PT-2022-4802 · Waitress+6

Zeyu2001 · Published 2022-03-17 · Updated 2026-04-01 · CVE-2022-24761

CVSS v4.0: 8.7 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Waitress versions 2.1.0 and prior

Description: The issue is related to the handling of HTTP requests in Waitress, a Web Server Gateway Interface (WSGI) server for Python 2 and 3. When Waitress is used behind a proxy that does not validate incoming HTTP requests against RFC 7230, Waitress and the front-end proxy may disagree on where one request starts and the next ends. This can allow requests to be smuggled through the front-end proxy to Waitress, potentially leading to data integrity issues. Two classes of weakness contribute to this issue: the use of Python's int() to parse strings into integers, which accepts forms the RFC does not (e.g., "+10" being parsed as 10, or "0x01" as 1), and Waitress's handling of chunk extensions, which it discarded without checking for illegal characters.
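To make the parsing gap in the description concrete, the following added example (written for this page; it is not Waitress's code or the advisory's) contrasts a lenient chunk-size parser that behaves as the description says (split at ';', hand the rest to int(..., 16)) with a strict parser that accepts only the RFC 7230 chunk-line grammar. The sample chunk lines are constructed, and the strict grammar deliberately omits the optional bad whitespace around ';' and '=' that the RFC errata tolerate. The output is the list of inputs the two parsers read differently, which is exactly the set a conforming front-end should reject before forwarding.

```python
import re
from typing import Optional

# Constructed chunk-size lines (the text preceding CRLF at the start of a
# chunked-encoding chunk). These are illustrative inputs, not captured traffic.
SAMPLES = [
    b"a",           # plain hex size, valid under RFC 7230
    b"A",           # uppercase hex is also valid
    b"+a",          # sign prefix: int() accepts it, the RFC does not
    b"0xa",         # 0x prefix: int(..., 16) accepts it, the RFC does not
    b" a",          # leading whitespace: int() strips it, the RFC does not
    b"-1",          # negative: int() yields -1, which no RFC parser produces
    b"a;ext=1",     # well-formed chunk extension
    b"a;bad ext",   # whitespace inside the extension is not token-legal
    b"a_b",         # underscore digit grouping: int() reads 0xab, the RFC does not
]


def lenient_chunk_size(line: bytes) -> Optional[int]:
    """Parse the way the advisory describes the lenient behaviour: drop
    everything from ';' onward without validation and hand the remainder
    to int(..., 16). Returns None only when int() itself rejects the text."""
    size_part = line.split(b";", 1)[0]
    try:
        return int(size_part, 16)
    except ValueError:
        return None


# RFC 7230 grammar for the chunk line (chunk-size *chunk-ext), without the
# optional bad whitespace around ';' and '=' that the errata tolerate.
TOKEN = rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
QDTEXT_OR_PAIR = rb"(?:[\t !#-\[\]-~\x80-\xff]|\\[\t -~\x80-\xff])"
QUOTED_STRING = rb'"' + QDTEXT_OR_PAIR + rb'*"'
CHUNK_EXT = rb"(?:;" + TOKEN + rb"(?:=(?:" + TOKEN + rb"|" + QUOTED_STRING + rb"))?)*"
CHUNK_LINE = re.compile(rb"\A(?P<size>[0-9A-Fa-f]+)" + CHUNK_EXT + rb"\Z")


def strict_chunk_size(line: bytes) -> Optional[int]:
    """Accept only what the RFC grammar allows; anything else is rejected
    (None) rather than coerced into a number."""
    match = CHUNK_LINE.match(line)
    if match is None:
        return None
    # The size group is pure HEXDIG, so int(..., 16) sees nothing surprising.
    return int(match.group("size"), 16)


def disagreements(lines):
    """Return (line, lenient, strict) for every input the two parsers read
    differently. Each entry is a chunk line a conforming proxy would reject
    but a lenient backend would accept: a point where the two could disagree
    about where the request body ends."""
    out = []
    for line in lines:
        lenient, strict = lenient_chunk_size(line), strict_chunk_size(line)
        if lenient != strict:
            out.append((line, lenient, strict))
    return out


if __name__ == "__main__":
    for line, lenient, strict in disagreements(SAMPLES):
        print(f"{line!r:16} lenient={lenient!r:6} strict={strict!r}")
```

Run stand-alone, the script lists six of the nine sample lines as disagreements: the signed, 0x-prefixed, whitespace-padded, negative and underscore-grouped sizes, plus the extension containing a space. The strict parser doubles as a reference for the workaround in the recommendations: a front-end that enforces this grammar cannot forward a chunk line that the lenient backend would interpret differently.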
Recommendations: For versions 2.1.0 and prior, upgrade to Waitress 2.1.1 to patch the vulnerability. As a temporary workaround, when deploying a proxy in front of Waitress, enable every option the proxy offers for enforcing that incoming requests conform to RFC 7230. Not all proxy servers provide such enforcement, so upgrading to the latest version of Waitress is the recommended fix.

Weakness Enumeration

HTTP Request/Response Smuggling

Related Identifiers

ALT-PU-2024-1367
ALT-PU-2024-1388
ALT-PU-2024-5994
AZL-43984
AZL-45060
BDU:2022-05762
CVE-2022-24761
DLA-3000-1
DSA-5138-1
GHSA-4F7P-27JC-3C36
MGASA-2022-0182
OESA-2022-1643
OPENSUSE-SU-2022_3731-1
OPENSUSE-SU-2024:11942-1
OPENSUSE-SU-2025:15108-1
PYSEC-2022-169
RHSA-2022:1253
RHSA-2022:1254
RHSA-2022:1264
SUSE-SU-2022:3583-1
SUSE-SU-2022:3635-1
SUSE-SU-2022:3731-1
SUSE-SU-2022_3731-1
USN-5364-1

Affected Products

Alt Linux
Astra Linux
Linux Mint
Red OS
SUSE
Ubuntu
Waitress