Vulnerability Details CVE-2024-49769
Waitress is a Web Server Gateway Interface server for Python 2 and 3. When a remote client closes the connection before waitress has had the opportunity to call getpeername() waitress won't correctly clean up the connection leading to the main thread attempting to write to a socket that no longer exists, but not removing it from the list of sockets to attempt to process. This leads to a busy-loop calling the write function. A remote attacker could run waitress out of available sockets with very little resources required. Waitress 3.0.1 contains fixes that remove the race condition.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.003
EPSS Ranking 48.5%
CVSS Severity
CVSS v3 Score 7.5
References
- https://github.com/Pylons/waitress/commit/1ae4e894c9f76543bee06584001583fc6fa8c95c
- https://github.com/Pylons/waitress/issues/418
- https://github.com/Pylons/waitress/pull/435
- https://github.com/Pylons/waitress/security/advisories/GHSA-3f84-rpwh-47g6
- https://lists.debian.org/debian-lts-announce/2024/11/msg00012.html
Products affected by CVE-2024-49769
-
cpe:2.3:a:agendaless:waitress:-
-
cpe:2.3:a:agendaless:waitress:0.1
-
cpe:2.3:a:agendaless:waitress:0.2
-
cpe:2.3:a:agendaless:waitress:0.3
-
cpe:2.3:a:agendaless:waitress:0.4
-
cpe:2.3:a:agendaless:waitress:0.5
-
cpe:2.3:a:agendaless:waitress:0.6
-
cpe:2.3:a:agendaless:waitress:0.6.1
-
cpe:2.3:a:agendaless:waitress:0.7
-
cpe:2.3:a:agendaless:waitress:0.8
-
cpe:2.3:a:agendaless:waitress:0.8.1
-
cpe:2.3:a:agendaless:waitress:0.8.10
-
cpe:2.3:a:agendaless:waitress:0.8.11
-
cpe:2.3:a:agendaless:waitress:0.8.2
-
cpe:2.3:a:agendaless:waitress:0.8.3
-
cpe:2.3:a:agendaless:waitress:0.8.4
-
cpe:2.3:a:agendaless:waitress:0.8.5
-
cpe:2.3:a:agendaless:waitress:0.8.6
-
cpe:2.3:a:agendaless:waitress:0.8.7
-
cpe:2.3:a:agendaless:waitress:0.8.8
-
cpe:2.3:a:agendaless:waitress:0.8.9
-
cpe:2.3:a:agendaless:waitress:0.9.0
-
cpe:2.3:a:agendaless:waitress:1.0.0
-
cpe:2.3:a:agendaless:waitress:1.0.1
-
cpe:2.3:a:agendaless:waitress:1.0.2
-
cpe:2.3:a:agendaless:waitress:1.1.0
-
cpe:2.3:a:agendaless:waitress:1.2.0
-
cpe:2.3:a:agendaless:waitress:1.2.1
-
cpe:2.3:a:agendaless:waitress:1.3.0
-
cpe:2.3:a:agendaless:waitress:1.3.1
-
cpe:2.3:a:agendaless:waitress:1.4.0
-
cpe:2.3:a:agendaless:waitress:1.4.1
-
cpe:2.3:a:agendaless:waitress:1.4.2
-
cpe:2.3:a:agendaless:waitress:1.4.3
-
cpe:2.3:a:agendaless:waitress:1.4.4
-
cpe:2.3:a:agendaless:waitress:2.0.0
-
cpe:2.3:a:agendaless:waitress:2.1.0
-
cpe:2.3:a:agendaless:waitress:2.1.1
-
cpe:2.3:a:agendaless:waitress:2.1.2
-
cpe:2.3:a:agendaless:waitress:3.0.0