CVE-2023-49081 – aiohttp's ClientSession is vulnerable to CRLF injection via version
https://notcve.org/view.php?id=CVE-2023-49081
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Improper validation made it possible for an attacker to modify the HTTP request (e.g. to insert a new header) or create a new HTTP request if the attacker controls the HTTP version. The vulnerability only occurs if the attacker can control the HTTP version of the request. This issue has been patched in version 3.9.0. aiohttp es un framework cliente/servidor HTTP asíncrono para asyncio y Python. Una validación incorrecta hizo posible que un atacante modificara la solicitud HTTP (por ejemplo, para insertar un nuevo encabezado) o creara una nueva solicitud HTTP si el atacante controla la versión HTTP. • https://gist.github.com/jnovikov/184afb593d9c2114d77f508e0ccd508e https://github.com/aio-libs/aiohttp/commit/1e86b777e61cf4eefc7d92fa57fa19dcc676013b https://github.com/aio-libs/aiohttp/pull/7835/files https://github.com/aio-libs/aiohttp/security/advisories/GHSA-q3qx-c6g2-7pw2 https://access.redhat.com/security/cve/CVE-2023-49081 https://bugzilla.redhat.com/show_bug.cgi?id=2252235 • CWE-20: Improper Input Validation •
CVE-2023-49082 – aiohttp's ClientSession is vulnerable to CRLF injection via method
https://notcve.org/view.php?id=CVE-2023-49082
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Improper validation makes it possible for an attacker to modify the HTTP request (e.g. insert a new header) or even create a new HTTP request if the attacker controls the HTTP method. The vulnerability occurs only if the attacker can control the HTTP method (GET, POST etc.) of the request. If the attacker can control the HTTP version of the request it will be able to modify the request (request smuggling). This issue has been patched in version 3.9.0. aiohttp es un framework cliente/servidor HTTP asíncrono para asyncio y Python. • https://gist.github.com/jnovikov/7f411ae9fe6a9a7804cf162a3bdbb44b https://github.com/aio-libs/aiohttp/commit/e4ae01c2077d2cfa116aa82e4ff6866857f7c466 https://github.com/aio-libs/aiohttp/pull/7806/files https://github.com/aio-libs/aiohttp/security/advisories/GHSA-qvrw-v9rv-5rjx https://access.redhat.com/security/cve/CVE-2023-49082 https://bugzilla.redhat.com/show_bug.cgi?id=2252248 • CWE-20: Improper Input Validation CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection') •
CVE-2023-47627 – Request smuggling in aiohttp
https://notcve.org/view.php?id=CVE-2023-47627
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. The HTTP parser in AIOHTTP has numerous problems with header parsing, which could lead to request smuggling. This parser is only used when AIOHTTP_NO_EXTENSIONS is enabled (or not using a prebuilt wheel). These bugs have been addressed in commit `d5c12ba89` which has been included in release version 3.8.6. Users are advised to upgrade. • https://github.com/aio-libs/aiohttp/commit/d5c12ba890557a575c313bb3017910d7616fce3d https://github.com/aio-libs/aiohttp/security/advisories/GHSA-gfw2-4jvh-wgfg https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FUSJVQ7OQ55RWL4XAX2F5EZ73N4ZSH6U https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VDKQ6HM3KNDU4OQI476ZWT4O7DMSIT35 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WQYQL6WV535EEKSNH7KRARLLMOW5WXDM https://access.redhat.co • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •
CVE-2023-47641 – Inconsistent interpretation of `Content-Length` vs. `Transfer-Encoding` in aiohttp
https://notcve.org/view.php?id=CVE-2023-47641
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Affected versions of aiohttp have a security vulnerability regarding the inconsistent interpretation of the http protocol. HTTP/1.1 is a persistent protocol, if both Content-Length(CL) and Transfer-Encoding(TE) header values are present it can lead to incorrect interpretation of two entities that parse the HTTP and we can poison other sockets with this incorrect interpretation. A possible Proof-of-Concept (POC) would be a configuration with a reverse proxy(frontend) that accepts both CL and TE headers and aiohttp as backend. As aiohttp parses anything with chunked, we can pass a chunked123 as TE, the frontend entity will ignore this header and will parse Content-Length. • https://github.com/aio-libs/aiohttp/commit/f016f0680e4ace6742b03a70cb0382ce86abe371 https://github.com/aio-libs/aiohttp/security/advisories/GHSA-xx9p-xxvh-7g8j • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •
CVE-2023-37276 – aiohttp vulnerable to HTTP request smuggling
https://notcve.org/view.php?id=CVE-2023-37276
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. aiohttp v3.8.4 and earlier are bundled with llhttp v6.0.6. Vulnerable code is used by aiohttp for its HTTP request parser when available which is the default case when installing from a wheel. This vulnerability only affects users of aiohttp as an HTTP server (ie `aiohttp.Application`), you are not affected by this vulnerability if you are using aiohttp as an HTTP client library (ie `aiohttp.ClientSession`). Sending a crafted HTTP request will cause the server to misinterpret one of the HTTP header values leading to HTTP request smuggling. This issue has been addressed in version 3.8.5. • https://github.com/aio-libs/aiohttp/blob/v3.8.4/.gitmodules https://github.com/aio-libs/aiohttp/commit/9337fb3f2ab2b5f38d7e98a194bde6f7e3d16c40 https://github.com/aio-libs/aiohttp/security/advisories/GHSA-45c4-8wx5-qw6w https://hackerone.com/reports/2001873 https://access.redhat.com/security/cve/CVE-2023-37276 https://bugzilla.redhat.com/show_bug.cgi?id=2224185 • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •