GHSA-3f84-rpwh-47g6
Suggest an improvement- Source
- https://github.com/advisories/GHSA-3f84-rpwh-47g6
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-3f84-rpwh-47g6/GHSA-3f84-rpwh-47g6.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-3f84-rpwh-47g6
- Aliases
- Published
- 2024-10-29T14:33:00Z
- Modified
- 2024-10-29T20:08:17.984885Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- Waitress vulnerable to DoS leading to high CPU usage/resource exhaustion
- Details
-
Impact
When a remote client closes the connection before waitress has had the opportunity to call
getpeername()waitress won't correctly clean up the connection leading to the main thread attempting to write to a socket that no longer exists, but not removing it from the list of sockets to attempt to process. This leads to a busy-loop calling the write function.A remote attacker could run waitress out of available sockets with very little resources required.
Patches
Waitress 3.0.1 contains fixes that remove the race condition.
Workarounds
No work-around.
References
- https://github.com/Pylons/waitress/issues/418
- https://github.com/Pylons/waitress/pull/435
- Database specific
{ "nvd_published_at": "2024-10-29T15:15:12Z", "cwe_ids": [ "CWE-772" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2024-10-29T14:33:00Z" }- References
-
- https://github.com/Pylons/waitress/security/advisories/GHSA-3f84-rpwh-47g6
- https://nvd.nist.gov/vuln/detail/CVE-2024-49769
- https://github.com/Pylons/waitress/issues/418
- https://github.com/Pylons/waitress/pull/435
- https://github.com/Pylons/waitress/commit/1ae4e894c9f76543bee06584001583fc6fa8c95c
- https://github.com/Pylons/waitress
Affected packages
PyPI / waitress
Package
- Name
- waitress
- View open source insights on deps.dev
- Purl
- pkg:pypi/waitress
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed3.0.1
Affected versions
0.*
0.1
0.2
0.3
0.4
0.5
0.6
0.6.1
0.7
0.8
0.8.1
0.8.2
0.8.3
0.8.4
0.8.5
0.8.6
0.8.7
0.8.8
0.8.9
0.8.10
0.8.11b0
0.9.0b0
0.9.0b1
0.9.0
1.*
1.0a1
1.0a2
1.0.0
1.0.1
1.0.2
1.1.0
1.2.0b1
1.2.0b2
1.2.0b3
1.2.0
1.2.1
1.3.0b0
1.3.0
1.3.1
1.4.0
1.4.1
1.4.2
1.4.3
1.4.4
2.*
2.0.0b0
2.0.0b1
2.0.0
2.1.0b0
2.1.0
2.1.1
2.1.2
3.*
3.0.0