Waitress has a denial of service leading to high CPU usage/resource exhaustion
Description
Waitress is a Web Server Gateway Interface (WSGI) server for Python 2 and 3. When a remote client closes the connection before waitress has had the opportunity to call getpeername(), waitress does not correctly clean up the connection: the main thread keeps attempting to write to a socket that no longer exists, but never removes it from the list of sockets to process. This leads to a busy loop calling the write function. A remote attacker could run waitress out of available sockets with very few resources. Waitress 3.0.1 contains fixes that remove the race condition.
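The bookkeeping failure the description refers to, as an added illustration that is not waitress's own code: a hypothetical asyncore-style `Channel` registers itself in a socket map before calling getpeername(). When the peer is already gone (simulated with a constructed `ResetSocket` whose getpeername() raises ENOTCONN, so no network is involved), the unfixed channel stays in the map and is written to on every pass of the event loop, while the fixed variant (`drop_unconnected=True`) removes it immediately. The class and function names here are assumptions for this example, not waitress APIs.

```python
import errno


class ResetSocket:
    """Constructed stand-in for an accepted socket whose peer dropped the
    connection before the server recorded its address: getpeername() fails
    with ENOTCONN and every send() fails with EPIPE."""

    def __init__(self, fd):
        self._fd = fd
        self.closed = False

    def fileno(self):
        return self._fd

    def getpeername(self):
        raise OSError(errno.ENOTCONN, "Transport endpoint is not connected")

    def send(self, data):
        raise BrokenPipeError(errno.EPIPE, "Broken pipe")

    def close(self):
        self.closed = True


class Channel:
    """Hypothetical asyncore-style channel (not waitress's HTTPChannel).
    `drop_unconnected` selects the fixed bookkeeping: a channel whose peer
    is already gone is removed from the socket map at once."""

    def __init__(self, sock, socket_map, drop_unconnected):
        self.socket = sock
        self.socket_map = socket_map
        self.connected = True
        self.addr = None
        self.write_attempts = 0
        socket_map[sock.fileno()] = self          # registered before getpeername()
        try:
            self.addr = sock.getpeername()
        except OSError as err:
            if err.args[0] in (errno.ENOTCONN, errno.EINVAL):
                # Peer already closed; the channel was never really connected.
                self.connected = False
            else:
                del socket_map[sock.fileno()]
                raise
        if not self.connected and drop_unconnected:
            self.handle_close()                   # fixed behaviour

    def writable(self):
        # The unfixed channel still reports itself writable, so the event
        # loop keeps selecting it and calling handle_write().
        return True

    def handle_write(self):
        self.write_attempts += 1
        try:
            self.socket.send(b"HTTP/1.1 200 OK\r\n\r\n")
        except OSError:
            # Unfixed bookkeeping: the error is swallowed and the channel stays
            # in the map, so the next pass writes again: a busy loop.
            pass

    def handle_close(self):
        self.socket_map.pop(self.socket.fileno(), None)
        self.socket.close()


def run_event_loop(socket_map, iterations):
    """Simplified dispatcher loop: each pass asks every registered channel
    whether it is writable and, if so, lets it write. Returns the number of
    write attempts, i.e. CPU work spent on dead connections."""
    attempts = 0
    for _ in range(iterations):
        for channel in list(socket_map.values()):
            if channel.writable():
                channel.handle_write()
                attempts += 1
    return attempts


def simulate(drop_unconnected, iterations=1000):
    """Register one already-reset connection and run the loop.
    Returns (write_attempts, channels_still_registered)."""
    socket_map = {}
    Channel(ResetSocket(fd=7), socket_map, drop_unconnected)
    return run_event_loop(socket_map, iterations), len(socket_map)


if __name__ == "__main__":
    print("unfixed:", simulate(False))  # (1000, 1): spins, socket never freed
    print("fixed:  ", simulate(True))   # (0, 0): cleaned up immediately
```

The unfixed run shows both symptoms named in the advisory: every loop pass costs a failed write (CPU), and the dead channel is never released (socket exhaustion once enough such connections accumulate). The fixed run closes the channel in the constructor, so the loop never sees it.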
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| waitress (PyPI) | < 3.0.1 | 3.0.1 |
Affected products
Twenty-nine entries are listed: 28 package URLs (PURLs) and the upstream GitHub repository. None of the entries carries a CPE identifier.

| Package (PURL) | Affected range |
|---|---|
| pkg:pypi/waitress | < 3.0.1 |
| pkg:rpm/opensuse/python-waitress&distro=openSUSE%20Leap%2015.5 | < 2.1.2-150400.12.7.1 |
| pkg:rpm/opensuse/python-waitress&distro=openSUSE%20Tumbleweed | < 3.0.1-1.1 |
| pkg:rpm/opensuse/python-waitress-doc&distro=openSUSE%20Leap%2015.5 | < 2.1.2-150400.12.7.1 |
| pkg:rpm/suse/python-waitress&distro=SUSE%20Enterprise%20Storage%207.1 | < 1.4.3-150000.3.9.1 |
| pkg:rpm/suse/python-waitress&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP2-LTSS | < 1.4.3-150000.3.9.1 |
| pkg:rpm/suse/python-waitress&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP3-LTSS | < 1.4.3-150000.3.9.1 |
| pkg:rpm/suse/python-waitress&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-ESPOS | < 2.1.2-150400.12.7.1 |
| pkg:rpm/suse/python-waitress&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-LTSS | < 2.1.2-150400.12.7.1 |
| pkg:rpm/suse/python-waitress&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP5 | < 1.4.3-150000.3.9.1 |
| pkg:rpm/suse/python-waitress&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP6 | < 1.4.3-150000.3.9.1 |
| pkg:rpm/suse/python-waitress&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP5 | < 1.4.3-150000.3.9.1 |
| pkg:rpm/suse/python-waitress&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP6 | < 1.4.3-150000.3.9.1 |
| pkg:rpm/suse/python-waitress&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Python%203%2015%20SP5 | < 2.1.2-150400.12.7.1 |
| pkg:rpm/suse/python-waitress&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Python%203%2015%20SP6 | < 2.1.2-150400.12.7.1 |
| pkg:rpm/suse/python-waitress&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP2-LTSS | < 1.4.3-150000.3.9.1 |
| pkg:rpm/suse/python-waitress&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP3-LTSS | < 1.4.3-150000.3.9.1 |
| pkg:rpm/suse/python-waitress&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP4-LTSS | < 2.1.2-150400.12.7.1 |
| pkg:rpm/suse/python-waitress&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP2 | < 1.4.3-150000.3.9.1 |
| pkg:rpm/suse/python-waitress&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP3 | < 1.4.3-150000.3.9.1 |
| pkg:rpm/suse/python-waitress&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP4 | < 1.4.3-150000.3.9.1 |
| pkg:rpm/suse/python-waitress&distro=SUSE%20Manager%20Proxy%204.3 | < 1.4.3-150000.3.9.1 |
| pkg:rpm/suse/python-waitress&distro=SUSE%20Manager%20Server%204.3 | < 1.4.3-150000.3.9.1 |
| pkg:rpm/suse/python-waitress-doc&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-ESPOS | < 2.1.2-150400.12.7.1 |
| pkg:rpm/suse/python-waitress-doc&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-LTSS | < 2.1.2-150400.12.7.1 |
| pkg:rpm/suse/python-waitress-doc&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Python%203%2015%20SP5 | < 2.1.2-150400.12.7.1 |
| pkg:rpm/suse/python-waitress-doc&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Python%203%2015%20SP6 | < 2.1.2-150400.12.7.1 |
| pkg:rpm/suse/python-waitress-doc&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP4-LTSS | < 2.1.2-150400.12.7.1 |
| Pylons/waitress (GitHub repository) | < 3.0.1 |
References
- github.com/advisories/GHSA-3f84-rpwh-47g6 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-49769 (NVD advisory)
- github.com/Pylons/waitress/commit/1ae4e894c9f76543bee06584001583fc6fa8c95c (commit)
- github.com/Pylons/waitress/issues/418 (issue)
- github.com/Pylons/waitress/pull/435 (pull request)
- github.com/Pylons/waitress/security/advisories/GHSA-3f84-rpwh-47g6 (vendor advisory, confirmed)
- github.com/pypa/advisory-database/tree/main/vulns/waitress/PYSEC-2024-211.yaml (PyPA advisory database entry)
- lists.debian.org/debian-lts-announce/2024/11/msg00012.html (Debian LTS announcement)