VDB

GCVE-VVD-MAGEIA-2022-182

GCVE-VVD-MAGEIA-2022-182
Advisory Published
Vulnetix · Advisory published May 15, 2022
When using Waitress versions 2.1.0 and prior behind a proxy that does not properly validate the incoming HTTP request matches the RFC7230 standard, Waitress and the frontend proxy may disagree on where one request starts and where it ends. This would allow requests to be smuggled via the front-end proxy to waitress and later behavior. There are two classes of vulnerability that may lead to request smuggling that are addressed by this advisory: The use of Python’s `int()` to parse strings into integers, leading to `+10` to be parsed as `10`, or `0x01` to be parsed as `1`, where as the standard specifies that the string should contain only digits or hex digits; and Waitress does not support chunk extensions, however it was discarding them without validating that they did not contain illegal characters. This vulnerability has been patched in Waitress 2.1.1
Download JSON Open in Console

Affected Products

VendorProductVersionsPlatforms
Mageiapython-waitress0 (affected), 2.1.1-1.mga8 (unaffected)

Aliases

CVE-2022-24761

Transitive aliases

GHSA-4f7p-27jc-3c36CVE-2022-31015MSRC_CVE-2022-31015PYSEC-2022-205GHSA-f5x9-8jwc-25rwOPENSUSE-SU-2025:15108-1BDU:2022-05762CNVD-2022-21483GSD-2022-31015OPENSUSE-SU-2024:12346-1

References

Updated python-waitress packages fix security vulnerability
advisory
Updated python-waitress packages fix security vulnerability
issue
Updated python-waitress packages fix security vulnerability
advisory

Browse GCVE Records

100 records in the GCVE database · Updated April 16, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

Open in Console Download JSON
$ Console Community · 100/wk Open console ›