pysec - pysec-2023-251

pysec-2023-251

Vulnerability from pysec

Published

2023-11-29 20:15

Modified

2024-01-29 16:22

Severity

5.3 (Medium) - CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Details

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Improper validation makes it possible for an attacker to modify the HTTP request (e.g. insert a new header) or even create a new HTTP request if the attacker controls the HTTP method. The vulnerability occurs only if the attacker can control the HTTP method (GET, POST etc.) of the request. If the attacker can control the HTTP version of the request it will be able to modify the request (request smuggling). This issue has been patched in version 3.9.0.

Aliases

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "aiohttp",
        "purl": "pkg:pypi/aiohttp"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "e4ae01c2077d2cfa116aa82e4ff6866857f7c466"
            }
          ],
          "repo": "https://github.com/aio-libs/aiohttp",
          "type": "GIT"
        },
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.9.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.1",
        "0.10.0",
        "0.10.1",
        "0.10.2",
        "0.11.0",
        "0.12.0",
        "0.13.0",
        "0.13.1",
        "0.14.0",
        "0.14.1",
        "0.14.2",
        "0.14.3",
        "0.14.4",
        "0.15.0",
        "0.15.1",
        "0.15.2",
        "0.15.3",
        "0.16.0",
        "0.16.1",
        "0.16.2",
        "0.16.3",
        "0.16.4",
        "0.16.5",
        "0.16.6",
        "0.17.0",
        "0.17.1",
        "0.17.2",
        "0.17.3",
        "0.17.4",
        "0.18.0",
        "0.18.1",
        "0.18.2",
        "0.18.3",
        "0.18.4",
        "0.19.0",
        "0.2",
        "0.20.0",
        "0.20.1",
        "0.20.2",
        "0.21.0",
        "0.21.1",
        "0.21.2",
        "0.21.4",
        "0.21.5",
        "0.21.6",
        "0.22.0",
        "0.22.0a0",
        "0.22.0b0",
        "0.22.0b1",
        "0.22.0b2",
        "0.22.0b3",
        "0.22.0b4",
        "0.22.0b5",
        "0.22.0b6",
        "0.22.1",
        "0.22.2",
        "0.22.3",
        "0.22.4",
        "0.22.5",
        "0.3",
        "0.4",
        "0.4.1",
        "0.4.2",
        "0.4.3",
        "0.4.4",
        "0.5.0",
        "0.6.0",
        "0.6.1",
        "0.6.2",
        "0.6.3",
        "0.6.4",
        "0.6.5",
        "0.7.0",
        "0.7.1",
        "0.7.2",
        "0.7.3",
        "0.8.0",
        "0.8.1",
        "0.8.2",
        "0.8.3",
        "0.8.4",
        "0.9.0",
        "0.9.1",
        "0.9.2",
        "0.9.3",
        "1.0.0",
        "1.0.1",
        "1.0.2",
        "1.0.3",
        "1.0.5",
        "1.1.0",
        "1.1.1",
        "1.1.2",
        "1.1.3",
        "1.1.4",
        "1.1.5",
        "1.1.6",
        "1.2.0",
        "1.3.0",
        "1.3.1",
        "1.3.2",
        "1.3.3",
        "1.3.4",
        "1.3.5",
        "2.0.0",
        "2.0.0rc1",
        "2.0.1",
        "2.0.2",
        "2.0.3",
        "2.0.4",
        "2.0.5",
        "2.0.6",
        "2.0.7",
        "2.1.0",
        "2.2.0",
        "2.2.1",
        "2.2.2",
        "2.2.3",
        "2.2.4",
        "2.2.5",
        "2.3.0",
        "2.3.0a1",
        "2.3.0a2",
