CVE-2023-49081

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Improper validation made it possible for an attacker to modify the HTTP request (e.g. to insert a new header) or create a new HTTP request if the attacker controls the HTTP version. The vulnerability only occurs if the attacker can control the HTTP version of the request. This issue has been patched in version 3.9.0.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://gist.github.com/jnovikov/184afb593d9c2114d77f508e0ccd508e	Exploit Third Party Advisory
https://github.com/aio-libs/aiohttp/commit/1e86b777e61cf4eefc7d92fa57fa19dcc676013b
https://github.com/aio-libs/aiohttp/pull/7835/files
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-q3qx-c6g2-7pw2	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:aiohttp:aiohttp:*:*:*:*:*:*:*:*

History

29 Jan 2024, 14:15

Type	Values Removed	Values Added
References		() https://github.com/aio-libs/aiohttp/commit/1e86b777e61cf4eefc7d92fa57fa19dcc676013b - () https://github.com/aio-libs/aiohttp/pull/7835/files -

05 Dec 2023, 17:39

Type	Values Removed	Values Added
CPE		cpe:2.3:a:aiohttp:aiohttp::::::::
CWE		NVD-CWE-Other
References	~~() https://github.com/aio-libs/aiohttp/security/advisories/GHSA-q3qx-c6g2-7pw2 -~~	() https://github.com/aio-libs/aiohttp/security/advisories/GHSA-q3qx-c6g2-7pw2 - Exploit, Vendor Advisory
References	~~() https://gist.github.com/jnovikov/184afb593d9c2114d77f508e0ccd508e -~~	() https://gist.github.com/jnovikov/184afb593d9c2114d77f508e0ccd508e - Exploit, Third Party Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 5.3

30 Nov 2023, 07:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-11-30 07:15

Updated : 2024-02-05 00:22

NVD link : CVE-2023-49081

Mitre link : CVE-2023-49081

CVE.ORG link : CVE-2023-49081

JSON object : View

Products Affected

aiohttp

aiohttp

CWE

NVD-CWE-Other CWE-20

Improper Input Validation

{"id": "CVE-2023-49081", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 3.9}]}, "published": "2023-11-30T07:15:08.723", "references": [{"url": "https://gist.github.com/jnovikov/184afb593d9c2114d77f508e0ccd508e", "tags": ["Exploit", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/aio-libs/aiohttp/commit/1e86b777e61cf4eefc7d92fa57fa19dcc676013b", "source": "security-advisories@github.com"}, {"url": "https://github.com/aio-libs/aiohttp/pull/7835/files", "source": "security-advisories@github.com"}, {"url": "https://github.com/aio-libs/aiohttp/security/advisories/GHSA-q3qx-c6g2-7pw2", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-Other"}]}, {"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-20"}]}], "descriptions": [{"lang": "en", "value": "aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Improper validation made it possible for an attacker to modify the HTTP request (e.g. to insert a new header) or create a new HTTP request if the attacker controls the HTTP version. The vulnerability only occurs if the attacker can control the HTTP version of the request. This issue has been patched in version 3.9.0."}, {"lang": "es", "value": "aiohttp es un framework cliente/servidor HTTP as\u00edncrono para asyncio y Python. Una validaci\u00f3n incorrecta hizo posible que un atacante modificara la solicitud HTTP (por ejemplo, para insertar un nuevo encabezado) o creara una nueva solicitud HTTP si el atacante controla la versi\u00f3n HTTP. La vulnerabilidad s\u00f3lo ocurre si el atacante puede controlar la versi\u00f3n HTTP de la solicitud. Este problema se solucion\u00f3 en la versi\u00f3n 3.9.0."}], "lastModified": "2024-01-29T14:15:08.373", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:aiohttp:aiohttp:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B601D31B-56AB-4C39-8CC0-12CFA373E53A", "versionEndExcluding": "3.9.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}