CVE Vulnerability

CVE-2022-31015

Waitress is a Web Server Gateway Interface server for Python 2 and 3. Waitress versions 2.1.0 and 2.1.1 may terminate early due to a thread closing a socket while the main thread is about to call select(). This will lead to the main thread raising an exception that is not handled and then causing the entire application to be killed. This issue has been fixed in Waitress 2.1.2 by no longer allowing the WSGI thread to close the socket. Instead, that is always delegated to the main thread. There is no work-around for this issue. However, users using waitress behind a reverse proxy server are less likely to have issues if the reverse proxy always reads the full response.

4.3 /10

CVSS v2.0 :

V3 Legend

Vector :

Exploitability : 8.6 / Impact : 2.9

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact PARTIAL

Scope

5.9 /10

CVSS v3.0 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.2 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://github.com/Pylons/waitress/pull/377 Issue Tracking Patch
https://github.com/Pylons/waitress/issues/374 Exploit Issue Tracking
https://github.com/Pylons/waitress/security/advisories/GHSA-f5x9-8jwc-25rw Third Party Advisory
https://github.com/Pylons/waitress/commit/4f6789b035610e0552738cdc4b35ca809a592d48 Patch Third Party Advisory
Configurations

Configuration 1

cpe:2.3:a:agendaless:waitress:*:*:*:*:*:*:*:*
Information

Published : 2022-05-31 11:15

Updated : 2022-06-14 07:12

NVD link : CVE-2022-31015

Mitre link : CVE-2022-31015

Products Affected
No products.
CWE
CWE-248

Uncaught Exception

CWE-362