CVE-2023-49082

EUVD-2023-0007
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Improper validation makes it possible for an attacker to modify the HTTP request (e.g. insert a new header) or even create a new HTTP request if the attacker controls the HTTP method. The vulnerability occurs only if the attacker can control the HTTP method (GET, POST etc.) of the request. If the attacker can control the HTTP version of the request it will be able to modify the request (request smuggling). This issue has been patched in version 3.9.0.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
GitHub_MCNA
5.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 46%
Affected Products (NVD)
VendorProductVersion
aiohttpaiohttp
𝑥
< 3.9.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
python-aiohttp
bookworm
vulnerable
bookworm (security)
3.8.4-1+deb12u1
fixed
bullseye
no-dsa
buster
postponed
sid
3.10.11-1
fixed
trixie
3.10.10-2
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
python-aiohttp
bionic
needs-triage
focal
needs-triage
jammy
needs-triage
lunar
ignored
mantic
ignored
noble
needs-triage
oracular
needs-triage
trusty
ignored
xenial
needs-triage
Common Weakness Enumeration
References
https://gist.github.com/jnovikov/7f411ae9fe6a9a7804cf162a3bdbb44b
https://github.com/aio-libs/aiohttp/commit/e4ae01c2077d2cfa116aa82e4ff6866857f7c466
https://github.com/aio-libs/aiohttp/pull/7806/files
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-qvrw-v9rv-5rjx
https://gist.github.com/jnovikov/7f411ae9fe6a9a7804cf162a3bdbb44b
https://github.com/aio-libs/aiohttp/commit/e4ae01c2077d2cfa116aa82e4ff6866857f7c466
https://github.com/aio-libs/aiohttp/pull/7806/files
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-qvrw-v9rv-5rjx
https://lists.debian.org/debian-lts-announce/2025/02/msg00002.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WSYWMP64ZFCTC3VO6RY6EC6VSSMV6I3A/