Описание
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below of the Python HTTP parser may allow a request smuggling attack with the presence of non-ASCII characters. If a pure Python version of AIOHTTP is installed (i.e. without the usual C extensions) or AIOHTTP_NO_EXTENSIONS is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections. This issue is fixed in version 3.13.3.
A flaw was found in aiohttp, an asynchronous HTTP client/server framework for Python. A remote attacker could exploit this vulnerability by sending requests containing non-ASCII characters to the Python HTTP parser. This could lead to a request smuggling attack, allowing the attacker to bypass certain firewall or proxy protections, particularly when a pure Python version of AIOHTTP is in use or AIOHTTP_NO_EXTENSIONS is enabled.
Отчет
This vulnerability is rated Moderate for Red Hat products. The flaw in aiohttp's HTTP parser allows request smuggling via non-ASCII characters. Exploitation is possible only when a pure Python version of aiohttp is in use (i.e., without C extensions) or when the AIOHTTP_NO_EXTENSIONS environment variable is enabled.
Меры по смягчению последствий
No mitigation is currently available that meets Red Hat Product Security’s standards for usability, deployment, applicability, or stability.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Migration Toolkit for Containers | rhmtc/openshift-migration-hook-runner-rhel8 | Fix deferred | ||
| OpenShift Lightspeed | openshift-lightspeed/lightspeed-ocp-rag-rhel9 | Fix deferred | ||
| OpenShift Lightspeed | openshift-lightspeed/lightspeed-service-api-rhel9 | Fix deferred | ||
| OpenShift Lightspeed | openshift-lightspeed-tech-preview/lightspeed-rag-tool-rhel9 | Fix deferred | ||
| OpenShift Service Mesh 2 | openshift-service-mesh/grafana-rhel8 | Fix deferred | ||
| OpenShift Service Mesh 2 | openshift-service-mesh/istio-cni-rhel8 | Fix deferred | ||
| OpenShift Service Mesh 2 | openshift-service-mesh/istio-must-gather-rhel9 | Fix deferred | ||
| OpenShift Service Mesh 2 | openshift-service-mesh/istio-operator-bundle | Fix deferred | ||
| OpenShift Service Mesh 2 | openshift-service-mesh/istio-rhel8-operator | Fix deferred | ||
| OpenShift Service Mesh 2 | openshift-service-mesh/pilot-rhel8 | Fix deferred |
Показывать по
Дополнительная информация
Статус:
EPSS
5.4 Medium
CVSS3
Связанные уязвимости
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below of the Python HTTP parser may allow a request smuggling attack with the presence of non-ASCII characters. If a pure Python version of AIOHTTP is installed (i.e. without the usual C extensions) or AIOHTTP_NO_EXTENSIONS is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections. This issue is fixed in version 3.13.3.
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below of the Python HTTP parser may allow a request smuggling attack with the presence of non-ASCII characters. If a pure Python version of AIOHTTP is installed (i.e. without the usual C extensions) or AIOHTTP_NO_EXTENSIONS is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections. This issue is fixed in version 3.13.3.
AIOHTTP is an asynchronous HTTP client/server framework for asyncio an ...
AIOHTTP's unicode processing of header values could cause parsing discrepancies
EPSS
5.4 Medium
CVSS3