Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2023-49082

Опубликовано: 29 нояб. 2023
Источник: redhat
CVSS3: 5.3

Описание

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Improper validation makes it possible for an attacker to modify the HTTP request (e.g. insert a new header) or even create a new HTTP request if the attacker controls the HTTP method. The vulnerability occurs only if the attacker can control the HTTP method (GET, POST etc.) of the request. If the attacker can control the HTTP version of the request it will be able to modify the request (request smuggling). This issue has been patched in version 3.9.0.

A flaw was found in Aiohttp. This issue may allow an attacker to send a crafted HTTP request to the server and smuggle arbitrary HTTP headers due to improper validation of HTTP requests during the processing of the HTTP request method. By exploiting this flaw, an attacker can manipulate HTTP requests and potentially poison the HTTP cache for phishing attacks.

Отчет

The vulnerability only occurs if the attacker can control the HTTP method (GET, POST etc.) of the request.

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
Red Hat Ansible Automation Platform 1.2aiohttpOut of support scope
Red Hat Ansible Automation Platform 2.4 for RHEL 8python3x-aiohttpFixedRHSA-2024:105729.02.2024
Red Hat Ansible Automation Platform 2.4 for RHEL 9python-aiohttpFixedRHSA-2024:105729.02.2024
Red Hat Satellite 6.15 for RHEL 8python-aiohttpFixedRHSA-2024:201023.04.2024
Red Hat Satellite 6.15 for RHEL 8python-aiohttpFixedRHSA-2024:201023.04.2024
RHUI 4 for RHEL 8python-aiohttpFixedRHSA-2024:187818.04.2024

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Low
Дефект:
CWE-20
Дефект:
CWE-93
https://bugzilla.redhat.com/show_bug.cgi?id=2252248aiohttp: CRLF injection if user controls the HTTP method using aiohttp client

5.3 Medium

CVSS3

Связанные уязвимости

ubuntu логотип

CVE-2023-49082

CVSS3: 5.3
ubuntu
больше 1 года назад

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Improper validation makes it possible for an attacker to modify the HTTP request (e.g. insert a new header) or even create a new HTTP request if the attacker controls the HTTP method. The vulnerability occurs only if the attacker can control the HTTP method (GET, POST etc.) of the request. If the attacker can control the HTTP version of the request it will be able to modify the request (request smuggling). This issue has been patched in version 3.9.0.

nvd логотип

CVE-2023-49082

CVSS3: 5.3
nvd
больше 1 года назад

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Improper validation makes it possible for an attacker to modify the HTTP request (e.g. insert a new header) or even create a new HTTP request if the attacker controls the HTTP method. The vulnerability occurs only if the attacker can control the HTTP method (GET, POST etc.) of the request. If the attacker can control the HTTP version of the request it will be able to modify the request (request smuggling). This issue has been patched in version 3.9.0.

debian логотип

CVE-2023-49082

CVSS3: 5.3
debian
больше 1 года назад

aiohttp is an asynchronous HTTP client/server framework for asyncio an ...

suse-cvrf логотип

SUSE-SU-2024:0168-1

suse-cvrf
больше 1 года назад

Security update for python-aiohttp

github логотип

GHSA-qvrw-v9rv-5rjx

CVSS3: 5.3
github
больше 1 года назад

aiohttp's ClientSession is vulnerable to CRLF injection via method

5.3 Medium

CVSS3