CVE-2022-24761

Advisory

Pheonix-waitress 2.1.1 includes a fix for CVE-2022-24761: When using Waitress versions 2.1.0 and prior behind a proxy that does not properly validate the incoming HTTP request matches the RFC7230 standard, Waitress and the frontend proxy may disagree on where one request starts and where it ends. This would allow requests to be smuggled via the front-end proxy to waitress and later behavior. There are two classes of vulnerability that may lead to request smuggling that are addressed by this advisory: The use of Python's 'int()' to parse strings into integers, leading to '+10' to be parsed as '10'', or '0x01' to be parsed as '1', where as the standard specifies that the string should contain only digits or hex digits; and Waitress does not support chunk extensions, however it was discarding them without validating that they did not contain illegal characters. A workaround is available. When deploying a proxy in front of waitress, turning on functionality to make sure that the request matches the RFC7230 standard. Certain proxy servers may not have this functionality.
https://github.com/Pylons/waitress/security/advisories/GHSA-4f7p-27jc-3c36

Affected package

Affected versions

Fixed versions

Vulnerability changelog

-----

Security Bugfix
~~~~~~~~~~~~~~~

- Waitress now validates that chunked encoding extensions are valid, and don't
contain invalid characters that are not allowed. They are still skipped/not
processed, but if they contain invalid data we no longer continue in and
return a 400 Bad Request. This stops potential HTTP desync/HTTP request
smuggling. Thanks to Zhang Zeyu for reporting this issue. See
https://github.com/Pylons/waitress/security/advisories/GHSA-4f7p-27jc-3c36

- Waitress now validates that the chunk length is only valid hex digits when
parsing chunked encoding, and values such as ``0x01`` and ``+01`` are no
longer supported. This stops potential HTTP desync/HTTP request smuggling.
Thanks to Zhang Zeyu for reporting this issue. See
https://github.com/Pylons/waitress/security/advisories/GHSA-4f7p-27jc-3c36

- Waitress now validates that the Content-Length sent by a remote contains only
digits in accordance with RFC7230 and will return a 400 Bad Request when the
Content-Length header contains invalid data, such as ``+10`` which would
previously get parsed as ``10`` and accepted. This stops potential HTTP
desync/HTTP request smuggling Thanks to Zhang Zeyu for reporting this issue. See
https://github.com/Pylons/waitress/security/advisories/GHSA-4f7p-27jc-3c36

Resources

• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24761
• https://github.com/Pylons/waitress/commit/9e0b8c801e4d505c2ffc91b891af4ba48af715e0
• https://github.com/Pylons/waitress/security/advisories/GHSA-4f7p-27jc-3c36
• https://github.com/Pylons/waitress/releases/tag/v2.1.1
• https://lists.debian.org/debian-lts-announce/2022/05/msg00011.html
• https://www.debian.org/security/2022/dsa-5138