CVE-2024-52303

Published: 18 Nov 2024
Source: redhat
CVSS3: 7.5
EPSS: Low

Description

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In versions starting with 3.10.6 and prior to 3.10.11, a memory leak can occur when a request produces a MatchInfoError. This was caused by adding an entry to a cache on each request, due to the building of each MatchInfoError producing a unique cache entry. An attacker may be able to exhaust the memory resources of a server by sending a substantial number (100,000s to millions) of such requests. Those who use any middlewares with aiohttp.web should upgrade to version 3.10.11 to receive a patch.

A flaw was found in the aiohttp package. A memory leak can occur in certain configurations when a request produces a MatchInfoError. This issue was caused by adding an entry to a cache on each request due to the building of each MatchInfoError producing a unique cache entry. An attacker may be able to exhaust the memory resources of a server by sending a substantial number (100,000s to millions) of such requests.

Report

This vulnerability in aiohttp is of important severity rather than moderate because it can lead to a denial-of-service (DoS) attack via memory exhaustion. An attacker can exploit the memory leak by sending a large number of crafted requests that trigger the MatchInfoError, causing unique cache entries to accumulate without being cleared. As a result, the server's memory resources are gradually depleted, potentially leading to system crashes or performance degradation. The impact can be significant, especially in high-traffic environments where attackers can send hundreds of thousands or millions of requests, making it a critical issue for any service relying on aiohttp for handling web requests, particularly those using middlewares.
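To make the reported mechanism concrete, here is an added illustrative Python model (constructed for this page, not aiohttp's own code) of a cache keyed on a fresh per-request error object, placed beside a bounded cache keyed on stable request attributes; the class and function names are stand-ins, not aiohttp identifiers.

```python
"""Constructed model of the unbounded-cache pattern behind CVE-2024-52303.
Not aiohttp's code: it mimics the described behaviour (every request builds
a unique error object that becomes a new cache key) and places a bounded,
stably keyed cache beside it."""
from collections import OrderedDict


class MatchInfoError(Exception):
    """Stand-in for a per-request routing error (constructed, not aiohttp's)."""

    def __init__(self, method: str, path: str) -> None:
        super().__init__(f"{method} {path} not allowed")
        self.method, self.path = method, path
    # No __eq__/__hash__: identity hashing makes every instance a distinct key.


def leaky_cache_size(requests: int) -> int:
    """Vulnerable pattern: cache keyed by the freshly built error object.

    Replays `requests` identical disallowed requests and returns how many
    cache entries remain; nothing is ever evicted, so growth is linear."""
    cache: dict = {}
    for _ in range(requests):
        err = MatchInfoError("DELETE", "/resource")
        cache[err] = f"405 {err}"   # new key every time, never reused
    return len(cache)


def bounded_cache_size(requests: int, limit: int = 1024,
                       distinct_paths: bool = False) -> int:
    """Hardened pattern: key on stable request data, evict LRU past `limit`.

    With identical requests the cache holds one entry; with a distinct path
    per request it is capped at `limit`."""
    cache: OrderedDict = OrderedDict()
    for i in range(requests):
        key = ("DELETE", f"/resource/{i}" if distinct_paths else "/resource")
        if key in cache:
            cache.move_to_end(key)      # refresh recency, no new entry
            continue
        cache[key] = f"405 {key[0]} {key[1]} not allowed"
        if len(cache) > limit:
            cache.popitem(last=False)   # drop least recently used
    return len(cache)
```

Watching the cache-size-to-request ratio in this way is also a simple operational check: a cache that grows one entry per rejected request is the CWE-772 symptom the advisory describes.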

Mitigation

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

Affected packages

Platform | Package | Status | Recommendation | Release
OpenShift Lightspeed | openshift-lightspeed-tech-preview/lightspeed-service-api-rhel9 | Not affected | |
Red Hat Ansible Automation Platform 1.2 | ansible-tower | Not affected | |
Red Hat Ansible Automation Platform 2 | aap-cloud-metrics-collector-container | Not affected | |
Red Hat Ansible Automation Platform 2 | ansible-automation-platform-24/de-supported-rhel8 | Not affected | |
Red Hat Ansible Automation Platform 2 | ansible-automation-platform-24/ee-dellemc-openmanage-rhel8 | Not affected | |
Red Hat Ansible Automation Platform 2 | ansible-automation-platform-24/platform-resource-runner-rhel8 | Not affected | |
Red Hat Ansible Automation Platform 2 | ansible-automation-platform-25/ansible-dev-tools-rhel8 | Not affected | |
Red Hat Ansible Automation Platform 2 | ansible-automation-platform-25/lightspeed-rhel8 | Not affected | |
Red Hat Ansible Automation Platform 2 | automation-controller | Not affected | |
Red Hat Ansible Automation Platform 2 | python-aiohttp | Not affected | |


Additional information

Status: Important
Defect: CWE-772
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2327123
aiohttp: aiohttp memory leak when middleware is enabled when requesting a resource with a non-allowed method

EPSS: 0.00291 (percentile 52%, Low)
CVSS3: 7.5 High

Related vulnerabilities

ubuntu, 12 months ago, CVSS3: 7.5 (identical description to the one above)

nvd, 12 months ago, CVSS3: 7.5 (identical description to the one above)

debian, 12 months ago, CVSS3: 7.5

aiohttp is an asynchronous HTTP client/server framework for asyncio an ...

github, 12 months ago, CVSS3: 7.5

aiohttp has a memory leak when middleware is enabled when requesting a resource with a non-allowed method

fstec, 12 months ago, CVSS3: 7.5

Vulnerability in the aiohttp HTTP client related to a failure to release a resource after its effective lifetime has expired, allowing an attacker to cause a denial of service
