CVSS 7.5 | CWE-444

CVE-2022-24761: HTTP Request Smuggling in waitress

First published: Thu Mar 17 2022

### Impact

When using Waitress behind a proxy that does not properly validate that the incoming HTTP request matches RFC 7230, Waitress and the front-end proxy may disagree on where one request starts and where it ends. This would allow requests to be smuggled through the front-end proxy to Waitress and alter its subsequent behaviour. Two classes of vulnerability that may lead to request smuggling are addressed by this advisory:

- The use of Python's `int()` to parse strings into integers, causing `+10` to be parsed as `10` and `0x01` to be parsed as `1`, whereas the standard specifies that the string should contain only digits or hex digits.
- Waitress does not support chunk extensions; however, it was discarding them without validating that they did not contain illegal characters.

### Patches

This has been fixed in Waitress 2.1.1.

### Workarounds

When deploying a proxy in front of Waitress, turn on any and all functionality that ensures the request matches RFC 7230. Certain proxy servers may not have this functionality, and users are encouraged to upgrade to the latest version of Waitress instead.

### References

- https://portswigger.net/research/http-desync-attacks-request-smuggling-reborn

### For more information

If you have any questions or comments about this advisory:

* Open an issue in [the GitHub issue tracker](https://github.com/Pylons/waitress/issues) (if not security related/sensitive)
* Email us at [pylons-project-security@googlegroups.com](mailto:pylons-project-security@googlegroups.com) (if security related or sensitive)
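The two parsing weaknesses above are easiest to see side by side. The following is an added example, not code from the Waitress project or from this advisory: `lenient_chunk_size` is a hypothetical reconstruction of the pattern the advisory describes (strip the chunk extension blindly, hand the remainder to `int(..., 16)`), and `strict_chunk_size` applies the RFC 7230 section 4.1 grammar for `chunk-size` and `chunk-ext` as a regular expression. The sample chunk-size lines are constructed for the demonstration. It also goes slightly beyond the advisory's two literals: `int()` additionally accepts underscores and surrounding whitespace, which the grammar likewise forbids.

```python
import re

# Strict grammar for a chunk-size line, from RFC 7230 section 4.1 / 4.1.1
# (the terminating CRLF is assumed to have been removed already):
#   chunk-size     = 1*HEXDIG
#   chunk-ext      = *( ";" chunk-ext-name [ "=" chunk-ext-val ] )
#   chunk-ext-name = token
#   chunk-ext-val  = token / quoted-string
# obs-text (0x80-0xFF) is omitted because the line is decoded as ASCII below.
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
QUOTED_STRING = r'"(?:[\t \x21\x23-\x5b\x5d-\x7e]|\\[\t \x21-\x7e])*"'
CHUNK_EXT = rf"(?:;{TOKEN}(?:=(?:{TOKEN}|{QUOTED_STRING}))?)*"
CHUNK_SIZE_LINE = re.compile(rf"([0-9A-Fa-f]+)({CHUNK_EXT})")


def lenient_chunk_size(line: bytes) -> int:
    """Hypothetical reconstruction of the pattern the advisory describes
    (not Waitress's own code): drop everything after ';' without looking
    at it, then let int() decide.  int() accepts '+10', '0x01', '1_0' and
    surrounding whitespace, none of which RFC 7230 allows."""
    size, _, _extensions = line.partition(b";")  # extension discarded unvalidated
    return int(size.strip(), 16)


def strict_chunk_size(line: bytes):
    """Parse a chunk-size line under the RFC 7230 grammar above.
    Returns the size as an int, or None when the line must be rejected."""
    try:
        text = line.decode("ascii")
    except UnicodeDecodeError:
        return None
    match = CHUNK_SIZE_LINE.fullmatch(text)
    if match is None:
        return None
    return int(match.group(1), 16)


def compare(lines):
    """Map each line to (lenient result, strict result).  A mismatch is a
    point where a grammar-following front end and a lenient back end would
    disagree about where the chunk, and therefore the request body, ends."""
    out = {}
    for line in lines:
        try:
            lenient = lenient_chunk_size(line)
        except ValueError:
            lenient = None
        out[line] = (lenient, strict_chunk_size(line))
    return out


def desync_candidates(lines):
    """Lines the lenient parser accepts but the strict parser rejects."""
    return [line for line, (lenient, strict) in compare(lines).items()
            if lenient is not None and strict is None]


# Constructed sample chunk-size lines (not taken from any real capture).
SAMPLE_LINES = [
    b"a",                       # valid: 10-byte chunk
    b"A;name=value",            # valid: token extension
    b'1f;ext="quoted value"',   # valid: quoted-string extension value
    b"+10",                     # sign: int() -> 16, grammar -> reject
    b"0x01",                    # 0x prefix: int() -> 1, grammar -> reject
    b"1_0",                     # underscore: int() -> 16, grammar -> reject
    b" a ",                     # whitespace: int() -> 10, grammar -> reject
    b"a;bad=\x00x",             # illegal byte inside a discarded extension
]

if __name__ == "__main__":
    for line, (lenient, strict) in compare(SAMPLE_LINES).items():
        flag = "" if lenient == strict else "   <-- parsers disagree"
        print(f"{line!r:28} lenient={lenient!s:5} strict={strict!s:5}{flag}")
```

Every line that `desync_candidates` reports is one where the two sides of a proxy chain could read a different chunk length, which is exactly the disagreement the advisory warns about; a back end that wants to be safe behind an arbitrary front end has to reject those lines rather than normalise them.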

Credit: security-advisories@github.com

Affected Software | Affected Version | How to fix
--- | --- | ---
Agendaless Waitress | <2.1.1 | 2.1.1
Debian Debian Linux | =9.0 | 
debian/waitress | | 1.2.0~b2-2+deb10u1, 1.4.4-1.1+deb11u1, 2.1.2-2
pip/waitress | <2.1.1 | 2.1.1


Frequently Asked Questions

  • What is CVE-2022-24761?

    CVE-2022-24761 is a vulnerability in Waitress, a Web Server Gateway Interface server for Python.

  • What is the severity of CVE-2022-24761?

    The severity of CVE-2022-24761 is high with a CVSS score of 7.5.

  • What is the affected software for CVE-2022-24761?

    The affected software for CVE-2022-24761 includes Waitress versions 2.1.0 and prior, Debian Linux 9.0, and the Debian 'waitress' package.

  • How does CVE-2022-24761 impact Waitress?

    CVE-2022-24761 can cause disagreement between Waitress and the frontend proxy on where one request starts and where another ends.

  • How can I fix CVE-2022-24761?

    To fix CVE-2022-24761, upgrade to Waitress 2.1.1 or later and ensure that any front-end proxy validates incoming HTTP requests against RFC 7230.

© 2024 SecAlerts Pty Ltd.