CVE-2023-49081

aiohttp's ClientSession is vulnerable to CRLF injection via version

Severity Score

5.3

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Improper validation made it possible for an attacker to modify the HTTP request (e.g. to insert a new header) or create a new HTTP request if the attacker controls the HTTP version. The vulnerability only occurs if the attacker can control the HTTP version of the request. This issue has been patched in version 3.9.0.

aiohttp es un framework cliente/servidor HTTP asíncrono para asyncio y Python. Una validación incorrecta hizo posible que un atacante modificara la solicitud HTTP (por ejemplo, para insertar un nuevo encabezado) o creara una nueva solicitud HTTP si el atacante controla la versión HTTP. La vulnerabilidad sólo ocurre si el atacante puede controlar la versión HTTP de la solicitud. Este problema se solucionó en la versión 3.9.0.

A flaw was found in the python-aiohttp package. This issue could allow a remote attacker to modify an existing HTTP request or create a new request that could have minor confidentiality or integrity impacts.

Multiple security vulnerabilities were discovered in python-aiohttp, a HTTP client/server for asyncio, which could result in denial of service, directory traversal, CRLF injection or request smuggling.

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

None

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

None

Integrity

Low

Availability

None

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

None

Integrity

Partial

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2023-11-21 CVE Reserved
2023-11-30 CVE Published
2024-08-02 CVE Updated
2024-08-02 First Exploit
2025-04-15 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-20: Improper Input Validation

CAPEC

References (6)

URL	Tag	Source
https://github.com/aio-libs/aiohttp/commit/1e86b777e61cf4eefc7d92fa57fa19dcc676013b	X_refsource_misc
https://github.com/aio-libs/aiohttp/pull/7835/files	X_refsource_misc

URL	Date	SRC
https://gist.github.com/jnovikov/184afb593d9c2114d77f508e0ccd508e	2024-08-02
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-q3qx-c6g2-7pw2	2024-08-02

URL	Date	SRC

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2023-49081	2024-04-23
https://bugzilla.redhat.com/show_bug.cgi?id=2252235	2024-04-23

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Aiohttp Search vendor "Aiohttp"		Aiohttp Search vendor "Aiohttp" for product "Aiohttp"				< 3.9.0 Search vendor "Aiohttp" for product "Aiohttp" and version " < 3.9.0"		-		Affected