waitress 1.2.0b1 vulnerabilities

Known vulnerabilities in the waitress package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability	Vulnerable Version
H Missing Release of Resource after Effective Lifetime waitress is a production-quality pure-Python WSGI server with very acceptable performance. Affected versions of this package are vulnerable to Missing Release of Resource after Effective Lifetime due to the improper handling of socket connections when a remote client prematurely closes the connection, before `waitress` has had the opportunity to call `getpeername()`. An attacker can exhaust system resources and cause high CPU usage by repeatedly opening and closing connections, leading to a busy-loop in the server's socket handling. How to fix Missing Release of Resource after Effective Lifetime? Upgrade `waitress` to version 3.0.1 or higher.	[,3.0.1)
H HTTP Request Smuggling waitress is a production-quality pure-Python WSGI server with very acceptable performance. Affected versions of this package are vulnerable to HTTP Request Smuggling via the front-end proxy, due to incorrect validation. How to fix HTTP Request Smuggling? Upgrade `waitress` to version 2.1.1 or higher.	[,2.1.1)
H HTTP Request Smuggling waitress is a production-quality pure-Python WSGI server with very acceptable performance. Affected versions of this package are vulnerable to HTTP Request Smuggling. It is possible to conduct request smuggling by sending the `Content-Length` header twice. Waitress would header fold a double `Content-Length` header and due to being unable to cast the now comma separated value to an integer would set the Content-Length to `0` internally. If two Content-Length headers are sent in a single request, Waitress would treat the request as having no body, thereby treating the body of the request as a new request in HTTP pipelining. This issue is fixed in Waitress How to fix HTTP Request Smuggling? Upgrade `waitress` to version 1.4.0 or higher.	[,1.4.0)
H HTTP Request Smuggling waitress is a production-quality pure-Python WSGI server with very acceptable performance. Affected versions of this package are vulnerable to HTTP Request Smuggling. Potential HTTP pipelining issues and request smuggling attacks might be possible due to waitress not correctly responding to HTTP requests. Note: An incomplete fix was released in version 1.4.1. How to fix HTTP Request Smuggling? Upgrade `waitress` to version 1.4.2 or higher.	[,1.4.2)
H HTTP Request Smuggling waitress is a production-quality pure-Python WSGI server with very acceptable performance. Affected versions of this package are vulnerable to HTTP Request Smuggling. If a front-end server does not parse header fields with an LF the same way as it does those with a CRLF it can lead to the front-end and the back-end server parsing the same HTTP message in two different ways. This could lead to a potential for HTTP request smuggling/splitting whereby Waitress may see two requests while the front-end server only sees a single HTTP message. How to fix HTTP Request Smuggling? Upgrade `waitress` to version 1.4.0 or higher.	[,1.4.0)
H HTTP Request Smuggling waitress is a production-quality pure-Python WSGI server with very acceptable performance. Affected versions of this package are vulnerable to HTTP Request Smuggling. It would parse the `Transfer-Encoding` header and only look for a single string value, if that value was not chunked it would fall through and use the Content-Length header instead. According to the HTTP standard Transfer-Encoding should be a comma separated list, with the inner-most encoding first, followed by any further transfer codings, ending with chunked. Requests sent with: `Transfer-Encoding: gzip, chunked` would incorrectly get ignored, and the request would use a Content-Length header instead to determine the body size of the HTTP message. This could allow for Waitress to treat a single request as multiple requests in the case of HTTP pipelining. How to fix HTTP Request Smuggling? Upgrade `waitress` to version 1.4.0 or higher.	[,1.4.0)

Vulnerability

Vulnerable Version

Missing Release of Resource after Effective Lifetime

waitress is a production-quality pure-Python WSGI server with very acceptable performance.

Affected versions of this package are vulnerable to Missing Release of Resource after Effective Lifetime due to the improper handling of socket connections when a remote client prematurely closes the connection, before waitress has had the opportunity to call getpeername(). An attacker can exhaust system resources and cause high CPU usage by repeatedly opening and closing connections, leading to a busy-loop in the server's socket handling.

How to fix Missing Release of Resource after Effective Lifetime?

Upgrade waitress to version 3.0.1 or higher.

[,3.0.1)

HTTP Request Smuggling

waitress is a production-quality pure-Python WSGI server with very acceptable performance.

Affected versions of this package are vulnerable to HTTP Request Smuggling via the front-end proxy, due to incorrect validation.

How to fix HTTP Request Smuggling?

Upgrade waitress to version 2.1.1 or higher.

[,2.1.1)

HTTP Request Smuggling

waitress is a production-quality pure-Python WSGI server with very acceptable performance.

Affected versions of this package are vulnerable to HTTP Request Smuggling. It is possible to conduct request smuggling by sending the Content-Length header twice. Waitress would header fold a double Content-Length header and due to being unable to cast the now comma separated value to an integer would set the Content-Length to 0 internally. If two Content-Length headers are sent in a single request, Waitress would treat the request as having no body, thereby treating the body of the request as a new request in HTTP pipelining. This issue is fixed in Waitress

How to fix HTTP Request Smuggling?

Upgrade waitress to version 1.4.0 or higher.

[,1.4.0)

HTTP Request Smuggling

waitress is a production-quality pure-Python WSGI server with very acceptable performance.

Affected versions of this package are vulnerable to HTTP Request Smuggling. Potential HTTP pipelining issues and request smuggling attacks might be possible due to waitress not correctly responding to HTTP requests.

Note: An incomplete fix was released in version 1.4.1.

How to fix HTTP Request Smuggling?

Upgrade waitress to version 1.4.2 or higher.

[,1.4.2)

HTTP Request Smuggling

waitress is a production-quality pure-Python WSGI server with very acceptable performance.

Affected versions of this package are vulnerable to HTTP Request Smuggling. If a front-end server does not parse header fields with an LF the same way as it does those with a CRLF it can lead to the front-end and the back-end server parsing the same HTTP message in two different ways. This could lead to a potential for HTTP request smuggling/splitting whereby Waitress may see two requests while the front-end server only sees a single HTTP message.

How to fix HTTP Request Smuggling?

Upgrade waitress to version 1.4.0 or higher.

[,1.4.0)

HTTP Request Smuggling

waitress is a production-quality pure-Python WSGI server with very acceptable performance.

Affected versions of this package are vulnerable to HTTP Request Smuggling. It would parse the Transfer-Encoding header and only look for a single string value, if that value was not chunked it would fall through and use the Content-Length header instead. According to the HTTP standard Transfer-Encoding should be a comma separated list, with the inner-most encoding first, followed by any further transfer codings, ending with chunked. Requests sent with: Transfer-Encoding: gzip, chunked would incorrectly get ignored, and the request would use a Content-Length header instead to determine the body size of the HTTP message. This could allow for Waitress to treat a single request as multiple requests in the case of HTTP pipelining.

How to fix HTTP Request Smuggling?

Upgrade waitress to version 1.4.0 or higher.

[,1.4.0)

waitress@1.2.0b1 vulnerabilities

Waitress WSGI server

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

How to fix?