PyPi: Aiohttp

CVE-2023-49081

Safety vulnerability ID: 62582

This vulnerability was reviewed by experts

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at Nov 30, 2023 Updated at Apr 16, 2024

Scan your Python projects for vulnerabilities →

Advisory

Aiohttp 3.9.0 includes a fix for CVE-2023-49081: Improper validation made it possible for an attacker to modify the HTTP request (e.g. to insert a new header) or create a new HTTP request if the attacker controls the HTTP version. The vulnerability only occurs if the attacker can control the HTTP version of the request.
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-q3qx-c6g2-7pw2

Affected package

aiohttp

Latest version: 3.9.5

Async http client/server framework (asyncio)

Affected versions

Fixed versions

Vulnerability changelog

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Improper validation made it possible for an attacker to modify the HTTP request (e.g. to insert a new header) or create a new HTTP request if the attacker controls the HTTP version. The vulnerability only occurs if the attacker can control the HTTP version of the request. This issue has been patched in version 3.9.0. See CVE-2023-49081.

MISC:https://gist.github.com/jnovikov/184afb593d9c2114d77f508e0ccd508e: https://gist.github.com/jnovikov/184afb593d9c2114d77f508e0ccd508e
MISC:https://github.com/aio-libs/aiohttp/security/advisories/GHSA-q3qx-c6g2-7pw2: https://github.com/aio-libs/aiohttp/security/advisories/GHSA-q3qx-c6g2-7pw2

Resources

Use this package?

Scan your Python project for dependency vulnerabilities in two minutes

Scan your application

Severity Details

CVSS Base Score

MEDIUM 5.3

CVSS v3 Details

MEDIUM 5.3

Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality Impact (C): NONE
Integrity Impact (I): LOW
Availability Availability (A): NONE