CVE-2023-47641

14.11.2023, 21:15

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Affected versions of aiohttp have a security vulnerability regarding the inconsistent interpretation of the http protocol. HTTP/1.1 is a persistent protocol, if both Content-Length(CL) and Transfer-Encoding(TE) header values are present it can lead to incorrect interpretation of two entities that parse the HTTP and we can poison other sockets with this incorrect interpretation. A possible Proof-of-Concept (POC) would be a configuration with a reverse proxy(frontend) that accepts both CL and TE headers and aiohttp as backend. As aiohttp parses anything with chunked, we can pass a chunked123 as TE, the frontend entity will ignore this header and will parse Content-Length. The impact of this vulnerability is that it is possible to bypass any proxy rule, poisoning sockets to other users like passing Authentication Headers, also if it is present an Open Redirect an attacker could combine it to redirect random users to another website and log the request. This vulnerability has been addressed in release 3.8.0 of aiohttp. Users are advised to upgrade. There are no known workarounds for this vulnerability.

HTTP Request/Response Smuggling

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	3.4 LOW	NETWORK	HIGH	NONE	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N
GitHub_M	CNA	3.4 LOW	NETWORK	HIGH	NONE	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N
CVE	ADP	---				---
CISA-ADP	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 44%

Vendor	Product	Version
aiohttp	aiohttp	𝑥 < 3.8.0

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

python-aiohttp

bullseye	no-dsa
buster	no-dsa
bookworm	3.8.4-1 fixed
bookworm (security)	3.8.4-1+deb12u1 fixed
trixie	3.10.10-2 fixed
sid	3.10.11-1 fixed

Ubuntu Releases

Ubuntu Product

Codename

python-aiohttp

oracular	not-affected
noble	not-affected
mantic	not-affected
lunar	not-affected
jammy	not-affected
focal	needs-triage
bionic	needs-triage
xenial	needs-triage
trusty	ignored

Known Exploits!

Common Weakness Enumeration

CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.

References

https://github.com/aio-libs/aiohttp/commit/f016f0680e4ace6742b03a70cb0382ce86abe371

https://github.com/aio-libs/aiohttp/security/advisories/GHSA-xx9p-xxvh-7g8j

https://github.com/aio-libs/aiohttp/commit/f016f0680e4ace6742b03a70cb0382ce86abe371

https://github.com/aio-libs/aiohttp/security/advisories/GHSA-xx9p-xxvh-7g8j

https://lists.debian.org/debian-lts-announce/2025/02/msg00002.html