Description
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In aiohttp before version 3.7.4 there is an open redirect vulnerability. A maliciously crafted link to an aiohttp-based web server could redirect the browser to a different website. It is caused by a bug in the aiohttp.web_middlewares.normalize_path_middleware middleware. This security problem has been fixed in 3.7.4. Upgrade your dependency with pip, quoting the version specifier so the shell does not treat `>` as a redirection: `pip install "aiohttp>=3.7.4"`. If upgrading is not an option for you, a workaround is to avoid using aiohttp.web_middlewares.normalize_path_middleware in your applications.
An open redirect flaw was found in python-aiohttp. This flaw allows a remote, unauthenticated attacker to trick users into visiting a malicious webpage disguised as a legitimate one, and affects applications that use the normalize_path_middleware functionality. The highest threat from this vulnerability is to confidentiality and integrity.
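To make the mechanism concrete, the following is an added example, not code from aiohttp or from Red Hat. It is a stand-alone Python model of a path-normalising redirect middleware: a request line such as `GET //evil.example` is rewritten to `//evil.example/`, a URL parser reads that string as host `evil.example` with path `/`, the router sees a hit on `/`, and the unmodified string is echoed back as a protocol-relative `Location` header that the browser follows off-site. The hardened variant collapses leading slashes before a candidate is resolved or echoed, and `is_external_redirect` is a check you can apply to a captured response. The route table, the hostname `evil.example`, the helper names and the exact rewrite order are constructed for this illustration and are not a claim about aiohttp's internals or its fix.

```python
"""
Added example (not aiohttp's own code): model of an open redirect in a
path-normalising middleware, a hardened variant, and a response check.
"""
import re
from urllib.parse import urlsplit

# Constructed route table standing in for the application's router.
ROUTES = {"/", "/api/", "/docs/"}


def _split_query(raw_path):
    """Split 'path?query' and keep the query verbatim ('?' included)."""
    if "?" in raw_path:
        path, query = raw_path.split("?", 1)
        return path, "?" + query
    return raw_path, ""


def _resolves(candidate):
    """
    Model of a router that matches on the *parsed* path of the candidate.
    urlsplit("//evil.example/") gives netloc="evil.example" and path="/",
    so the candidate matches the "/" route while the string that will be
    echoed into the Location header is still "//evil.example/".
    """
    return urlsplit(candidate).path in ROUTES


def _candidates(path, append_slash, merge_slashes):
    """Rewrites to try, in order (models the middleware's two options)."""
    cands = []
    if merge_slashes:
        cands.append(re.sub("//+", "/", path))
    if append_slash and not path.endswith("/"):
        cands.append(path + "/")
    if merge_slashes and append_slash:
        cands.append(re.sub("//+", "/", path + "/"))
    return cands


def vulnerable_location(raw_path, *, append_slash=True, merge_slashes=True):
    """
    Vulnerable behaviour: redirect to the first rewrite that resolves,
    echoing it back unchanged. Returns the Location value, or None when
    the request would fall through to a 404 instead of redirecting.
    """
    path, query = _split_query(raw_path)
    for cand in _candidates(path, append_slash, merge_slashes):
        if _resolves(cand):
            return cand + query
    return None


def hardened_location(raw_path, *, append_slash=True, merge_slashes=True):
    """
    Hardened variant: a redirect target must be an absolute path on this
    host, so leading slashes are collapsed to exactly one *before* the
    candidate is resolved or echoed. "//evil.example/" becomes
    "/evil.example/", an ordinary path that does not resolve.
    """
    path, query = _split_query(raw_path)
    for cand in _candidates(path, append_slash, merge_slashes):
        cand = re.sub("^//+", "/", cand)
        if _resolves(cand):
            return cand + query
    return None


def is_external_redirect(location):
    """
    Check for a captured 3xx response: True if the Location value would
    leave the current origin. Catches absolute URLs, the protocol-relative
    form ("//host/...") this bug produces, and the backslash variant
    ("/\\host/..."), which browsers normalise to "//host/..." for http(s).
    """
    parts = urlsplit(location.replace("\\", "/"))
    return bool(parts.scheme) or bool(parts.netloc)


if __name__ == "__main__":
    for req in ("/api", "//evil.example", "//evil.example?next=1"):
        print(f"{req!r:28} vulnerable -> {vulnerable_location(req)!r:28}"
              f" hardened -> {hardened_location(req)!r}")
```

To test a deployed service for this class of bug, send `GET //evil.example` (and `GET /\evil.example`) with a raw HTTP client that does not normalise the request target, and run `is_external_redirect` over the `Location` header of any 3xx you get back; a safe server either returns 404 or redirects to a path starting with a single slash.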
Statement
Red Hat Satellite version 6.7 onward (mostly the pulp part) does ship an affected version of aiohttp; however, it is not vulnerable, since the product code does not use the normalize_path_middleware function that an attacker would need for an attack. We may update the python-aiohttp dependency in a future release.
Affected packages
| Platform | Package | State | Advisory | Released |
|---|---|---|---|---|
| Red Hat Ansible Automation Platform 1.2 | aiohttp | Not affected | | |
| Red Hat Ansible Automation Platform 1.2 | python-aiohttp | Not affected | | |
| Red Hat Ansible Tower 3 | aiohttp | Not affected | | |
| Red Hat Satellite 6.10 for RHEL 7 | python-aiohttp | Fixed | RHSA-2021:4702 | 16.11.2021 |
Additional information
Status:
CVSS3: 8.2 High
Related vulnerabilities
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In aiohttp before version 3.7.4 there is an open redirect vulnerability. A maliciously crafted link to an aiohttp-based web-server could redirect the browser to a different website. It is caused by a bug in the `aiohttp.web_middlewares.normalize_path_middleware` middleware. This security problem has been fixed in 3.7.4. Upgrade your dependency using pip as follows "pip install aiohttp >= 3.7.4". If upgrading is not an option for you, a workaround can be to avoid using `aiohttp.web_middlewares.normalize_path_middleware` in your applications.
Recommended update for python-aiohttp, python-typing_extensions