator and ignore any preceding CR." Unfortunately if a front-end server does not parse header fields with an LF the same way a
nvd