HTTP Request Smuggling Affecting python3-waitress package, versions <0:2.0.0-1.el8ost
Threat Intelligence
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-RHEL8-PYTHON3WAITRESS-4378317
- published26 Mar 2023
- disclosed17 Mar 2022
Introduced: 17 Mar 2022
CVE-2022-24761 (opens in a new tab)How to fix?
Upgrade RHEL:8 python3-waitress to version 0:2.0.0-1.el8ost or higher.
This issue was patched in RHSA-2022:1254.
NVD Description
Note: Versions mentioned in the description apply only to the upstream python3-waitress package and not the python3-waitress package as distributed by RHEL.
See How to fix? for RHEL:8 relevant fixed versions and status.
Waitress is a Web Server Gateway Interface server for Python 2 and 3. When using Waitress versions 2.1.0 and prior behind a proxy that does not properly validate the incoming HTTP request matches the RFC7230 standard, Waitress and the frontend proxy may disagree on where one request starts and where it ends. This would allow requests to be smuggled via the front-end proxy to waitress and later behavior. There are two classes of vulnerability that may lead to request smuggling that are addressed by this advisory: The use of Python's int() to parse strings into integers, leading to +10 to be parsed as 10, or 0x01 to be parsed as 1, where as the standard specifies that the string should contain only digits or hex digits; and Waitress does not support chunk extensions, however it was discarding them without validating that they did not contain illegal characters. This vulnerability has been patched in Waitress 2.1.1. A workaround is available. When deploying a proxy in front of waitress, turning on any and all functionality to make sure that the request matches the RFC7230 standard. Certain proxy servers may not have this functionality though and users are encouraged to upgrade to the latest version of waitress instead.
References
- https://access.redhat.com/security/cve/CVE-2022-24761
- https://github.com/Pylons/waitress/commit/9e0b8c801e4d505c2ffc91b891af4ba48af715e0
- https://github.com/Pylons/waitress/releases/tag/v2.1.1
- https://github.com/Pylons/waitress/security/advisories/GHSA-4f7p-27jc-3c36
- https://lists.debian.org/debian-lts-announce/2022/05/msg00011.html
- https://www.debian.org/security/2022/dsa-5138