PT-2023-8840 · Aiohttp+3

Dreamsorcerer · Published 2023-11-14 · Updated 2025-02-03 · CVE-2023-47641

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: aiohttp versions prior to 3.8.0
Description: The issue stems from an inconsistent interpretation of the HTTP protocol when both Content-Length and Transfer-Encoding headers are present in the same request. Entities parsing the HTTP stream can then disagree about where one message ends and the next begins, which allows socket poisoning. A possible scenario involves a reverse proxy with aiohttp as the backend, where an attacker can bypass proxy rules, pass authentication headers, or combine the issue with an Open Redirect to send users to another website. The estimated number of potentially affected devices is not specified.
Recommendations: For versions prior to 3.8.0, upgrade to release 3.8.0 or later to address the vulnerability. As a temporary workaround, consider restricting the use of the Transfer-Encoding header or disabling the parsing of chunked requests until the patch is applied. Avoid configurations that accept both Content-Length and Transfer-Encoding headers in the same request. Restrict access to sensitive areas of the application to minimize the risk of exploitation.
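As an added example (not part of this advisory and not aiohttp's own code), a strict framing check that a front end or proxy can apply to each request before forwarding it to a backend: instead of guessing which header wins, it refuses the ambiguous combination the description names, along with the related malformed cases. The sample header blocks are constructed for illustration.

```python
# Added example: reject HTTP/1.1 requests whose body framing is ambiguous
# (RFC 7230 section 3.3.3). Stricter than the RFC on purpose: a message that
# carries both Content-Length and Transfer-Encoding is refused outright so a
# front end and an aiohttp backend can never disagree about message boundaries.


def check_framing(raw_head: bytes) -> tuple[bool, str]:
    """Return (ok, reason) for one request's header block.

    raw_head must include the request line and the blank line (CRLF CRLF)
    that terminates the headers; the body, if any, is ignored.
    """
    head, sep, _ = raw_head.partition(b"\r\n\r\n")
    if not sep:
        return False, "incomplete header block"
    content_lengths: list[bytes] = []
    transfer_encodings: list[bytes] = []
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, colon, value = line.partition(b":")
        # No colon, empty name, leading whitespace (obs-fold) or whitespace
        # before the colon: parsers disagree on these, so refuse them.
        if not colon or name == b"" or name != name.strip():
            return False, "malformed header line"
        name_l = name.lower()
        if name_l == b"content-length":
            content_lengths.extend(v.strip() for v in value.split(b","))
        elif name_l == b"transfer-encoding":
            transfer_encodings.extend(v.strip().lower() for v in value.split(b","))
    if content_lengths and transfer_encodings:
        return False, "both Content-Length and Transfer-Encoding present"
    if transfer_encodings:
        if transfer_encodings[-1] != b"chunked":
            return False, "Transfer-Encoding does not end with chunked"
        return True, "chunked"
    if content_lengths:
        # Repeated or comma-separated values must all agree and be numeric.
        if len(set(content_lengths)) != 1 or not content_lengths[0].isdigit():
            return False, "conflicting or non-numeric Content-Length"
        return True, "content-length"
    return True, "no body"


# Constructed sample header blocks (hypothetical host name).
AMBIGUOUS = (
    b"POST /api HTTP/1.1\r\nHost: app.example\r\n"
    b"Content-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n"
)
CLEAN = b"POST /api HTTP/1.1\r\nHost: app.example\r\nContent-Length: 4\r\n\r\n"

if __name__ == "__main__":
    print(check_framing(AMBIGUOUS))  # (False, 'both Content-Length and Transfer-Encoding present')
    print(check_framing(CLEAN))      # (True, 'content-length')
```

A request rejected here should be answered with 400 and the connection closed, since the remaining bytes on that socket can no longer be trusted as a message boundary.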

Weakness Enumeration

HTTP Request/Response Smuggling

Related Identifiers

ALT-PU-2022-7649
ALT-PU-2024-16702
AZL-43519
AZL-44538
BDU:2024-02174
CVE-2023-47641
DLA-4041-1
GHSA-XX9P-XXVH-7G8J
OESA-2023-1854
OPENSUSE-SU-2024:13691-1
PYSEC-2023-247
SUSE-SU-2023:4909-1
SUSE-SU-2023_4909-1
SUSE-SU-2024:0577-1

Affected Products

Alt Linux
Red Os
Suse
Aiohttp