CVE-2023-47641 – Inconsistent interpretation of `Content-Length` vs. `Transfer-Encoding` in aiohttp
https://notcve.org/view.php?id=CVE-2023-47641
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Affected versions of aiohttp have a security vulnerability regarding the inconsistent interpretation of the http protocol. HTTP/1.1 is a persistent protocol, if both Content-Length(CL) and Transfer-Encoding(TE) header values are present it can lead to incorrect interpretation of two entities that parse the HTTP and we can poison other sockets with this incorrect interpretation. A possible Proof-of-Concept (POC) would be a configuration with a reverse proxy(frontend) that accepts both CL and TE headers and aiohttp as backend. As aiohttp parses anything with chunked, we can pass a chunked123 as TE, the frontend entity will ignore this header and will parse Content-Length. • https://github.com/aio-libs/aiohttp/commit/f016f0680e4ace6742b03a70cb0382ce86abe371 https://github.com/aio-libs/aiohttp/security/advisories/GHSA-xx9p-xxvh-7g8j • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •
CVE-2023-37276 – aiohttp vulnerable to HTTP request smuggling
https://notcve.org/view.php?id=CVE-2023-37276
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. aiohttp v3.8.4 and earlier are bundled with llhttp v6.0.6. Vulnerable code is used by aiohttp for its HTTP request parser when available which is the default case when installing from a wheel. This vulnerability only affects users of aiohttp as an HTTP server (ie `aiohttp.Application`), you are not affected by this vulnerability if you are using aiohttp as an HTTP client library (ie `aiohttp.ClientSession`). Sending a crafted HTTP request will cause the server to misinterpret one of the HTTP header values leading to HTTP request smuggling. This issue has been addressed in version 3.8.5. • https://github.com/aio-libs/aiohttp/blob/v3.8.4/.gitmodules https://github.com/aio-libs/aiohttp/commit/9337fb3f2ab2b5f38d7e98a194bde6f7e3d16c40 https://github.com/aio-libs/aiohttp/security/advisories/GHSA-45c4-8wx5-qw6w https://hackerone.com/reports/2001873 https://access.redhat.com/security/cve/CVE-2023-37276 https://bugzilla.redhat.com/show_bug.cgi?id=2224185 • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •
CVE-2022-33124
https://notcve.org/view.php?id=CVE-2022-33124
AIOHTTP 3.8.1 can report a "ValueError: Invalid IPv6 URL" outcome, which can lead to a Denial of Service (DoS). NOTE: multiple third parties dispute this issue because there is no example of a context in which denial of service would occur, and many common contexts have exception handing in the calling application ** EN DISPUTA ** AIOHTTP 3.8.1 puede reportar un "ValueError: Invalid IPv6 URL", que puede llevar a una denegación de servicio (DoS). NOTA: múltiples terceros disputan esta cuestión porque no hay ningún ejemplo de un contexto en el que se produciría una denegación de servicio, y muchos contextos comunes tienen manejo de excepciones en la aplicación que llama • https://github.com/aio-libs/aiohttp/issues/6772 •
CVE-2021-21330 – Open redirect vulnerability in aiohttp
https://notcve.org/view.php?id=CVE-2021-21330
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In aiohttp before version 3.7.4 there is an open redirect vulnerability. A maliciously crafted link to an aiohttp-based web-server could redirect the browser to a different website. It is caused by a bug in the `aiohttp.web_middlewares.normalize_path_middleware` middleware. This security problem has been fixed in 3.7.4. • https://github.com/aio-libs/aiohttp/blob/master/CHANGES.rst#374-2021-02-25 https://github.com/aio-libs/aiohttp/commit/2545222a3853e31ace15d87ae0e2effb7da0c96b https://github.com/aio-libs/aiohttp/security/advisories/GHSA-v6wp-4m6f-gcjg https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FU7ENI54JNEK3PHEFGCE46DGMFNTVU6L https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JN3V7CZJRT4QFCVXB6LDPCJH7NAOFCA5 https://pypi.org/project/aiohttp https://secu • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVE-2018-1000814
https://notcve.org/view.php?id=CVE-2018-1000814
aio-libs aiohttp-session version 2.6.0 and earlier contains a Other/Unknown vulnerability in EncryptedCookieStorage and NaClCookieStorage that can result in Non-expiring sessions / Infinite lifespan. This attack appear to be exploitable via Recreation of a cookie post-expiry with the same value. aio-libs aiohttp-session, en versiones 2.6.0 y anteriores, contiene una vulnerabilidad desconocida en EncryptedCookieStorage y NaClCookieStorage que puede resultar en sesiones que no expiran/infinitas. El ataque parece ser explotable mediante la recreación de una cookie tras la expiración con el mismo valor. • https://github.com/aio-libs/aiohttp-session/issues/325 https://github.com/aio-libs/aiohttp-session/pull/331 • CWE-613: Insufficient Session Expiration •