        "2.3.0a3",
        "2.3.0a4",
        "2.3.1",
        "2.3.10",
        "2.3.1a1",
        "2.3.2",
        "2.3.2b2",
        "2.3.2b3",
        "2.3.3",
        "2.3.4",
        "2.3.5",
        "2.3.6",
        "2.3.7",
        "2.3.8",
        "2.3.9",
        "3.0.0",
        "3.0.0b0",
        "3.0.0b1",
        "3.0.0b2",
        "3.0.0b3",
        "3.0.0b4",
        "3.0.1",
        "3.0.2",
        "3.0.3",
        "3.0.4",
        "3.0.5",
        "3.0.6",
        "3.0.7",
        "3.0.8",
        "3.0.9",
        "3.1.0",
        "3.1.1",
        "3.1.2",
        "3.1.3",
        "3.2.0",
        "3.2.1",
        "3.3.0",
        "3.3.0a0",
        "3.3.1",
        "3.3.2",
        "3.3.2a0",
        "3.4.0",
        "3.4.0a0",
        "3.4.0a3",
        "3.4.0b1",
        "3.4.0b2",
        "3.4.1",
        "3.4.2",
        "3.4.3",
        "3.4.4",
        "3.5.0",
        "3.5.0a1",
        "3.5.0b1",
        "3.5.0b2",
        "3.5.0b3",
        "3.5.1",
        "3.5.2",
        "3.5.3",
        "3.5.4",
        "3.6.0",
        "3.6.0a0",
        "3.6.0a1",
        "3.6.0a11",
        "3.6.0a12",
        "3.6.0a2",
        "3.6.0a3",
        "3.6.0a4",
        "3.6.0a5",
        "3.6.0a6",
        "3.6.0a7",
        "3.6.0a8",
        "3.6.0a9",
        "3.6.0b0",
        "3.6.1",
        "3.6.1b3",
        "3.6.1b4",
        "3.6.2",
        "3.6.2a0",
        "3.6.2a1",
        "3.6.2a2",
        "3.6.3",
        "3.7.0",
        "3.7.0b0",
        "3.7.0b1",
        "3.7.1",
        "3.7.2",
        "3.7.3",
        "3.7.4",
        "3.7.4.post0",
        "3.8.0",
        "3.8.0a7",
        "3.8.0b0",
        "3.8.1",
        "3.8.2",
        "3.8.3",
        "3.8.4",
        "3.8.5",
        "3.8.6",
        "3.9.0b0",
        "3.9.0b1",
        "3.9.0rc0"
      ]
    }
  ],
  "aliases": [
    "CVE-2023-49082",
    "GHSA-qvrw-v9rv-5rjx"
  ],
  "details": "aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Improper validation makes it possible for an attacker to modify the HTTP request (e.g. insert a new header) or even create a new HTTP request if the attacker controls the HTTP method. The vulnerability occurs only if the attacker can control the HTTP method (GET, POST etc.) of the request. If the attacker can control the HTTP version of the request it will be able to modify the request (request smuggling). This issue has been patched in version 3.9.0.",
  "id": "PYSEC-2023-251",
  "modified": "2024-01-29T16:22:26.513672+00:00",
  "published": "2023-11-29T20:15:00+00:00",
  "references": [
    {
      "type": "EVIDENCE",
      "url": "https://github.com/aio-libs/aiohttp/security/advisories/GHSA-qvrw-v9rv-5rjx"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/aio-libs/aiohttp/security/advisories/GHSA-qvrw-v9rv-5rjx"
    },
    {
      "type": "EVIDENCE",
      "url": "https://gist.github.com/jnovikov/7f411ae9fe6a9a7804cf162a3bdbb44b"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/jnovikov/7f411ae9fe6a9a7804cf162a3bdbb44b"
    },
    {
      "type": "WEB",
      "url": "https://github.com/aio-libs/aiohttp/pull/7806/files"
    },
    {
      "type": "FIX",
      "url": "https://github.com/aio-libs/aiohttp/commit/e4ae01c2077d2cfa116aa82e4ff6866857f7c466"
    }
  ],
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

