GHSA-27mf-ghqm-j3j8
Vulnerability from github
Published
2024-11-18 21:02
Modified
2024-11-19 20:48
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
6.9 (Medium) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
6.9 (Medium) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
Summary
aiohttp has a memory leak when middleware is enabled when requesting a resource with a non-allowed method
Details
Summary
A memory leak can occur when a request produces a MatchInfoError
. This was caused by adding an entry to a cache on each request, due to the building of each MatchInfoError
producing a unique cache entry.
Impact
If the user is making use of any middlewares with aiohttp.web
then it is advisable to upgrade immediately.
An attacker may be able to exhaust the memory resources of a server by sending a substantial number (100,000s to millions) of such requests.
Patch: https://github.com/aio-libs/aiohttp/commit/bc15db61615079d1b6327ba42c682f758fa96936
{ "affected": [ { "package": { "ecosystem": "PyPI", "name": "aiohttp" }, "ranges": [ { "events": [ { "introduced": "3.10.6" }, { "fixed": "3.10.11" } ], "type": "ECOSYSTEM" } ] } ], "aliases": [ "CVE-2024-52303" ], "database_specific": { "cwe_ids": [ "CWE-772" ], "github_reviewed": true, "github_reviewed_at": "2024-11-18T21:02:17Z", "nvd_published_at": "2024-11-18T20:15:06Z", "severity": "MODERATE" }, "details": "### Summary\n\nA memory leak can occur when a request produces a `MatchInfoError`. This was caused by adding an entry to a cache on each request, due to the building of each `MatchInfoError` producing a unique cache entry.\n\n### Impact\n\nIf the user is making use of any middlewares with `aiohttp.web` then it is advisable to upgrade immediately.\n\nAn attacker may be able to exhaust the memory resources of a server by sending a substantial number (100,000s to millions) of such requests.\n\n-----\n\nPatch: https://github.com/aio-libs/aiohttp/commit/bc15db61615079d1b6327ba42c682f758fa96936", "id": "GHSA-27mf-ghqm-j3j8", "modified": "2024-11-19T20:48:51Z", "published": "2024-11-18T21:02:17Z", "references": [ { "type": "WEB", "url": "https://github.com/aio-libs/aiohttp/security/advisories/GHSA-27mf-ghqm-j3j8" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52303" }, { "type": "WEB", "url": "https://github.com/aio-libs/aiohttp/commit/bc15db61615079d1b6327ba42c682f758fa96936" }, { "type": "PACKAGE", "url": "https://github.com/aio-libs/aiohttp" } ], "schema_version": "1.4.0", "severity": [ { "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "type": "CVSS_V3" }, { "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N", "type": "CVSS_V4" } ], "summary": "aiohttp has a memory leak when middleware is enabled when requesting a resource with a non-allowed method" }
Loading...
Loading...
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.