#VU61488 Inconsistent interpretation of HTTP requests in waitress - CVE-2022-24761
Published: March 21, 2022
waitress
Pylons Project
Description
The vulnerability allows a remote attacker to perform HTTP request smuggling attacks.
The vulnerability exists due to improper validation of whether an incoming HTTP request conforms to the RFC 7230 standard. A remote attacker can send a specially crafted HTTP request to the server and smuggle arbitrary HTTP headers.
Successful exploitation of the vulnerability may allow an attacker to poison the HTTP cache and perform phishing attacks.
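A defensive illustration of the validation gap described above, as an added example that is not from this advisory or the waitress project: a strict check of request framing headers against the RFC 7230 grammar. The advisory does not say which fields were mishandled, so the choice of checks, the function name `framing_errors` and the sample requests are assumptions.

```python
import re

# RFC 7230 grammar: field-name is a token, Content-Length is 1*DIGIT.
TOKEN = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
DIGITS = re.compile(rb"[0-9]+")


def framing_errors(raw_head: bytes) -> list[str]:
    """Return the RFC 7230 framing violations found in a raw request head."""
    errors = []
    if b"\n" in raw_head.replace(b"\r\n", b""):
        errors.append("bare LF line terminator")
    lines = raw_head.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
    lengths, has_te = set(), False
    for line in lines[1:]:  # skip the request line
        if line[:1] in (b" ", b"\t"):
            errors.append("obsolete line folding")
            continue
        name, sep, value = line.partition(b":")
        if not sep or not TOKEN.fullmatch(name):
            # Also catches whitespace before the colon ("Content-Length : 5").
            errors.append(f"invalid field-name {name!r}")
            continue
        name, value = name.lower(), value.strip(b" \t")
        if name == b"content-length":
            # Python's int() would accept b"+5", b"5_0" or b" 5 "; the grammar does not.
            if DIGITS.fullmatch(value):
                lengths.add(int(value))
            else:
                errors.append(f"invalid Content-Length {value!r}")
        elif name == b"transfer-encoding":
            has_te = True
    if len(lengths) > 1:
        errors.append("conflicting Content-Length values")
    if has_te and lengths:
        errors.append("both Transfer-Encoding and Content-Length present")
    return errors


# Constructed sample request heads (not captured traffic).
GOOD = b"POST /a HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\n"
BAD = (b"POST /a HTTP/1.1\r\nHost: example.test\r\n"
       b"Content-Length: +5\r\nTransfer-Encoding : chunked\r\n\r\n")

if __name__ == "__main__":
    print(framing_errors(GOOD))
    print(framing_errors(BAD))
```

A front end and back end that both reject any request for which this list is non-empty cannot disagree about where that request ends, which is the disagreement request smuggling depends on.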