CVE-2024-52303

18.11.2024, 20:15

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In versions starting with 3.10.6 and prior to 3.10.11, a memory leak can occur when a request produces a MatchInfoError. This was caused by adding an entry to a cache on each request, due to the building of each MatchInfoError producing a unique cache entry. An attacker may be able to exhaust the memory resources of a server by sending a substantial number (100,000s to millions) of such requests. Those who use any middlewares with aiohttp.web should upgrade to version 3.10.11 to receive a patch.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	7.5 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
GitHub_M	CNA	---				---
CISA-ADP	ADP	7.5 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: 26%

Debian Releases

Debian Product

Codename

python-aiohttp

bullseye	3.7.4-1 not-affected
bookworm	3.8.4-1+deb12u1 not-affected
bullseye (security)	3.7.4-1+deb11u1 fixed
bookworm (security)	3.8.4-1+deb12u1 fixed
sid	3.11.16-1 fixed
trixie	3.11.16-1 fixed

Ubuntu Releases

Ubuntu Product

Codename

python-aiohttp

plucky	needs-triage
oracular	needs-triage
noble	needs-triage
jammy	needs-triage
focal	needs-triage
bionic	needs-triage
xenial	needs-triage

Common Weakness Enumeration

CWE-772 - Missing Release of Resource after Effective Lifetime
The software does not release a resource after its effective lifetime has ended, i.e., after the resource is no longer needed.

References

https://github.com/aio-libs/aiohttp/commit/bc15db61615079d1b6327ba42c682f758fa96936

https://github.com/aio-libs/aiohttp/security/advisories/GHSA-27mf-ghqm-j3j8