cve-2023-47641
Vulnerability from cvelistv5
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T21:16:42.297Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/aio-libs/aiohttp/security/advisories/GHSA-xx9p-xxvh-7g8j", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/aio-libs/aiohttp/security/advisories/GHSA-xx9p-xxvh-7g8j" }, { "name": "https://github.com/aio-libs/aiohttp/commit/f016f0680e4ace6742b03a70cb0382ce86abe371", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/aio-libs/aiohttp/commit/f016f0680e4ace6742b03a70cb0382ce86abe371" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2023-47641", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-08-29T20:18:44.628858Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-08-29T20:18:58.589Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "aiohttp", "vendor": "aio-libs", "versions": [ { "status": "affected", "version": "\u003c 3.8.0" } ] } ], "descriptions": [ { "lang": "en", "value": "aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Affected versions of aiohttp have a security vulnerability regarding the inconsistent interpretation of the http protocol. HTTP/1.1 is a persistent protocol, if both Content-Length(CL) and Transfer-Encoding(TE) header values are present it can lead to incorrect interpretation of two entities that parse the HTTP and we can poison other sockets with this incorrect interpretation. A possible Proof-of-Concept (POC) would be a configuration with a reverse proxy(frontend) that accepts both CL and TE headers and aiohttp as backend. 
As aiohttp parses anything with chunked, we can pass a chunked123 as TE, the frontend entity will ignore this header and will parse Content-Length. The impact of this vulnerability is that it is possible to bypass any proxy rule, poisoning sockets to other users like passing Authentication Headers, also if it is present an Open Redirect an attacker could combine it to redirect random users to another website and log the request. This vulnerability has been addressed in release 3.8.0 of aiohttp. Users are advised to upgrade. There are no known workarounds for this vulnerability." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.4, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-444", "description": "CWE-444: Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-11-14T20:44:08.989Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/aio-libs/aiohttp/security/advisories/GHSA-xx9p-xxvh-7g8j", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/aio-libs/aiohttp/security/advisories/GHSA-xx9p-xxvh-7g8j" }, { "name": "https://github.com/aio-libs/aiohttp/commit/f016f0680e4ace6742b03a70cb0382ce86abe371", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/aio-libs/aiohttp/commit/f016f0680e4ace6742b03a70cb0382ce86abe371" } ], "source": { "advisory": "GHSA-xx9p-xxvh-7g8j", "discovery": "UNKNOWN" }, "title": "Inconsistent interpretation of `Content-Length` vs. 
`Transfer-Encoding` in aiohttp" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2023-47641", "datePublished": "2023-11-14T20:44:08.989Z", "dateReserved": "2023-11-07T16:57:49.245Z", "dateUpdated": "2024-08-29T20:18:58.589Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1", "vulnerability-lookup:meta": { "nvd": "{\"cve\":{\"id\":\"CVE-2023-47641\",\"sourceIdentifier\":\"[email protected]\",\"published\":\"2023-11-14T21:15:13.713\",\"lastModified\":\"2024-11-21T08:30:35.137\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Affected versions of aiohttp have a security vulnerability regarding the inconsistent interpretation of the http protocol. HTTP/1.1 is a persistent protocol, if both Content-Length(CL) and Transfer-Encoding(TE) header values are present it can lead to incorrect interpretation of two entities that parse the HTTP and we can poison other sockets with this incorrect interpretation. A possible Proof-of-Concept (POC) would be a configuration with a reverse proxy(frontend) that accepts both CL and TE headers and aiohttp as backend. As aiohttp parses anything with chunked, we can pass a chunked123 as TE, the frontend entity will ignore this header and will parse Content-Length. The impact of this vulnerability is that it is possible to bypass any proxy rule, poisoning sockets to other users like passing Authentication Headers, also if it is present an Open Redirect an attacker could combine it to redirect random users to another website and log the request. This vulnerability has been addressed in release 3.8.0 of aiohttp. Users are advised to upgrade. There are no known workarounds for this vulnerability.\"},{\"lang\":\"es\",\"value\":\"aiohttp es un framework cliente/servidor HTTP as\u00edncrono para asyncio y Python. 
Las versiones afectadas de aiohttp tienen una vulnerabilidad de seguridad relacionada con la interpretaci\u00f3n inconsistente del protocolo http. HTTP/1.1 es un protocolo persistente, si los valores de encabezado Content-Length (CL) y Transfer-Encoding (TE) est\u00e1n presentes, puede llevar a una interpretaci\u00f3n incorrecta de dos entidades que analizan HTTP y podemos envenenar otros sockets con esta interpretaci\u00f3n incorrecta. Una posible Proof-of-Concept (POC) ser\u00eda una configuraci\u00f3n con un proxy inverso (frontend) que acepte encabezados CL y TE y aiohttp como backend. Como aiohttp analiza cualquier cosa con fragmentos, podemos pasar un fragmento123 como TE, la entidad de interfaz ignorar\u00e1 este encabezado y analizar\u00e1 la longitud del contenido. El impacto de esta vulnerabilidad es que es posible eludir cualquier regla de proxy, envenenando los sockets de otros usuarios, como pasar encabezados de autenticaci\u00f3n. Adem\u00e1s, si est\u00e1 presente un redireccionamiento abierto, un atacante podr\u00eda combinarlo para redirigir a usuarios aleatorios a otro sitio web y registrar la solicitud. Esta vulnerabilidad se solucion\u00f3 en la versi\u00f3n 3.8.0 de aiohttp. Se recomienda a los usuarios que actualicen. 
