
Update requirements.txt#33

Open
bandarisantosh wants to merge 1 commit into main from bandarisantosh-patch-26

Conversation

@bandarisantosh
Owner

No description provided.

MarkupSafe==2.0.1
requests==2.27.1
urllib3==1.26.8
waitress==2.1.1 // nosemgrep
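Review bot: the trailing `// nosemgrep` on the waitress line is not comment syntax in pip's requirements format, which only recognises `#`, so `waitress==2.1.1 // nosemgrep` will be rejected as an invalid requirement when the file is installed; the marker also reads as an attempt to silence the scanner rather than resolve the finding, while both vulnerability findings on this line ask for an upgrade to at least 3.0.1. Suggest dropping the marker and changing the line to `waitress>=3.0.1` (or a pin at 3.0.1 or later); note that the separate license finding is not addressed by an upgrade and needs its own resolution.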

Critical severity vulnerability may affect your project—review required:
Line 11 lists a dependency (waitress) with a known Critical severity vulnerability.

ℹ️ Why this matters

Affected versions of waitress are vulnerable to Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') / Time-of-check Time-of-use (TOCTOU) Race Condition. When request lookahead is enabled, it is possible for an attacker to send a first request that errors out, as well as a second request that is serviced by the worker thread while the connection should be closed. This finding is specific to the command line tool waitress-serve.

References: GHSA, CVE

To resolve this comment:
Check if you have set --channel-request-lookahead to any value other than 0, e.g. waitress-serve --channel-request-lookahead=4.

  • If you're affected, upgrade this dependency to at least version 3.0.1 at requirements.txt.
  • If you're not affected, comment /fp we don't use this [condition]

You can view more details on this finding in the Semgrep AppSec Platform here.

Legal Risk

waitress 2.1.1 was released under the ZPL-2.1 license, a license that
is currently prohibited by your organization. Merging is blocked until this is resolved.

Recommendation

Reach out to your security team or Semgrep admin to address this issue. In special cases, exceptions may be made for dependencies with violating licenses, however, the general recommendation is to avoid using a dependency under such a license.

High severity vulnerability introduced by a package you're using:
Line 11 lists a dependency (waitress) with a known High severity vulnerability. Fixing requires upgrading or replacing the dependency.

ℹ️ Why this matters

Affected versions of waitress are vulnerable to Missing Release of Resource after Effective Lifetime. It is possible for a remote client to close the connection before waitress is done cleaning up said connection. If this happens, the main thread will continuously attempt to write to a socket that no longer exists, leading to a busy loop. An attacker could, with few resources, take up all available sockets from waitress this way.

References: GHSA, CVE

To resolve this comment:
Upgrade this dependency to at least version 3.0.1 at requirements.txt.

You can view more details on this finding in the Semgrep AppSec Platform here.