what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New
Showing 1 - 6 of 6 RSS Feed

CVE-2022-24761

Status Candidate

Overview

Waitress is a Web Server Gateway Interface server for Python 2 and 3. When using Waitress versions 2.1.0 and prior behind a proxy that does not properly validate the incoming HTTP request matches the RFC7230 standard, Waitress and the frontend proxy may disagree on where one request starts and where it ends. This would allow requests to be smuggled via the front-end proxy to waitress and later behavior. There are two classes of vulnerability that may lead to request smuggling that are addressed by this advisory: The use of Python's `int()` to parse strings into integers, leading to `+10` to be parsed as `10`, or `0x01` to be parsed as `1`, where as the standard specifies that the string should contain only digits or hex digits; and Waitress does not support chunk extensions, however it was discarding them without validating that they did not contain illegal characters. This vulnerability has been patched in Waitress 2.1.1. A workaround is available. When deploying a proxy in front of waitress, turning on any and all functionality to make sure that the request matches the RFC7230 standard. Certain proxy servers may not have this functionality though and users are encouraged to upgrade to the latest version of waitress instead.

Related Files

Debian Security Advisory 5138-1
Posted May 28, 2022
Authored by Debian | Site debian.org

Debian Linux Security Advisory 5138-1 - It was discovered that the Waitress WSGI server was susceptible to HTTP request smuggling in some scenarios when used behind a proxy.

tags | advisory, web
systems | linux, debian
advisories | CVE-2022-24761
SHA-256 | 2241679089dfb2966fd3c78912099e814e096ae44b74700360ba421e521a24f4
Download | Favorite | View
Red Hat Security Advisory 2022-1356-01
Posted Apr 22, 2022
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2022-1356-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.10.10. Issues addressed include a denial of service vulnerability.

tags | advisory, denial of service
systems | linux, redhat
advisories | CVE-2022-0778, CVE-2022-21698, CVE-2022-24761
SHA-256 | 061e45d8bbc9a93e2f28aab072a54337c36f4d00744e80e74e7ff0724801de33
Download | Favorite | View
Red Hat Security Advisory 2022-1264-01
Posted Apr 8, 2022
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2022-1264-01 - An update for python-waitress is now available for Red Hat OpenStack Platform 13 (Queens). Issues addressed include an HTTP request smuggling vulnerability.

tags | advisory, web, python
systems | linux, redhat
advisories | CVE-2022-24761
SHA-256 | f2ec7a344df1638e50aaf4db618dc136414ed93c9e83bece4658b787037764a7
Download | Favorite | View
Red Hat Security Advisory 2022-1254-01
Posted Apr 7, 2022
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2022-1254-01 - An update for python-waitress is now available for Red Hat OpenStack Platform 16.1 (Train). Issues addressed include a HTTP request smuggling vulnerability.

tags | advisory, web, python
systems | linux, redhat
advisories | CVE-2022-24761
SHA-256 | effdda3045e7a5921902a2c1f7359835efbe8f6331dc378ecabd0276c8cb947b
Download | Favorite | View
Red Hat Security Advisory 2022-1253-01
Posted Apr 6, 2022
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2022-1253-01 - An update for python-waitress is now available for Red Hat OpenStack Platform 16.2 (Train). Issues addressed include a HTTP request smuggling vulnerability.

tags | advisory, web, python
systems | linux, redhat
advisories | CVE-2022-24761
SHA-256 | a94fd8ca850d99fc7d8963f1b2fa2844535a5f9a53a94a8fb414a75d8ca45e98
Download | Favorite | View
Ubuntu Security Notice USN-5364-1
Posted Apr 5, 2022
Authored by Ubuntu | Site security.ubuntu.com

Ubuntu Security Notice 5364-1 - It was discovered that Waitress incorrectly handled certain requests. An attacker could possibly use this issue to expose sensitive information.

tags | advisory
systems | linux, ubuntu
advisories | CVE-2022-24761
SHA-256 | d02fd9b20703fed5d2dd92f48f3e7b42993eeb7c991ce317b7dcb18538ec527e
Download | Favorite | View
Page 1 of 1
Back1Next

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Site Links
News by Month
News Tags
Files by Month
File Tags
File Directory
About Us
History & Purpose
Contact Information
Terms of Service
Privacy Statement
Copyright Information
Services
Security Services
Hosting By
Rokasec
close