We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.

Please see our statement on Data Privacy.

Crisp.chat (Helpdesk and Chat)

Ok

THREATINT
PUBLISHED

CVE-2024-49769

Waitress has a denial of service leading to high CPU usage/resource exhaustion



Description

Waitress is a Web Server Gateway Interface server for Python 2 and 3. When a remote client closes the connection before waitress has had the opportunity to call getpeername() waitress won't correctly clean up the connection leading to the main thread attempting to write to a socket that no longer exists, but not removing it from the list of sockets to attempt to process. This leads to a busy-loop calling the write function. A remote attacker could run waitress out of available sockets with very little resources required. Waitress 3.0.1 contains fixes that remove the race condition.

Reserved 2024-10-18 | Published 2024-10-29 | Updated 2024-11-17 | Assigner GitHub_M


HIGH: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Problem types

CWE-772: Missing Release of Resource after Effective Lifetime

Product status

< 3.0.1
affected

References

github.com/...itress/security/advisories/GHSA-3f84-rpwh-47g6

github.com/Pylons/waitress/issues/418

github.com/Pylons/waitress/pull/435

github.com/...ommit/1ae4e894c9f76543bee06584001583fc6fa8c95c

cve.org (CVE-2024-49769)

nvd.nist.gov (CVE-2024-49769)

Download JSON

Share this page
https://cve.threatint.eu/CVE/CVE-2024-49769

Support options

Helpdesk Chat, Email, Knowledgebase