Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2022-31015

Waitress is a Web Server Gateway Interface server for Python 2 and 3. Waitress versions 2.1.0 and 2.1.1 may terminate early due to a thread closing a socket while the main thread is about to call select(). This will lead to the main thread raising an exception that is not handled and then causing the entire application to be killed. This issue has been fixed in Waitress 2.1.2 by no longer allowing the WSGI thread to close the socket. Instead, that is always delegated to the main thread. There is no work-around for this issue. However, users using waitress behind a reverse proxy server are less likely to have issues if the reverse proxy always reads the full response.

Security Impact Summary

This vulnerability carries a MEDIUM severity rating with a CVSS v3.1 score of 6.5, indicating it can be exploited remotely over the network with relatively low complexity without requiring user interaction requiring only low-level privileges . The vulnerability impacts and availability (service disruption) for affected systems. Impacting 1 product from agendaless organizations running these solutions should prioritize assessment and patching.

Historical Context

Reported in 2022, this vulnerability emerged during an era marked by increased sophistication in supply chain attacks, cloud infrastructure vulnerabilities, and software-as-a-service (SaaS) security challenges. Security practices during this period emphasized zero-trust architectures, container security, and API protection.

Published

2022-05-31T23:15:07.960

Last Modified

2024-11-21T07:03:43.063

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 6.5 (MEDIUM)

CVSSv2 Vector

AV:N/AC:M/Au:N/C:N/I:N/A:P

Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL

Exploitability Score

8.6

Impact Score

2.9

Weaknesses

Type: Secondary
CWE-248
CWE-362

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	agendaless	waitress	< 2.1.2	Yes

References

https://github.com/Pylons/waitress/commit/4f6789b035610e0552738cdc4b35ca809a592d48 Patch, Third Party Advisory ([email protected])
https://github.com/Pylons/waitress/issues/374 Exploit, Issue Tracking, Patch, Third Party Advisory ([email protected])
https://github.com/Pylons/waitress/pull/377 Issue Tracking, Patch, Third Party Advisory ([email protected])
https://github.com/Pylons/waitress/security/advisories/GHSA-f5x9-8jwc-25rw Third Party Advisory ([email protected])
https://github.com/Pylons/waitress/commit/4f6789b035610e0552738cdc4b35ca809a592d48 Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/Pylons/waitress/issues/374 Exploit, Issue Tracking, Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/Pylons/waitress/pull/377 Issue Tracking, Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/Pylons/waitress/security/advisories/GHSA-f5x9-8jwc-25rw Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)

How SecUtils Interprets This CVE

SecUtils normalizes and enriches National Vulnerability Database (NVD) records by standardizing vendor and product identifiers, aggregating vulnerability metadata from both NVD and MITRE sources, and providing structured context for security teams. For agendaless's affected products, we extract Common Platform Enumeration (CPE) data, Common Weakness Enumeration (CWE) classifications, CVSS severity metrics, and reference data to enable rapid vulnerability prioritization and asset correlation. This record contains no exploit code, proof-of-concept instructions, or attack methodologies—only defensive intelligence necessary for patch management, risk assessment, and security operations.