CVE-2022-24761

Summary

CVE: CVE-2022-24761
State: PUBLIC
Assigner: [email protected]
Source Priority: CVE Program / NVD first with legacy fallback
Published: 2022-03-17 13:15:00 UTC
Updated: 2022-09-23 18:57:00 UTC

Description:

Waitress is a Web Server Gateway Interface (WSGI) server for Python 2 and 3. When Waitress 2.1.0 or earlier runs behind a proxy that does not properly validate that the incoming HTTP request matches the RFC 7230 standard, Waitress and the front-end proxy may disagree on where one request starts and where it ends. This would allow requests to be smuggled via the front-end proxy to Waitress and affect later behavior.

Two classes of vulnerability that may lead to request smuggling are addressed by this advisory:

  • The use of Python's `int()` to parse strings into integers, which causes `+10` to be parsed as `10` and `0x01` to be parsed as `1`, whereas the standard specifies that the string should contain only digits or hex digits.
  • Waitress does not support chunk extensions, but it was discarding them without validating that they did not contain illegal characters.

This vulnerability has been patched in Waitress 2.1.1. A workaround is available: when deploying a proxy in front of Waitress, turn on any and all functionality that makes sure the request matches the RFC 7230 standard. Certain proxy servers may not have this functionality, though, and users are encouraged to upgrade to the latest version of Waitress instead.
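The two parsing weaknesses named in the description can be illustrated side by side with strict RFC 7230 grammar checks. The example below is added here and is not Waitress's own code or its fix; the function and class names (`strict_content_length`, `strict_chunk_size`, `MalformedRequest`, and so on) are this example's own. The "lenient" functions reproduce the pre-fix behaviour the advisory describes (bare `int()` and `int(x, 16)`); the "strict" functions accept only `1*DIGIT` for Content-Length and `1*HEXDIG` for chunk-size, and walk any chunk extension against the `token` / `quoted-string` grammar instead of discarding it unchecked. A backend that rejects such values with a 400 removes the ambiguity a front-end proxy could otherwise be made to disagree about.

```python
import string

# Strict RFC 7230 grammars (added example, not Waitress's own code):
#   Content-Length = 1*DIGIT
#   chunk-size     = 1*HEXDIG
#   chunk-ext      = *( ";" chunk-ext-name [ "=" chunk-ext-val ] )
#   chunk-ext-name = token ; chunk-ext-val = token / quoted-string
_DIGIT = set(string.digits)
_HEXDIG = set(string.hexdigits)
_TCHAR = set("!#$%&'*+-.^_`|~" + string.ascii_letters + string.digits)
# qdtext: HTAB / SP / %x21 / %x23-5B / %x5D-7E (obs-text deliberately excluded)
_QDTEXT = {"\t", " ", "\x21"} | {chr(c) for c in range(0x23, 0x5C)} | {chr(c) for c in range(0x5D, 0x7F)}
# quoted-pair: "\" followed by HTAB / SP / VCHAR
_QPAIR = {"\t", " "} | {chr(c) for c in range(0x21, 0x7F)}


class MalformedRequest(ValueError):
    """Header value does not match the RFC 7230 grammar; the request should get a 400."""


def lenient_content_length(value: str) -> int:
    """Pre-fix behaviour described in the advisory: bare int() accepts '+10', ' 10 ', '1_0'."""
    return int(value)


def strict_content_length(value: str) -> int:
    """Accept only 1*DIGIT so proxy and backend cannot disagree on the body length."""
    if not value or any(c not in _DIGIT for c in value):
        raise MalformedRequest(f"invalid Content-Length {value!r}")
    return int(value, 10)


def lenient_chunk_size(line: str) -> int:
    """Pre-fix behaviour: int(size, 16) accepts '0x01' and '+a'; extensions are dropped unchecked."""
    size, _, _ = line.partition(";")
    return int(size, 16)


def strict_chunk_size(line: str) -> int:
    """Parse 'chunk-size [chunk-ext]' strictly: 1*HEXDIG, then fully validated extensions."""
    idx = line.find(";")
    size, ext = (line, "") if idx < 0 else (line[:idx], line[idx:])
    if not size or any(c not in _HEXDIG for c in size):
        raise MalformedRequest(f"invalid chunk-size {size!r}")
    validate_chunk_extensions(ext)
    return int(size, 16)


def _scan_token(s: str, i: int, what: str) -> int:
    """Consume a non-empty run of tchar starting at s[i]; return the index after it."""
    j = i
    while j < len(s) and s[j] in _TCHAR:
        j += 1
    if j == i:
        raise MalformedRequest(f"{what} must be a non-empty token at offset {i}")
    return j


def _scan_quoted_string(s: str, i: int) -> int:
    """s[i] is the opening DQUOTE; return the index just past the closing DQUOTE."""
    j = i + 1
    while j < len(s):
        c = s[j]
        if c == '"':
            return j + 1
        if c == "\\":
            j += 1
            if j >= len(s) or s[j] not in _QPAIR:
                raise MalformedRequest("bad quoted-pair in chunk-ext-val")
        elif c not in _QDTEXT:
            raise MalformedRequest(f"illegal character {c!r} in quoted-string")
        j += 1
    raise MalformedRequest("unterminated quoted-string in chunk-ext-val")


def validate_chunk_extensions(ext: str) -> None:
    """Walk ext (everything from the first ';' onward) and reject anything outside the grammar."""
    i = 0
    while i < len(ext):
        if ext[i] != ";":
            raise MalformedRequest(f"expected ';' at offset {i} in chunk-ext")
        i = _scan_token(ext, i + 1, "chunk-ext-name")
        if i < len(ext) and ext[i] == "=":
            i += 1
            if i < len(ext) and ext[i] == '"':
                i = _scan_quoted_string(ext, i)
            else:
                i = _scan_token(ext, i, "chunk-ext-val")


def rejects(parser, value: str) -> bool:
    """True if the given parser refuses the value with MalformedRequest."""
    try:
        parser(value)
    except MalformedRequest:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample header values showing where lenient and strict parsing diverge.
    for v in ("10", "+10", "1_0"):
        print(f"Content-Length {v!r}: int() -> {lenient_content_length(v)}, strict rejects={rejects(strict_content_length, v)}")
    for v in ("a", "0x01", "+a", "a;name=value", 'a;ext="x;y"', "a;bad name"):
        strict = "rejected" if rejects(strict_chunk_size, v) else strict_chunk_size(v)
        print(f"chunk line {v!r}: int(size,16) -> {lenient_chunk_size(v)}, strict -> {strict}")
```

The strict parser follows the RFC 7230 production without the optional whitespace that RFC 9112 later allowed around `;` and `=`, which is the conservative choice for a backend that wants the same view of the message as any well-behaved proxy in front of it.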

Risk And Classification

Problem Types: CWE-444

NVD Known Affected Configurations (CPE 2.3)

Type | Vendor | Product | Version | Update | Edition | Language
Application | Agendaless | Waitress | All | All | All | All
Operating System | Debian | Debian Linux | 9.0 | All | All | All

References

Reference | Source | Link | Tags
[SECURITY] [DLA 3000-1] waitress security update | MLIST | lists.debian.org |
Release v2.1.1: Merge pull request from GHSA-4f7p-27jc-3c36 · Pylons/waitress · GitHub | MISC | github.com |
Merge pull request from GHSA-4f7p-27jc-3c36 · Pylons/waitress@9e0b8c8 · GitHub | MISC | github.com |
Debian -- Security Information -- DSA-5138-1 waitress | DEBIAN | www.debian.org |
Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') in waitress · Advisory · Pylons/waitress · GitHub | CONFIRM | github.com |
CVE Program record | CVE.ORG | www.cve.org | canonical
NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis

Legacy QID Mappings

  • 179276 Debian Security Update for waitress (DLA 3000-1)
  • 179293 Debian Security Update for waitress (DSA 5138-1)
  • 183960 Debian Security Update for waitress (CVE-2022-24761)
  • 198729 Ubuntu Security Notification for Waitress Vulnerability (USN-5364-1)
  • 240202 Red Hat Update for OpenStack Platform 16.2 (RHSA-2022:1253)
  • 240203 Red Hat Update for OpenStack Platform 16.1 (RHSA-2022:1254)
  • 240204 Red Hat Update for OpenStack Platform 13.0 (RHSA-2022:1264)
  • 354473 Amazon Linux Security Advisory for python-waitress : ALAS2022-2022-235
  • 354558 Amazon Linux Security Advisory for python-waitress : ALAS-2022-235
  • 671899 EulerOS Security Update for python-waitress (EulerOS-SA-2022-1948)
  • 752723 SUSE Enterprise Linux Security Update for python-waitress (SUSE-SU-2022:3731-1)
© CVE.report 2026
