PT-2023-4948 · CVE-2023-37276 · PyPI · aiohttp
Sethmlarson
Published: 2023-07-19 · Updated: 2024-12-16
CVSS v2.0: 7.8 (High)
| Vector | AV:N/AC:L/Au:N/C:N/I:C/A:N |
Name of the Vulnerable Software and Affected Versions
aiohttp versions 3.8.4 and earlier
Description
The vulnerability lies in aiohttp's handling of incoming HTTP requests: a crafted HTTP request can lead to HTTP request smuggling. It affects deployments that use aiohttp as an HTTP server, not those that use it only as an HTTP client library. The issue is fixed in version 3.8.5.
Recommendations
For aiohttp versions 3.8.4 and earlier, upgrade to version 3.8.5 to resolve the issue.
As a temporary workaround, users who cannot upgrade can reinstall aiohttp with the environment variable AIOHTTP_NO_EXTENSIONS=1 set, which disables the llhttp-based HTTP request parser implementation.
Exploit
Fix
DoS
HTTP Request/Response Smuggling
Weakness Enumeration
Related identifiers
Affected products
Alt Linux
Debian
Red Os
Aiohttp