Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

debian логотип

CVE-2024-30251

Опубликовано: 02 мая 2024
Источник: debian
EPSS Низкий

Описание

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In affected versions an attacker can send a specially crafted POST (multipart/form-data) request. When the aiohttp server processes it, the server will enter an infinite loop and be unable to process any further requests. An attacker can stop the application from serving requests after sending a single request. This issue has been addressed in version 3.9.4. Users are advised to upgrade. Users unable to upgrade may manually apply a patch to their systems. Please see the linked GHSA for instructions.

Пакеты

ПакетСтатусВерсия исправленияРелизТип
python-aiohttpfixed3.9.5-1package
python-aiohttppostponedbusterpackage

Примечания

  • https://www.openwall.com/lists/oss-security/2024/05/02/4

  • https://github.com/aio-libs/aiohttp/security/advisories/GHSA-5m98-qgg9-wh84

  • Fixed by: https://github.com/aio-libs/aiohttp/commit/cebe526b9c34dc3a3da9140409db63014bc4cf19 (v3.9.4)

  • Followup: https://github.com/aio-libs/aiohttp/commit/7eecdff163ccf029fbb1ddc9de4169d4aaeb6597 (v3.9.5)

  • Followup: https://github.com/aio-libs/aiohttp/commit/f21c6f2ca512a026ce7f0f6c6311f62d6a638866 (v3.9.5)

EPSS

Процентиль: 21%
0.00066
Низкий

Связанные уязвимости

ubuntu логотип

CVE-2024-30251

CVSS3: 7.5
ubuntu
около 1 года назад

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In affected versions an attacker can send a specially crafted POST (multipart/form-data) request. When the aiohttp server processes it, the server will enter an infinite loop and be unable to process any further requests. An attacker can stop the application from serving requests after sending a single request. This issue has been addressed in version 3.9.4. Users are advised to upgrade. Users unable to upgrade may manually apply a patch to their systems. Please see the linked GHSA for instructions.

redhat логотип

CVE-2024-30251

CVSS3: 7.5
redhat
около 1 года назад

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In affected versions an attacker can send a specially crafted POST (multipart/form-data) request. When the aiohttp server processes it, the server will enter an infinite loop and be unable to process any further requests. An attacker can stop the application from serving requests after sending a single request. This issue has been addressed in version 3.9.4. Users are advised to upgrade. Users unable to upgrade may manually apply a patch to their systems. Please see the linked GHSA for instructions.

nvd логотип

CVE-2024-30251

CVSS3: 7.5
nvd
около 1 года назад

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In affected versions an attacker can send a specially crafted POST (multipart/form-data) request. When the aiohttp server processes it, the server will enter an infinite loop and be unable to process any further requests. An attacker can stop the application from serving requests after sending a single request. This issue has been addressed in version 3.9.4. Users are advised to upgrade. Users unable to upgrade may manually apply a patch to their systems. Please see the linked GHSA for instructions.

suse-cvrf логотип

SUSE-SU-2024:4328-1

suse-cvrf
6 месяцев назад

Security update for python-aiohttp

suse-cvrf логотип

SUSE-SU-2024:4327-1

suse-cvrf
6 месяцев назад

Security update for python-aiohttp

EPSS

Процентиль: 21%
0.00066
Низкий