NVD Vulnerability Detail

CVE-2024-49768

Summary	Waitress is a Web Server Gateway Interface server for Python 2 and 3. A remote client may send a request that is exactly recv_bytes (defaults to 8192) long, followed by a secondary request using HTTP pipelining. When request lookahead is disabled (default) we won't read any more requests, and when the first request fails due to a parsing error, we simply close the connection. However when request lookahead is enabled, it is possible to process and receive the first request, start sending the error message back to the client while we read the next request and queue it. This will allow the secondary request to be serviced by the worker thread while the connection should be closed. Waitress 3.0.1 fixes the race condition. As a workaround, disable channel_request_lookahead, this is set to 0 by default disabling this feature.
Publication Date	Oct. 30, 2024, 12:15 a.m.
Registration Date	Oct. 30, 2024, 5 a.m.
Last Update	Nov. 8, 2024, 2:28 a.m.

Affected software configurations

Configuration1		or higher	or less	more than	less than
cpe:2.3:a:agendaless:waitress::::::::		2.0.0			3.0.1

Related information, measures and tools

No	URL	refsource	タグ
1	https://github.com/Pylons/waitress/security/advisories/GHSA-9298-4cf8-g4wj		Vendor Advisory
2	https://github.com/Pylons/waitress/commit/e4359018537af376cf24bd13616d861e2fb76f65		Patch

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-367	Time-of-check Time-of-use (TOCTOU) 競合状態	https://cwe.mitre.org/data/definitions/367.html
2	CWE-444	HTTP リクエストスマグリング	https://cwe.mitre.org/data/definitions/444.html

JVN Vulnerability Information

Agendaless Consulting の Waitress における Time-of-check Time-of-use (TOCTOU) 競合状態の脆弱性

Title	Agendaless Consulting の Waitress における Time-of-check Time-of-use (TOCTOU) 競合状態の脆弱性
Summary	Agendaless Consulting の Waitress には、Time-of-check Time-of-use (TOCTOU) 競合状態の脆弱性、HTTP リクエストスマグリングに関する脆弱性が存在します。
Possible impacts	情報を取得される、および情報を改ざんされる可能性があります。
Solution	ベンダアドバイザリまたはパッチ情報が公開されています。参考情報を参照して適切な対策を実施してください。
Publication Date	Oct. 29, 2024, midnight
Registration Date	Nov. 8, 2024, 10:27 a.m.
Last Update	Nov. 8, 2024, 10:27 a.m.

Affected System

Agendaless Consulting

Waitress 2.0.0 以上 3.0.1 未満

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2024-49768	https://www.cve.org/CVERecord?id=CVE-2024-49768
National Vulnerability Database (NVD)
2	CVE-2024-49768	https://nvd.nist.gov/vuln/detail/CVE-2024-49768

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-367	https://cwe.mitre.org/data/definitions/367.html
2	CWE-444	https://cwe.mitre.org/data/definitions/444.html

その他

No	Name	URL
関連文書
1	github.com (e4359018537af376cf24bd13616d861e2fb76f65)	https://github.com/Pylons/waitress/commit/e4359018537af376cf24bd13616d861e2fb76f65
2	github.com (GHSA-9298-4cf8-g4wj)	https://github.com/Pylons/waitress/security/advisories/GHSA-9298-4cf8-g4wj

Change Log

No	Changed Details	Date of change
1	[2024年11月08日] 掲載	Nov. 8, 2024, 10:27 a.m.