ghsa-qvrw-v9rv-5rjx

Vulnerability from github

Published

2023-11-27 23:17

Modified

2024-09-03 21:38

Severity

5.3 (Medium) - CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
6.9 (Medium) - CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Summary

aiohttp's ClientSession is vulnerable to CRLF injection via method

Details

Summary

Improper validation makes it possible for an attacker to modify the HTTP request (e.g. insert a new header) or even create a new HTTP request if the attacker controls the HTTP method.

Details

The vulnerability occurs only if the attacker can control the HTTP method (GET, POST etc.) of the request.

Previous releases performed no validation on the provided value. If an attacker controls the HTTP method it will be used as is and can lead to HTTP request smuggling.

PoC

A minimal example can be found here: https://gist.github.com/jnovikov/7f411ae9fe6a9a7804cf162a3bdbb44b

Impact

If the attacker can control the HTTP version of the request it will be able to modify the request (request smuggling).

Workaround

If unable to upgrade and using user-provided values for the request method, perform manual validation of the user value (e.g. by restricting it to a few known values like GET, POST etc.).

Patch: https://github.com/aio-libs/aiohttp/pull/7806/files

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "aiohttp"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.9.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-49082"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-11-27T23:17:24Z",
    "nvd_published_at": "2023-11-29T20:15:08Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nImproper validation makes it possible for an attacker to modify the HTTP request (e.g. insert a new header) or even create a new HTTP request if the attacker controls the HTTP method.\n\n### Details\nThe vulnerability occurs only if the attacker can control the HTTP method (GET, POST etc.) of the request.\n\nPrevious releases performed no validation on the provided value. If an attacker controls the HTTP method it will be used as is and can lead to HTTP request smuggling.\n\n### PoC\nA minimal example can be found here:\nhttps://gist.github.com/jnovikov/7f411ae9fe6a9a7804cf162a3bdbb44b\n\n### Impact\nIf the attacker can control the HTTP version of the request it will be able to modify the request (request smuggling).\n\n### Workaround\nIf unable to upgrade and using user-provided values for the request method, perform manual validation of the user value (e.g. by restricting it to a few known values like GET, POST etc.).\n\nPatch: https://github.com/aio-libs/aiohttp/pull/7806/files",
  "id": "GHSA-qvrw-v9rv-5rjx",
  "modified": "2024-09-03T21:38:56Z",
  "published": "2023-11-27T23:17:24Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/aio-libs/aiohttp/security/advisories/GHSA-qvrw-v9rv-5rjx"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-49082"
    },
    {
      "type": "WEB",
      "url": "https://github.com/aio-libs/aiohttp/pull/7806/files"
    },
    {
      "type": "WEB",
      "url": "https://github.com/aio-libs/aiohttp/commit/e4ae01c2077d2cfa116aa82e4ff6866857f7c466"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/jnovikov/7f411ae9fe6a9a7804cf162a3bdbb44b"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/aio-libs/aiohttp"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/aiohttp/PYSEC-2023-251.yaml"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TY5SI6NK5243DEEDQUFKQKW5GQNKQUMA"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WSYWMP64ZFCTC3VO6RY6EC6VSSMV6I3A"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "aiohttp\u0027s ClientSession is vulnerable to CRLF injection via method"
}

cve-2023-49082

Vulnerability from cvelistv5

Published

2023-11-29 20:07

Modified

2024-08-02 21:46

Severity

5.3 (Medium) - cvssV3_1 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Summary

aiohttp's ClientSession is vulnerable to CRLF injection via method

References

URL	Tags
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-qvrw-v9rv-5rjx	x_refsource_CONFIRM
https://github.com/aio-libs/aiohttp/pull/7806/files	x_refsource_MISC
https://github.com/aio-libs/aiohttp/commit/e4ae01c2077d2cfa116aa82e4ff6866857f7c466	x_refsource_MISC
https://gist.github.com/jnovikov/7f411ae9fe6a9a7804cf162a3bdbb44b	x_refsource_MISC

Impacted products

Vendor	Product
aio-libs	aiohttp

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T21:46:29.121Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/aio-libs/aiohttp/security/advisories/GHSA-qvrw-v9rv-5rjx",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/aio-libs/aiohttp/security/advisories/GHSA-qvrw-v9rv-5rjx"
          },
          {
            "name": "https://github.com/aio-libs/aiohttp/pull/7806/files",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/aio-libs/aiohttp/pull/7806/files"
          },
          {
            "name": "https://github.com/aio-libs/aiohttp/commit/e4ae01c2077d2cfa116aa82e4ff6866857f7c466",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/aio-libs/aiohttp/commit/e4ae01c2077d2cfa116aa82e4ff6866857f7c466"
          },
          {
            "name": "https://gist.github.com/jnovikov/7f411ae9fe6a9a7804cf162a3bdbb44b",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://gist.github.com/jnovikov/7f411ae9fe6a9a7804cf162a3bdbb44b"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "aiohttp",
          "vendor": "aio-libs",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 3.9.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Improper validation makes it possible for an attacker to modify the HTTP request (e.g. insert a new header) or even create a new HTTP request if the attacker controls the HTTP method. The vulnerability occurs only if the attacker can control the HTTP method (GET, POST etc.) of the request. If the attacker can control the HTTP version of the request it will be able to modify the request (request smuggling). This issue has been patched in version 3.9.0."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-93",
              "description": "CWE-93: Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-20",
              "description": "CWE-20: Improper Input Validation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-01-29T14:11:02.945Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/aio-libs/aiohttp/security/advisories/GHSA-qvrw-v9rv-5rjx",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/aio-libs/aiohttp/security/advisories/GHSA-qvrw-v9rv-5rjx"
        },
        {
          "name": "https://github.com/aio-libs/aiohttp/pull/7806/files",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/aio-libs/aiohttp/pull/7806/files"
        },
        {
          "name": "https://github.com/aio-libs/aiohttp/commit/e4ae01c2077d2cfa116aa82e4ff6866857f7c466",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/aio-libs/aiohttp/commit/e4ae01c2077d2cfa116aa82e4ff6866857f7c466"
        },
        {
          "name": "https://gist.github.com/jnovikov/7f411ae9fe6a9a7804cf162a3bdbb44b",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://gist.github.com/jnovikov/7f411ae9fe6a9a7804cf162a3bdbb44b"
        }
      ],
      "source": {
        "advisory": "GHSA-qvrw-v9rv-5rjx",
        "discovery": "UNKNOWN"
      },
      "title": "aiohttp\u0027s ClientSession is vulnerable to CRLF injection via method"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2023-49082",
    "datePublished": "2023-11-29T20:07:29.341Z",
    "dateReserved": "2023-11-21T18:57:30.428Z",
    "dateUpdated": "2024-08-02T21:46:29.121Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Action not permitted

pysec-2023-251

Vulnerability from pysec

ghsa-qvrw-v9rv-5rjx

Vulnerability from github

Summary

Details

PoC

Impact

Workaround

cve-2023-49082

Vulnerability from cvelistv5

Tags