Inconsistent interpretation of HTTP requests in waitress - CVE-2022-24761
Published: March 21, 2022
Vulnerability identifier: #VU61488
CSH Severity: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2022-24761
CWE-ID: CWE-444
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Software vendor:
Pylons Project
Pylons Project
Vulnerable software:
waitress
waitress
Detailed vulnerability description
The vulnerability allows a remote attacker to preform HTTP request smuggling attacks.
The vulnerability exists due to improper validating if the incoming HTTP request matches the RFC7230 standard. A remote attacker can send a specially crafted HTTP request to the server and smuggle arbitrary HTTP headers.
Successful exploitation of vulnerability may allow an attacker to poison HTTP cache and perform phishing attacks.
How to mitigate CVE-2022-24761
Install updates from vendor's website.