what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New
Showing 1 - 6 of 6 RSS Feed

CVE-2022-24761

Status Candidate

Overview

Waitress is a Web Server Gateway Interface server for Python 2 and 3. When using Waitress versions 2.1.0 and prior behind a proxy that does not properly validate the incoming HTTP request matches the RFC7230 standard, Waitress and the frontend proxy may disagree on where one request starts and where it ends. This would allow requests to be smuggled via the front-end proxy to waitress and later behavior. There are two classes of vulnerability that may lead to request smuggling that are addressed by this advisory: The use of Python's `int()` to parse strings into integers, leading to `+10` to be parsed as `10`, or `0x01` to be parsed as `1`, where as the standard specifies that the string should contain only digits or hex digits; and Waitress does not support chunk extensions, however it was discarding them without validating that they did not contain illegal characters. This vulnerability has been patched in Waitress 2.1.1. A workaround is available. When deploying a proxy in front of waitress, turning on any and all functionality to make sure that the request matches the RFC7230 standard. Certain proxy servers may not have this functionality though and users are encouraged to upgrade to the latest version of waitress instead.

Related Files

Debian Security Advisory 5138-1
Posted May 28, 2022
Authored by Debian | Site debian.org

Debian Linux Security Advisory 5138-1 - It was discovered that the Waitress WSGI server was susceptible to HTTP request smuggling in some scenarios when used behind a proxy.

tags | advisory, web
systems | linux, debian
advisories | CVE-2022-24761
SHA-256 | 2241679089dfb2966fd3c78912099e814e096ae44b74700360ba421e521a24f4
Download | Favorite | View
Red Hat Security Advisory 2022-1356-01
Posted Apr 22, 2022
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2022-1356-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.10.10. Issues addressed include a denial of service vulnerability.

tags | advisory, denial of service
systems | linux, redhat
advisories | CVE-2022-0778, CVE-2022-21698, CVE-2022-24761
SHA-256 | 061e45d8bbc9a93e2f28aab072a54337c36f4d00744e80e74e7ff0724801de33
Download | Favorite | View
Red Hat Security Advisory 2022-1264-01
Posted Apr 8, 2022
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2022-1264-01 - An update for python-waitress is now available for Red Hat OpenStack Platform 13 (Queens). Issues addressed include an HTTP request smuggling vulnerability.

tags | advisory, web, python
systems | linux, redhat
advisories | CVE-2022-24761
SHA-256 | f2ec7a344df1638e50aaf4db618dc136414ed93c9e83bece4658b787037764a7
Download | Favorite | View
Red Hat Security Advisory 2022-1254-01
Posted Apr 7, 2022
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2022-1254-01 - An update for python-waitress is now available for Red Hat OpenStack Platform 16.1 (Train). Issues addressed include a HTTP request smuggling vulnerability.

tags | advisory, web, python
systems | linux, redhat
advisories | CVE-2022-24761
SHA-256 | effdda3045e7a5921902a2c1f7359835efbe8f6331dc378ecabd0276c8cb947b
Download | Favorite | View
Red Hat Security Advisory 2022-1253-01
Posted Apr 6, 2022
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2022-1253-01 - An update for python-waitress is now available for Red Hat OpenStack Platform 16.2 (Train). Issues addressed include a HTTP request smuggling vulnerability.

tags | advisory, web, python
systems | linux, redhat
advisories | CVE-2022-24761
SHA-256 | a94fd8ca850d99fc7d8963f1b2fa2844535a5f9a53a94a8fb414a75d8ca45e98
Download | Favorite | View
Ubuntu Security Notice USN-5364-1
Posted Apr 5, 2022
Authored by Ubuntu | Site security.ubuntu.com

Ubuntu Security Notice 5364-1 - It was discovered that Waitress incorrectly handled certain requests. An attacker could possibly use this issue to expose sensitive information.

tags | advisory
systems | linux, ubuntu
advisories | CVE-2022-24761
SHA-256 | d02fd9b20703fed5d2dd92f48f3e7b42993eeb7c991ce317b7dcb18538ec527e
Download | Favorite | View
Page 1 of 1
Back1Next

File Archive:

September 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    261 Files
  • 2
    Sep 2nd
    0 Files
  • 3
    Sep 3rd
    0 Files
  • 4
    Sep 4th
    0 Files
  • 5
    Sep 5th
    0 Files
  • 6
    Sep 6th
    0 Files
  • 7
    Sep 7th
    0 Files
  • 8
    Sep 8th
    0 Files
  • 9
    Sep 9th
    0 Files
  • 10
    Sep 10th
    0 Files
  • 11
    Sep 11th
    0 Files
  • 12
    Sep 12th
    0 Files
  • 13
    Sep 13th
    0 Files
  • 14
    Sep 14th
    0 Files
  • 15
    Sep 15th
    0 Files
  • 16
    Sep 16th
    0 Files
  • 17
    Sep 17th
    0 Files
  • 18
    Sep 18th
    0 Files
  • 19
    Sep 19th
    0 Files
  • 20
    Sep 20th
    0 Files
  • 21
    Sep 21st
    0 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Site Links
News by Month
News Tags
Files by Month
File Tags
File Directory
About Us
History & Purpose
Contact Information
Terms of Service
Privacy Statement
Copyright Information
Services
Security Services
Hosting By
Rokasec
close