PyPi: Waitress

CVE-2022-31015

Safety vulnerability ID: 49257

This vulnerability was reviewed by experts

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at May 31, 2022 Updated at Nov 29, 2024

Scan your Python projects for vulnerabilities →

Advisory

Waitress 2.1.2 includes a fix for CVE-2022-31015: Waitress versions 2.1.0 and 2.1.1 may terminate early due to a thread closing a socket while the main thread is about to call select(). This will lead to the main thread raising an exception that is not handled and then causing the entire application to be killed. This issue has been fixed in Waitress 2.1.2 by no longer allowing the WSGI thread to close the socket. Instead, that is always delegated to the main thread. There is no workaround for this issue, however, users using waitress behind a reverse proxy server are less likely to have issues if the reverse proxy always reads the full response.
https://github.com/Pylons/waitress/security/advisories/GHSA-f5x9-8jwc-25rw

Affected package

waitress

Latest version: 3.0.2

Waitress WSGI server

Affected versions

Fixed versions

Vulnerability changelog

Waitress is a Web Server Gateway Interface server for Python 2 and 3. Waitress versions 2.1.0 and 2.1.1 may terminate early due to a thread closing a socket while the main thread is about to call select(). This will lead to the main thread raising an exception that is not handled and then causing the entire application to be killed. This issue has been fixed in Waitress 2.1.2 by no longer allowing the WSGI thread to close the socket. Instead, that is always delegated to the main thread. There is no work-around for this issue. However, users using waitress behind a reverse proxy server are less likely to have issues if the reverse proxy always reads the full response. See CVE-2022-31015.

CONFIRM:https://github.com/Pylons/waitress/security/advisories/GHSA-f5x9-8jwc-25rw: https://github.com/Pylons/waitress/security/advisories/GHSA-f5x9-8jwc-25rw
MISC:https://github.com/Pylons/waitress/commit/4f6789b035610e0552738cdc4b35ca809a592d48: https://github.com/Pylons/waitress/commit/4f6789b035610e0552738cdc4b35ca809a592d48
MISC:https://github.com/Pylons/waitress/issues/374: https://github.com/Pylons/waitress/issues/374
MISC:https://github.com/Pylons/waitress/pull/377: https://github.com/Pylons/waitress/pull/377

Resources

Use this package?

Scan your Python project for dependency vulnerabilities in two minutes

Scan your application

Severity Details

CVSS Base Score

MEDIUM 5.9

CVSS v3 Details

MEDIUM 5.9

Attack Vector (AV): NETWORK
Attack Complexity (AC): HIGH
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality Impact (C): NONE
Integrity Impact (I): NONE
Availability Availability (A): HIGH

CVSS v2 Details

MEDIUM 4.3

Access Vector (AV): NETWORK
Access Complexity (AC): MEDIUM
Authentication (Au): NONE
Confidentiality Impact (C): NONE
Integrity Impact (I): NONE
Availability Impact (A): PARTIAL