CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 1CVE-2024-23829 – aiohttp's HTTP parser (the python one, not llhttp) still overly lenient about separators
https://notcve.org/view.php?id=CVE-2024-23829
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Security-sensitive parts of the Python HTTP parser retained minor differences in allowable character sets, that must trigger error handling to robustly match frame boundaries of proxies in order to protect against injection of additional requests. Additionally, validation could trigger exceptions that were not handled consistently with processing of other malformed input. Being more lenient than internet standards require could, depending on deployment environment, assist in request smuggling. The unhandled exception could cause excessive resource consumption on the application server and/or its logging facilities. • https://github.com/aio-libs/aiohttp/commit/33ccdfb0a12690af5bb49bda2319ec0907fa7827 https://github.com/aio-libs/aiohttp/pull/8074 https://github.com/aio-libs/aiohttp/security/advisories/GHSA-8qpw-xqxj-h4r2 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ICUOCFGTB25WUT336BZ4UNYLSZOUVKBD https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XXWVZIVAYWEBHNRIILZVB3R3SDQNNAA7 https://access.redhat.com/security/cve/CVE-2024-23829 https://bugzilla.redhat. • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •
CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 2CVE-2023-49081 – aiohttp's ClientSession is vulnerable to CRLF injection via version
https://notcve.org/view.php?id=CVE-2023-49081
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Improper validation made it possible for an attacker to modify the HTTP request (e.g. to insert a new header) or create a new HTTP request if the attacker controls the HTTP version. The vulnerability only occurs if the attacker can control the HTTP version of the request. This issue has been patched in version 3.9.0. aiohttp es un framework cliente/servidor HTTP asíncrono para asyncio y Python. Una validación incorrecta hizo posible que un atacante modificara la solicitud HTTP (por ejemplo, para insertar un nuevo encabezado) o creara una nueva solicitud HTTP si el atacante controla la versión HTTP. • https://gist.github.com/jnovikov/184afb593d9c2114d77f508e0ccd508e https://github.com/aio-libs/aiohttp/commit/1e86b777e61cf4eefc7d92fa57fa19dcc676013b https://github.com/aio-libs/aiohttp/pull/7835/files https://github.com/aio-libs/aiohttp/security/advisories/GHSA-q3qx-c6g2-7pw2 https://access.redhat.com/security/cve/CVE-2023-49081 https://bugzilla.redhat.com/show_bug.cgi?id=2252235 • CWE-20: Improper Input Validation •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 2CVE-2023-49082 – aiohttp's ClientSession is vulnerable to CRLF injection via method
https://notcve.org/view.php?id=CVE-2023-49082
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Improper validation makes it possible for an attacker to modify the HTTP request (e.g. insert a new header) or even create a new HTTP request if the attacker controls the HTTP method. The vulnerability occurs only if the attacker can control the HTTP method (GET, POST etc.) of the request. If the attacker can control the HTTP version of the request it will be able to modify the request (request smuggling). This issue has been patched in version 3.9.0. aiohttp es un framework cliente/servidor HTTP asíncrono para asyncio y Python. • https://gist.github.com/jnovikov/7f411ae9fe6a9a7804cf162a3bdbb44b https://github.com/aio-libs/aiohttp/commit/e4ae01c2077d2cfa116aa82e4ff6866857f7c466 https://github.com/aio-libs/aiohttp/pull/7806/files https://github.com/aio-libs/aiohttp/security/advisories/GHSA-qvrw-v9rv-5rjx https://access.redhat.com/security/cve/CVE-2023-49082 https://bugzilla.redhat.com/show_bug.cgi?id=2252248 • CWE-20: Improper Input Validation CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1CVE-2023-47627 – Request smuggling in aiohttp
https://notcve.org/view.php?id=CVE-2023-47627
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. The HTTP parser in AIOHTTP has numerous problems with header parsing, which could lead to request smuggling. This parser is only used when AIOHTTP_NO_EXTENSIONS is enabled (or not using a prebuilt wheel). These bugs have been addressed in commit `d5c12ba89` which has been included in release version 3.8.6. Users are advised to upgrade. • https://github.com/aio-libs/aiohttp/commit/d5c12ba890557a575c313bb3017910d7616fce3d https://github.com/aio-libs/aiohttp/security/advisories/GHSA-gfw2-4jvh-wgfg https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FUSJVQ7OQ55RWL4XAX2F5EZ73N4ZSH6U https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VDKQ6HM3KNDU4OQI476ZWT4O7DMSIT35 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WQYQL6WV535EEKSNH7KRARLLMOW5WXDM https://access.redhat.co • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 1CVE-2023-47641 – Inconsistent interpretation of `Content-Length` vs. `Transfer-Encoding` in aiohttp
https://notcve.org/view.php?id=CVE-2023-47641
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Affected versions of aiohttp have a security vulnerability regarding the inconsistent interpretation of the http protocol. HTTP/1.1 is a persistent protocol, if both Content-Length(CL) and Transfer-Encoding(TE) header values are present it can lead to incorrect interpretation of two entities that parse the HTTP and we can poison other sockets with this incorrect interpretation. A possible Proof-of-Concept (POC) would be a configuration with a reverse proxy(frontend) that accepts both CL and TE headers and aiohttp as backend. As aiohttp parses anything with chunked, we can pass a chunked123 as TE, the frontend entity will ignore this header and will parse Content-Length. • https://github.com/aio-libs/aiohttp/commit/f016f0680e4ace6742b03a70cb0382ce86abe371 https://github.com/aio-libs/aiohttp/security/advisories/GHSA-xx9p-xxvh-7g8j • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •