Описание
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow a request to be crafted in such a way that an AIOHTTP server's memory fills up uncontrollably during processing. If an application includes a handler that uses the Request.post() method, an attacker may be able to freeze the server by exhausting the memory. This issue is fixed in version 3.13.3.
A flaw was found in aiohttp. A remote attacker can craft a malicious request that, when processed by an aiohttp server using the Request.post() method, causes the server's memory to fill uncontrollably. This can lead to a Denial of Service (DoS) by freezing the server, making it unavailable to legitimate users.
Отчет
This vulnerability is rated Moderate for Red Hat products. A flaw in aiohttp allows a remote attacker to cause a Denial of Service (DoS) by sending a specially crafted POST request to an aiohttp server that utilizes the Request.post() method. This can lead to uncontrolled memory consumption, freezing the server and making the server unavailable.
Меры по смягчению последствий
No mitigation is currently available that meets Red Hat Product Security’s standards for usability, deployment, applicability, or stability.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Migration Toolkit for Containers | rhmtc/openshift-migration-hook-runner-rhel8 | Affected | ||
| OpenShift Lightspeed | openshift-lightspeed/lightspeed-ocp-rag-rhel9 | Affected | ||
| OpenShift Lightspeed | openshift-lightspeed/lightspeed-service-api-rhel9 | Affected | ||
| OpenShift Lightspeed | openshift-lightspeed-tech-preview/lightspeed-rag-tool-rhel9 | Affected | ||
| OpenShift Service Mesh 2 | openshift-service-mesh/grafana-rhel8 | Affected | ||
| OpenShift Service Mesh 2 | openshift-service-mesh/istio-cni-rhel8 | Affected | ||
| OpenShift Service Mesh 2 | openshift-service-mesh/istio-must-gather-rhel9 | Affected | ||
| OpenShift Service Mesh 2 | openshift-service-mesh/istio-operator-bundle | Affected | ||
| OpenShift Service Mesh 2 | openshift-service-mesh/istio-rhel8-operator | Affected | ||
| OpenShift Service Mesh 2 | openshift-service-mesh/pilot-rhel8 | Affected |
Показывать по
Дополнительная информация
Статус:
EPSS
6.8 Medium
CVSS3
Связанные уязвимости
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow a request to be crafted in such a way that an AIOHTTP server's memory fills up uncontrollably during processing. If an application includes a handler that uses the Request.post() method, an attacker may be able to freeze the server by exhausting the memory. This issue is fixed in version 3.13.3.
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow a request to be crafted in such a way that an AIOHTTP server's memory fills up uncontrollably during processing. If an application includes a handler that uses the Request.post() method, an attacker may be able to freeze the server by exhausting the memory. This issue is fixed in version 3.13.3.
AIOHTTP is an asynchronous HTTP client/server framework for asyncio an ...
AIOHTTP vulnerable to denial of service through large payloads
EPSS
6.8 Medium
CVSS3