
CVSS: 9.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

18 Nov 2024 — aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.10.11, the Python parser parses newlines in chunk extensions incorrectly which can lead to request smuggling vulnerabilities under certain conditions. If a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or `AIOHTTP_NO_EXTENSIONS` is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections. Version 3.10.11 fix... • https://github.com/aio-libs/aiohttp/commit/259edc369075de63e6f3a4eaade058c62af0df71 • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •
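The desync the advisory describes, as an added illustration that is not aiohttp's parser: two toy chunked-body decoders differ only in where a chunk-size line ends when the chunk extension carries a bare LF. `decode_lf_tolerant` ends the line at the first LF (a leniency many proxies and HTTP stacks have); `decode_crlf_only` ends it only at CRLF, so the LF and everything up to the CRLF is swallowed into the extension, which is the behaviour being modelled, and with `reject_lf_in_extension=True` it refuses the message, as the fixed parser does. The request in `SMUGGLED` and the `build_desync_body` layout are constructed for the example.

```python
# Added illustration of the bug class behind CVE-2024-52304; a toy model, not
# aiohttp's parser. The same bytes are decoded by an LF-tolerant front end and a
# CRLF-only back end, and the two end the body in different places.


class BadHttpMessage(ValueError):
    """Raised when a decoder refuses the message."""


def _parse_size(line: bytes, *, reject_lf_in_extension: bool) -> int:
    """Return the hex chunk-size from a chunk-size line, dropping any extension."""
    ext_at = line.find(b";")
    size_b, ext = (line[:ext_at], line[ext_at:]) if ext_at >= 0 else (line, b"")
    if reject_lf_in_extension and b"\n" in ext:
        raise BadHttpMessage(f"Unexpected LF in chunk-extension: {ext!r}")
    try:
        return int(size_b.strip(), 16)
    except ValueError:
        raise BadHttpMessage(f"bad chunk size: {size_b!r}") from None


def _expect_crlf(data: bytes, pos: int, *, allow_bare_lf: bool) -> int:
    """Consume the CRLF (or bare LF, if allowed) at pos and return the new pos."""
    if data[pos:pos + 2] == b"\r\n":
        return pos + 2
    if allow_bare_lf and data[pos:pos + 1] == b"\n":
        return pos + 1
    raise BadHttpMessage("expected CRLF")


def decode_lf_tolerant(data: bytes) -> tuple:
    """Decode a chunked body whose lines may end in CRLF or bare LF.

    Returns (body, leftover); a front end treats leftover as the start of the
    next request on the connection."""
    body, pos = bytearray(), 0
    while True:
        nl = data.find(b"\n", pos)
        if nl < 0:
            raise BadHttpMessage("unterminated chunk-size line")
        size = _parse_size(data[pos:nl].rstrip(b"\r"), reject_lf_in_extension=True)
        pos = nl + 1
        if size == 0:
            break
        body += data[pos:pos + size]
        pos = _expect_crlf(data, pos + size, allow_bare_lf=True)
    pos = _expect_crlf(data, pos, allow_bare_lf=True)  # no trailers in this toy
    return bytes(body), data[pos:]


def decode_crlf_only(data: bytes, *, reject_lf_in_extension: bool) -> tuple:
    """Decode a chunked body whose chunk-size lines end only at CRLF."""
    body, pos = bytearray(), 0
    while True:
        end = data.find(b"\r\n", pos)
        if end < 0:
            raise BadHttpMessage("unterminated chunk-size line")
        size = _parse_size(data[pos:end], reject_lf_in_extension=reject_lf_in_extension)
        pos = end + 2
        if size == 0:
            break
        body += data[pos:pos + size]
        pos = _expect_crlf(data, pos + size, allow_bare_lf=False)
    pos = _expect_crlf(data, pos, allow_bare_lf=False)
    return bytes(body), data[pos:]


# Constructed request to hide behind the desync (not a real target).
SMUGGLED = b"GET /admin HTTP/1.1\r\nHost: victim\r\n\r\n"


def build_desync_body(smuggled: bytes = SMUGGLED) -> bytes:
    """Build one chunked body that the two decoders terminate at different points."""
    size = 5 + len(smuggled)       # CRLF-only view: covers b"0\r\n\r\n" + smuggled
    filler = b"A" * size           # LF-tolerant view: the whole first chunk
    return (
        b"%x;ext\n" % size         # LF-tolerant view: size line ends here ...
        + filler + b"\r\n"         # ... CRLF-only view: still inside the extension
        + b"0\r\n\r\n"             # LF-tolerant view: end of body
        + smuggled                 # LF-tolerant view: start of the next request
        + b"\r\n0\r\n\r\n"         # CRLF-only view: end of body
    )


def strict_rejects(data: bytes) -> bool:
    """True if the hardened CRLF-only decoder refuses data outright."""
    try:
        decode_crlf_only(data, reject_lf_in_extension=True)
    except BadHttpMessage:
        return True
    return False
```

With the built body, the LF-tolerant side sees a 42-byte chunk of `A`s and then `SMUGGLED` as the next request, while the lenient CRLF-only side sees one body that swallows the `0\r\n\r\n` and the whole smuggled request; only the hardened decoder refuses the message at the first line.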

CVSS: 8.7 | EPSS: 0% | CPEs: 1 | EXPL: 0

18 Nov 2024 — aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In versions starting with 3.10.6 and prior to 3.10.11, a memory leak can occur when a request produces a MatchInfoError. This was caused by adding an entry to a cache on each request, due to the building of each MatchInfoError producing a unique cache entry. An attacker may be able to exhaust the memory resources of a server by sending a substantial number (100,000s to millions) of such requests. Those who use any middlewares wi... • https://github.com/aio-libs/aiohttp/commit/bc15db61615079d1b6327ba42c682f758fa96936 • CWE-772: Missing Release of Resource after Effective Lifetime •
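A model of the exhaustion pattern, added here and not aiohttp's `UrlDispatcher` (the exact keying inside aiohttp is not reproduced). The leaky router keys each failed-match entry on the freshly built `MatchInfoError`, so every unmatched request adds an entry that can never be hit again; the fixed router never caches errors and bounds the cache of successful matches. `Router`, `MatchInfoError` and the route table are constructed for the example; the property worth checking after patching is that `cache_size()` stays flat under a flood of unmatched requests.

```python
# Added model of the leak pattern in CVE-2024-52303; not aiohttp's router code.
from collections import OrderedDict


class MatchInfoError:
    """Stands in for a failed route match (a 404/405 result)."""

    def __init__(self, status: int, path: str) -> None:
        self.status, self.path = status, path


class Router:
    def __init__(self, routes: dict, *, cache_errors: bool, max_entries: int = 1024) -> None:
        self._routes = dict(routes)          # (method, path) -> handler name
        self._cache = OrderedDict()
        self._cache_errors = cache_errors    # True reproduces the leak
        self._max_entries = max_entries

    def cache_size(self) -> int:
        return len(self._cache)

    def resolve(self, method: str, path: str):
        key = (method, path)
        hit = self._cache.get(key)
        if hit is not None:
            self._cache.move_to_end(key)
            return hit
        handler = self._routes.get(key)
        if handler is None:
            result = MatchInfoError(404, path)   # a fresh object on every miss
            if self._cache_errors:
                # Leaky: the key includes the unique error object, so this entry
                # is never looked up again and nothing ever evicts it.
                self._cache[(key, result)] = result
            return result
        self._cache[key] = handler
        if len(self._cache) > self._max_entries:
            self._cache.popitem(last=False)      # bounded LRU for real matches
        return handler


def flood(router: Router, n: int, path: str = "/does-not-exist") -> int:
    """Send n requests for an unmatched path and return the cache size afterwards."""
    for _ in range(n):
        router.resolve("GET", path)
    return router.cache_size()


ROUTES = {("GET", "/"): "index", ("GET", "/health"): "health"}   # constructed
```

Running `flood(Router(ROUTES, cache_errors=True), 100_000)` reports a cache of 100,000 entries for a single unmatched path, which is the growth the advisory describes; the fixed router reports 0, and its cache for matched routes never exceeds `max_entries`.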

CVSS: 4.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

09 Aug 2024 — aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.10.2, static routes which contain files with compressed variants (`.gz` or `.br` extension) are vulnerable to path traversal outside the root directory if those variants are symbolic links. The server protects static routes from path traversal outside the root directory when `follow_symlinks=False` (default). It does this by resolving the requested URL to an absolute path and then checking that path relative t... • https://github.com/aio-libs/aiohttp/blob/e0ff5246e1d29b7710ab1a2bbc972b48169f1c05/aiohttp/web_fileresponse.py#L177 • CWE-61: UNIX Symbolic Link (Symlink) Following •
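The check described above and the gap in it, as an added example that models rather than copies aiohttp's `FileResponse`. The plain path is resolved (which follows symlinks) and checked against the root; the unchecked variant then appends `.gz` and serves whatever that name points at, while the checked variant resolves the variant as well and only serves it when it stays under the root (refusing any symlinked variant via `lstat()` when `follow_symlinks=False` is the other reasonable policy). `pick_file` and the temporary directory layout are constructed for the example.

```python
# Added illustration of the CVE-2024-42367 check; not aiohttp's FileResponse code.
import os
import tempfile
from pathlib import Path


def pick_file(root: Path, rel: str, *, accept_gzip: bool, check_variant: bool) -> Path:
    """Return the file to serve for rel under root, or raise."""
    root = root.resolve()
    # resolve() follows symlinks, so a symlinked plain file escaping root is caught here
    plain = (root / rel.lstrip("/")).resolve()
    if not plain.is_relative_to(root):
        raise PermissionError(f"{rel!r} escapes the static root")
    if not plain.is_file():
        raise FileNotFoundError(rel)
    if accept_gzip:
        variant = plain.with_name(plain.name + ".gz")
        if variant.exists():              # follows the symlink, so proves nothing by itself
            if not check_variant:
                return variant            # vulnerable: served without re-checking
            real = variant.resolve()
            if real.is_relative_to(root) and real.is_file():
                return real
            # symlinked outside the root: ignore the variant and serve the plain file
    return plain


def build_fixture() -> Path:
    """Constructed layout: static/index.txt plus static/index.txt.gz -> ../secret."""
    tmp = Path(tempfile.mkdtemp())
    root = tmp / "static"
    root.mkdir()
    (root / "index.txt").write_bytes(b"public")
    secret = tmp / "secret"              # outside the static root
    secret.write_bytes(b"secret")
    os.symlink(secret, root / "index.txt.gz")
    return root


def served_bytes(root: Path, rel: str, *, check_variant: bool) -> bytes:
    """What a client that accepts gzip would receive for rel."""
    return pick_file(root, rel, accept_gzip=True, check_variant=check_variant).read_bytes()


def escapes(root: Path, rel: str) -> bool:
    """True if the plain-path check rejects rel."""
    try:
        pick_file(root, rel, accept_gzip=False, check_variant=True)
    except PermissionError:
        return True
    return False
```

With the fixture, an `Accept-Encoding: gzip` request for `index.txt` returns the outside file's bytes from the unchecked variant and the public file from the checked one; a direct `../secret` request is rejected either way, which is why the hole was specific to the compressed variants.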

CVSS: 7.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

02 May 2024 — aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In affected versions an attacker can send a specially crafted POST (multipart/form-data) request. When the aiohttp server processes it, the server will enter an infinite loop and be unable to process any further requests. An attacker can stop the application from serving requests after sending a single request. This issue has been addressed in version 3.9.4. • http://www.openwall.com/lists/oss-security/2024/05/02/4 • CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •

CVSS: 6.4 | EPSS: 0% | CPEs: 1 | EXPL: 0

18 Apr 2024 — aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. An XSS vulnerability exists on index pages for static file handling. This vulnerability is fixed in 3.9.4. We have always recommended using a reverse proxy server (e.g. nginx) for serving static files. Users following the recommendation are unaffected. • https://github.com/aio-libs/aiohttp/commit/28335525d1eac015a7e7584137678cbb6ff19397 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) •
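The bug class behind an index-page XSS, as an added example that is not aiohttp's directory-listing code: a listing that interpolates file names straight into HTML lets a file whose name is an HTML tag inject markup, and escaping the visible text plus percent-encoding the `href` closes it. `directory_as_html` and the temporary directory with a tag-shaped file name are constructed for the example.

```python
# Added illustration of the CVE-2024-27306 fix class; not aiohttp's code.
import html
import tempfile
from pathlib import Path
from urllib.parse import quote


def directory_as_html(directory: Path, prefix: str, *, escape: bool) -> str:
    """Render a directory index; escape=False is the vulnerable form."""
    items = []
    for entry in sorted(directory.iterdir(), key=lambda p: p.name):
        text = entry.name + ("/" if entry.is_dir() else "")
        href = f"{prefix}/{entry.name}"
        if escape:
            href = quote(href)                       # '<', '"', "'" become %XX
            text = html.escape(text, quote=True)     # '<' -> &lt;, '"' -> &quot;
        items.append(f'<li><a href="{href}">{text}</a></li>')
    return "<html><body><ul>\n" + "\n".join(items) + "\n</ul></body></html>"


PAYLOAD_NAME = '<img src=x onerror="alert(1)">'       # constructed file name


def build_fixture() -> Path:
    """Constructed directory: one ordinary file and one file named like an HTML tag."""
    d = Path(tempfile.mkdtemp())
    (d / "readme.txt").write_text("hello")
    (d / PAYLOAD_NAME).write_text("")
    return d


def listing_injects_markup(page: str) -> bool:
    """True if a raw tag from a file name survived into the page."""
    return "<img" in page or 'onerror="' in page
```

On the fixture, the unescaped listing contains the literal `<img ... onerror=...>` element, so a browser executes it; the escaped listing shows the same name as text (`&lt;img ...`) and links to a percent-encoded path.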

CVSS: 6.5 | EPSS: 0% | CPEs: 1 | EXPL: 1

26 Jun 2018 — aio-libs aiohttp-session contains a Session Fixation vulnerability in the load_session function for RedisStorage (see: https://github.com/aio-libs/aiohttp-session/blob/master/aiohttp_session/redis_storage.py#L42) that can result in Session Hijacking. This attack appears to be exploitable via any method that allows setting session cookies (?session=<>, or meta tags or script tags with Set-Cookie). • https://github.com/aio-libs/aiohttp-session/blob/master/aiohttp_session/redis_storage.py#L60 • CWE-384: Session Fixation •
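The fixation mechanism and its fix, as an added model that is not aiohttp-session's `RedisStorage`: a `load_session` that keeps an attacker-chosen identifier which is not in the store, and creates the new session under it, lets an attacker who planted that cookie in the victim's browser read the victim's session after the victim logs in; discarding unknown identifiers and issuing a fresh one on save removes the attacker's foothold. `Storage`, `Session` and `fixation_attack` are constructed for the example, with a dict standing in for Redis.

```python
# Added model of the CVE-2018-1000519 bug class; not aiohttp-session's code.
import secrets
from typing import Optional


class Session:
    def __init__(self, identity: Optional[str], data: dict, *, new: bool) -> None:
        self.identity, self.data, self.new = identity, dict(data), new


class Storage:
    """Toy session store; keep_unknown_identity=True is the vulnerable behaviour."""

    def __init__(self, *, keep_unknown_identity: bool) -> None:
        self._store = {}                         # identity -> session data (stands in for Redis)
        self._keep_unknown = keep_unknown_identity

    def load_session(self, cookie: Optional[str]) -> Session:
        if cookie is None:
            return Session(None, {}, new=True)
        data = self._store.get(cookie)
        if data is None:
            if self._keep_unknown:
                # Vulnerable: the client-supplied identity is trusted and becomes
                # the key the new session will be saved under.
                return Session(cookie, {}, new=True)
            # Fixed: an identity the server never issued is discarded.
            return Session(None, {}, new=True)
        return Session(cookie, data, new=False)

    def save_session(self, session: Session) -> str:
        """Persist the session and return the cookie value the client should keep."""
        key = session.identity or secrets.token_hex(16)
        self._store[key] = dict(session.data)
        return key


def fixation_attack(storage: Storage) -> bool:
    """Simulate the attack; True means the attacker can read the victim's session."""
    attacker_key = "d3adb33fcafe"                 # attacker's chosen identifier,
    victim = storage.load_session(attacker_key)   # planted in the victim's browser
    victim.data["user"] = "victim"                # victim authenticates
    storage.save_session(victim)
    attacker = storage.load_session(attacker_key)
    return attacker.data.get("user") == "victim"


def issued_identity(storage: Storage, planted: str) -> str:
    """The cookie value the server hands back after saving a session loaded from planted."""
    return storage.save_session(storage.load_session(planted))
```

The check to keep in a test suite is the last one: after saving a session that was loaded from an unknown cookie, the returned identifier must not equal the value the client presented.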