Vulnerabilities > Agendaless
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2024-10-29 | CVE-2024-49768 | Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Agendaless Waitress Waitress is a Web Server Gateway Interface server for Python 2 and 3. | 4.8 |
2024-10-29 | CVE-2024-49769 | Unspecified vulnerability in Agendaless Waitress Waitress is a Web Server Gateway Interface server for Python 2 and 3. | 7.5 |
2023-08-25 | CVE-2023-40587 | Pyramid is an open source Python web framework. | 5.3 |
2022-05-31 | CVE-2022-31015 | Unspecified vulnerability in Agendaless Waitress 2.1.0/2.1.1 Waitress is a Web Server Gateway Interface server for Python 2 and 3. | 5.9 |
2022-03-17 | CVE-2022-24761 | HTTP Request Smuggling vulnerability in multiple products Waitress is a Web Server Gateway Interface server for Python 2 and 3. | 7.5 |
2020-02-04 | CVE-2020-5236 | Resource Exhaustion vulnerability in Agendaless Waitress 1.4.2 Waitress version 1.4.2 allows a DOS attack When waitress receives a header that contains invalid characters. | 6.5 |
2020-01-22 | CVE-2019-16792 | HTTP Request Smuggling vulnerability in multiple products Waitress through version 1.3.1 allows request smuggling by sending the Content-Length header twice. | 7.5 |
2019-12-26 | CVE-2019-16789 | HTTP Request Smuggling vulnerability in multiple products In Waitress through version 1.4.0, if a proxy server is used in front of waitress, an invalid request may be sent by an attacker that bypasses the front-end and is parsed differently by waitress leading to a potential for HTTP request smuggling. | 8.2 |
2019-12-20 | CVE-2019-16786 | HTTP Request Smuggling vulnerability in multiple products Waitress through version 1.3.1 would parse the Transfer-Encoding header and only look for a single string value, if that value was not chunked it would fall through and use the Content-Length header instead. | 7.5 |
2019-12-20 | CVE-2019-16785 | HTTP Request Smuggling vulnerability in multiple products Waitress through version 1.3.1 implemented a "MAY" part of the RFC7230 which states: "Although the line terminator for the start-line and header fields is the sequence CRLF, a recipient MAY recognize a single LF as a line terminator and ignore any preceding CR." Unfortunately if a front-end server does not parse header fields with an LF the same way as it does those with a CRLF it can lead to the front-end and the back-end server parsing the same HTTP message in two different ways. | 7.5 |