Waitress Security Vulnerabilities and Issues — Waitress CVE List

Lucene search

AgendalessWaitress

9 matches found

CVE•added 2019/12/20 11:15 p.m.•274 views

CVE-2019-16786

Waitress through version 1.3.1 would parse the Transfer-Encoding header and only look for a single string value, if that value was not chunked it would fall through and use the Content-Length header instead. According to the HTTP standard Transfer-Encoding should be a comma separated list, with the...

7.5CVSS7AI score0.00516EPSS

CVE•added 2019/12/20 11:15 p.m.•264 views

CVE-2019-16785

Waitress through version 1.3.1 implemented a "MAY" part of the RFC7230 which states: "Although the line terminator for the start-line and header fields is the sequence CRLF, a recipient MAY recognize a single LF as a line terminator and ignore any preceding CR." Unfortunately if a front-end server ...

7.5CVSS7.1AI score0.00433EPSS

CVE•added 2019/12/26 5:15 p.m.•224 views

CVE-2019-16789

In Waitress through version 1.4.0, if a proxy server is used in front of waitress, an invalid request may be sent by an attacker that bypasses the front-end and is parsed differently by waitress leading to a potential for HTTP request smuggling. Specially crafted requests containing special whitesp...

8.2CVSS6.8AI score0.0035EPSS

CVE•added 2020/01/22 7:15 p.m.•169 views

CVE-2019-16792

Waitress through version 1.3.1 allows request smuggling by sending the Content-Length header twice. Waitress would header fold a double Content-Length header and due to being unable to cast the now comma separated value to an integer would set the Content-Length to 0 internally. If two Content-Leng...

7.5CVSS6.9AI score0.00851EPSS

CVE•added 2022/03/17 1:15 p.m.•145 views

CVE-2022-24761

Waitress is a Web Server Gateway Interface server for Python 2 and 3. When using Waitress versions 2.1.0 and prior behind a proxy that does not properly validate the incoming HTTP request matches the RFC7230 standard, Waitress and the frontend proxy may disagree on where one request starts and wher...

7.5CVSS7.5AI score0.00227EPSS

CVE•added 2022/05/31 11:15 p.m.•115 views

CVE-2022-31015

Waitress is a Web Server Gateway Interface server for Python 2 and 3. Waitress versions 2.1.0 and 2.1.1 may terminate early due to a thread closing a socket while the main thread is about to call select(). This will lead to the main thread raising an exception that is not handled and then causing t...

6.5CVSS5.6AI score0.00443EPSS

CVE•added 2020/02/04 3:15 a.m.•103 views

CVE-2020-5236

Waitress version 1.4.2 allows a DOS attack When waitress receives a header that contains invalid characters. When a header like "Bad-header: xxxxxxxxxxxxxxx\x10" is received, it will cause the regular expression engine to catastrophically backtrack causing the process to use 100% CPU time and block...

6.8CVSS5.8AI score0.15498EPSS

CVE•added 2024/10/29 3:15 p.m.•77 views

CVE-2024-49768

Waitress is a Web Server Gateway Interface server for Python 2 and 3. A remote client may send a request that is exactly recv_bytes (defaults to 8192) long, followed by a secondary request using HTTP pipelining. When request lookahead is disabled (default) we won't read any more requests, and when ...

9.1CVSS6.1AI score0.00031EPSS

CVE•added 2024/10/29 3:15 p.m.•61 views

CVE-2024-49769

Waitress is a Web Server Gateway Interface server for Python 2 and 3. When a remote client closes the connection before waitress has had the opportunity to call getpeername() waitress won't correctly clean up the connection leading to the main thread attempting to write to a socket that no longer e...

7.5CVSS7.5AI score0.00349EPSS