CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-49768 – Waitress has request processing race condition in HTTP pipelining with invalid first request
https://notcve.org/view.php?id=CVE-2024-49768
Waitress is a Web Server Gateway Interface server for Python 2 and 3. A remote client may send a request that is exactly recv_bytes (defaults to 8192) long, followed by a secondary request using HTTP pipelining. When request lookahead is disabled (default) we won't read any more requests, and when the first request fails due to a parsing error, we simply close the connection. However when request lookahead is enabled, it is possible to process and receive the first request, start sending the error message back to the client while we read the next request and queue it. This will allow the secondary request to be serviced by the worker thread while the connection should be closed. • https://github.com/Pylons/waitress/commit/e4359018537af376cf24bd13616d861e2fb76f65 https://github.com/Pylons/waitress/security/advisories/GHSA-9298-4cf8-g4wj https://access.redhat.com/security/cve/CVE-2024-49768 https://bugzilla.redhat.com/show_bug.cgi?id=2322460 • CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-49769 – Waitress has a denial of service leading to high CPU usage/resource exhaustion
https://notcve.org/view.php?id=CVE-2024-49769
Waitress is a Web Server Gateway Interface server for Python 2 and 3. When a remote client closes the connection before waitress has had the opportunity to call getpeername() waitress won't correctly clean up the connection leading to the main thread attempting to write to a socket that no longer exists, but not removing it from the list of sockets to attempt to process. This leads to a busy-loop calling the write function. A remote attacker could run waitress out of available sockets with very little resources required. Waitress 3.0.1 contains fixes that remove the race condition. • https://github.com/Pylons/waitress/commit/1ae4e894c9f76543bee06584001583fc6fa8c95c https://github.com/Pylons/waitress/issues/418 https://github.com/Pylons/waitress/pull/435 https://github.com/Pylons/waitress/security/advisories/GHSA-3f84-rpwh-47g6 https://access.redhat.com/security/cve/CVE-2024-49769 https://bugzilla.redhat.com/show_bug.cgi?id=2322461 • CWE-772: Missing Release of Resource after Effective Lifetime •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-42353 – WebOb's location header normalization during redirect leads to open redirect
https://notcve.org/view.php?id=CVE-2024-42353
WebOb provides objects for HTTP requests and responses. When WebOb normalizes the HTTP Location header to include the request hostname, it does so by parsing the URL that the user is to be redirected to with Python's urlparse, and joining it to the base URL. `urlparse` however treats a `//` at the start of a string as a URI without a scheme, and then treats the next part as the hostname. `urljoin` will then use that hostname from the second part as the hostname replacing the original one from the request. This vulnerability is patched in WebOb version 1.8.8. • https://github.com/Pylons/webob/security/advisories/GHSA-mg3v-6m49-jhp3 https://github.com/Pylons/webob/commit/f689bcf4f0a1f64f1735b1d5069aef5be6974b5b https://access.redhat.com/security/cve/CVE-2024-42353 https://bugzilla.redhat.com/show_bug.cgi?id=2305004 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •