Bug 2065086 (CVE-2022-24761) - CVE-2022-24761 waitress: Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-24761
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Importance: high high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2065792 2065790 2065791 2065795 2065796 2065797 2065798 2065799 2099298 2124988 2124989 2124990 2258844
Blocks: 2065087
Reported: 2022-03-17 10:36 UTC by TEJ RATHI
Modified: 2024-01-25 20:27 UTC (History)
CC: 21 users

Fixed In Version: waitress 2.1.1
Doc Type: If docs needed, set a value
Doc Text:
An Inconsistent Interpretation of HTTP Requests (HTTP Request Smuggling) flaw was found in Waitress when used behind a proxy that does not properly validate the incoming HTTP request. This flaw allows an attacker to smuggle requests via the front-end proxy to Waitress, resulting in a loss of data integrity.
Clone Of:
Environment:
Last Closed: 2022-04-07 14:27:35 UTC
Embargoed:




Links
System                  ID              Private  Priority  Status  Summary  Last Updated
Red Hat Product Errata  RHSA-2022:1253  0        None      None    None     2022-04-06 09:38:09 UTC
Red Hat Product Errata  RHSA-2022:1254  0        None      None    None     2022-04-06 14:36:22 UTC
Red Hat Product Errata  RHSA-2022:1264  0        None      None    None     2022-04-07 12:05:26 UTC

Description TEJ RATHI 2022-03-17 10:36:05 UTC
When using Waitress behind a proxy that does not properly validate that the incoming HTTP request matches the RFC 7230 standard, Waitress and the front-end proxy may disagree on where one request starts and where it ends.
This would allow requests to be smuggled via the front-end proxy to Waitress and later behavior.

Affected Versions <=2.1.0.

References:
https://github.com/Pylons/waitress/security/advisories/GHSA-4f7p-27jc-3c36
https://bugs.gentoo.org/835492
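The description above turns on one point: two parsers in the request path must agree on where a request body ends, and a front-end proxy that is lenient about RFC 7230 framing lets them disagree. As an added illustration (not code from Waitress, from the advisory, or from this bug's reporter), the following Python validator shows the strict framing checks a gateway can apply so that an ambiguous request is rejected before any backend sees it. The function names and the sample requests are this example's own assumptions.

```python
"""
Strict RFC 7230 request-framing validator (added illustration, not Waitress code).

Mitigation stance: a proxy or gateway that refuses every request whose body
length two compliant parsers could compute differently leaves no room for a
front-end/back-end disagreement. Names and sample data below are constructed.
"""
import re

TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")   # RFC 7230 'token'
CHUNK_SIZE_RE = re.compile(r"^[0-9A-Fa-f]+(;.*)?$")         # chunk-size [ chunk-ext ]


class FramingError(ValueError):
    """Raised when a request's body length cannot be determined unambiguously."""


def parse_head(raw: bytes):
    """Split a raw request into (request_line, [(name, value)], body).

    Only CRLF line endings are accepted and no header continuation (obs-fold)
    or whitespace before/inside the field name is tolerated; these are the
    spots where lenient and strict parsers tend to diverge.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise FramingError("no CRLFCRLF terminating the head")
    lines = head.split(b"\r\n")
    if any(b"\n" in ln for ln in lines):
        raise FramingError("bare LF inside head")
    headers = []
    for ln in lines[1:]:
        name, colon, value = ln.partition(b":")
        if not colon or not TOKEN_RE.match(name.decode("ascii", "replace")):
            raise FramingError(f"malformed header line: {ln!r}")
        headers.append((name.decode("ascii").lower(),
                        value.strip().decode("ascii", "strict")))
    return lines[0].decode("ascii", "strict"), headers, body


def body_framing(headers):
    """Decide how the body is delimited: ("chunked", None), ("length", n) or ("none", 0).

    Follows the precedence of RFC 7230 section 3.3.3 but refuses the lenient
    fallbacks the RFC permits, because each of them is a place where two
    implementations may legitimately choose different body boundaries.
    """
    te = [v for k, v in headers if k == "transfer-encoding"]
    cl = [v for k, v in headers if k == "content-length"]
    if te and cl:
        # The RFC says Transfer-Encoding wins; a strict gateway simply rejects the pair.
        raise FramingError("both Transfer-Encoding and Content-Length present")
    if te:
        codings = [c.strip().lower() for v in te for c in v.split(",")]
        if codings != ["chunked"]:
            # 'chunked' must be the final coding; only the plain value is accepted here.
            raise FramingError(f"unsupported Transfer-Encoding: {codings}")
        return ("chunked", None)
    if cl:
        if len(cl) != 1 or "," in cl[0]:
            raise FramingError(f"repeated or list-valued Content-Length: {cl}")
        value = cl[0]
        # isdigit() alone accepts non-ASCII digits that int() would also parse.
        if not (value.isascii() and value.isdigit()):
            raise FramingError(f"non-numeric Content-Length: {value!r}")
        return ("length", int(value))
    return ("none", 0)


def decode_chunked(body: bytes) -> bytes:
    """Decode a chunked body strictly; return the payload or raise FramingError."""
    out, pos = bytearray(), 0
    while True:
        end = body.find(b"\r\n", pos)
        if end < 0:
            raise FramingError("chunk-size line not terminated")
        size_line = body[pos:end].decode("ascii", "strict")
        if not CHUNK_SIZE_RE.match(size_line):          # hex digits only, no sign/space
            raise FramingError(f"bad chunk-size line: {size_line!r}")
        size = int(size_line.split(";", 1)[0], 16)
        pos = end + 2
        if size == 0:                                   # last-chunk; no trailers accepted
            if body[pos:] != b"\r\n":
                raise FramingError("data after last-chunk")
            return bytes(out)
        chunk = body[pos:pos + size]
        if len(chunk) != size or body[pos + size:pos + size + 2] != b"\r\n":
            raise FramingError("chunk data not followed by CRLF")
        out += chunk
        pos += size + 2


def check_request(raw: bytes):
    """Validate one complete raw request; return (framing, body) or raise FramingError."""
    try:
        _line, headers, body = parse_head(raw)
        kind, length = body_framing(headers)
        if kind == "chunked":
            return kind, decode_chunked(body)
        if len(body) != length:
            raise FramingError(f"body is {len(body)} bytes, Content-Length says {length}")
        return kind, body
    except UnicodeDecodeError as exc:
        raise FramingError(f"non-ASCII bytes in head: {exc}") from None


def verdict(raw: bytes) -> str:
    """Convenience wrapper returning 'accept' or 'reject: <reason>'."""
    try:
        check_request(raw)
        return "accept"
    except FramingError as exc:
        return f"reject: {exc}"


# Constructed sample requests (not captured traffic) for a stand-alone run.
GOOD_CL = b"POST /x HTTP/1.1\r\nHost: app\r\nContent-Length: 5\r\n\r\nhello"
GOOD_TE = b"POST /x HTTP/1.1\r\nHost: app\r\nTransfer-Encoding: chunked\r\n\r\n5\r\nhello\r\n0\r\n\r\n"
BOTH_HEADERS = b"POST /x HTTP/1.1\r\nHost: app\r\nContent-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n"
SPACE_BEFORE_COLON = b"POST /x HTTP/1.1\r\nHost: app\r\nTransfer-Encoding : chunked\r\n\r\n0\r\n\r\n"
BARE_LF = b"POST /x HTTP/1.1\nHost: app\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    for label, req in [("CL", GOOD_CL), ("TE", GOOD_TE), ("CL+TE", BOTH_HEADERS),
                       ("name+space", SPACE_BEFORE_COLON), ("bare LF", BARE_LF)]:
        print(f"{label:>10}: {verdict(req)}")
```

Each rejection corresponds to a case where RFC 7230 tolerates recovery by the recipient (preferring Transfer-Encoding over Content-Length, accepting repeated identical Content-Length values, tolerating a bare LF); a gateway that instead returns 400 for all of them guarantees that it and the backend compute the same body boundary.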

Comment 1 Sage McTaggart 2022-03-18 18:03:07 UTC
Created python-waitress tracking bugs for this issue:

Affects: epel-all [bug 2065791]
Affects: fedora-all [bug 2065790]
Affects: openstack-rdo [bug 2065792]

Comment 4 errata-xmlrpc 2022-04-06 09:38:06 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.2

Via RHSA-2022:1253 https://access.redhat.com/errata/RHSA-2022:1253

Comment 5 errata-xmlrpc 2022-04-06 14:36:19 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.1

Via RHSA-2022:1254 https://access.redhat.com/errata/RHSA-2022:1254

Comment 6 errata-xmlrpc 2022-04-07 12:05:24 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 13.0 - ELS

Via RHSA-2022:1264 https://access.redhat.com/errata/RHSA-2022:1264

Comment 7 Product Security DevOps Team 2022-04-07 14:27:32 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-24761