No se conocen workarounds para esta vulnerabilidad.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"[email protected]\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N\",\"baseScore\":3.4,\"baseSeverity\":\"LOW\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.6,\"impactScore\":1.4},{\"source\":\"[email protected]\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":2.5}]},\"weaknesses\":[{\"source\":\"[email protected]\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-444\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:aiohttp:aiohttp:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"3.8.0\",\"matchCriteriaId\":\"A206D0B6-C5CB-4AA9-9C17-C3041A7C42A7\"}]}]}],\"references\":[{\"url\":\"https://github.com/aio-libs/aiohttp/commit/f016f0680e4ace6742b03a70cb0382ce86abe371\",\"source\":\"[email protected]\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/aio-libs/aiohttp/security/advisories/GHSA-xx9p-xxvh-7g8j\",\"source\":\"[email protected]\",\"tags\":[\"Exploit\",\"Patch\",\"Vendor 
Advisory\"]},{\"url\":\"https://github.com/aio-libs/aiohttp/commit/f016f0680e4ace6742b03a70cb0382ce86abe371\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/aio-libs/aiohttp/security/advisories/GHSA-xx9p-xxvh-7g8j\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Patch\",\"Vendor Advisory\"]}]}}", "vulnrichment": { "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/aio-libs/aiohttp/security/advisories/GHSA-xx9p-xxvh-7g8j\", \"name\": \"https://github.com/aio-libs/aiohttp/security/advisories/GHSA-xx9p-xxvh-7g8j\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"]}, {\"url\": \"https://github.com/aio-libs/aiohttp/commit/f016f0680e4ace6742b03a70cb0382ce86abe371\", \"name\": \"https://github.com/aio-libs/aiohttp/commit/f016f0680e4ace6742b03a70cb0382ce86abe371\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T21:16:42.297Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-47641\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-08-29T20:18:44.628858Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-08-29T20:18:50.146Z\"}}], \"cna\": {\"title\": \"Inconsistent interpretation of `Content-Length` vs. 
`Transfer-Encoding` in aiohttp\", \"source\": {\"advisory\": \"GHSA-xx9p-xxvh-7g8j\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 3.4, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"LOW\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"aio-libs\", \"product\": \"aiohttp\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 3.8.0\"}]}], \"references\": [{\"url\": \"https://github.com/aio-libs/aiohttp/security/advisories/GHSA-xx9p-xxvh-7g8j\", \"name\": \"https://github.com/aio-libs/aiohttp/security/advisories/GHSA-xx9p-xxvh-7g8j\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/aio-libs/aiohttp/commit/f016f0680e4ace6742b03a70cb0382ce86abe371\", \"name\": \"https://github.com/aio-libs/aiohttp/commit/f016f0680e4ace6742b03a70cb0382ce86abe371\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Affected versions of aiohttp have a security vulnerability regarding the inconsistent interpretation of the http protocol. HTTP/1.1 is a persistent protocol, if both Content-Length(CL) and Transfer-Encoding(TE) header values are present it can lead to incorrect interpretation of two entities that parse the HTTP and we can poison other sockets with this incorrect interpretation. A possible Proof-of-Concept (POC) would be a configuration with a reverse proxy(frontend) that accepts both CL and TE headers and aiohttp as backend. As aiohttp parses anything with chunked, we can pass a chunked123 as TE, the frontend entity will ignore this header and will parse Content-Length. 
The impact of this vulnerability is that it is possible to bypass any proxy rule, poisoning sockets to other users like passing Authentication Headers, also if it is present an Open Redirect an attacker could combine it to redirect random users to another website and log the request. This vulnerability has been addressed in release 3.8.0 of aiohttp. Users are advised to upgrade. There are no known workarounds for this vulnerability.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-444\", \"description\": \"CWE-444: Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2023-11-14T20:44:08.989Z\"}}}", "cveMetadata": "{\"cveId\": \"CVE-2023-47641\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-08-29T20:18:58.589Z\", \"dateReserved\": \"2023-11-07T16:57:49.245Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2023-11-14T20:44:08.989Z\", \"assignerShortName\": \"GitHub_M\"}", "dataType": "CVE_RECORD", "dataVersion": "5.1" } } }
gsd-2023-47641
Vulnerability from gsd
{ "GSD": { "alias": "CVE-2023-47641", "id": "GSD-2023-47641" }, "gsd": { "metadata": { "exploitCode": "unknown", "remediation": "unknown", "reportConfidence": "confirmed", "type": "vulnerability" }, "osvSchema": { "aliases": [ "CVE-2023-47641" ], "details": "aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Affected versions of aiohttp have a security vulnerability regarding the inconsistent interpretation of the http protocol. HTTP/1.1 is a persistent protocol, if both Content-Length(CL) and Transfer-Encoding(TE) header values are present it can lead to incorrect interpretation of two entities that parse the HTTP and we can poison other sockets with this incorrect interpretation. A possible Proof-of-Concept (POC) would be a configuration with a reverse proxy(frontend) that accepts both CL and TE headers and aiohttp as backend. As aiohttp parses anything with chunked, we can pass a chunked123 as TE, the frontend entity will ignore this header and will parse Content-Length. The impact of this vulnerability is that it is possible to bypass any proxy rule, poisoning sockets to other users like passing Authentication Headers, also if it is present an Open Redirect an attacker could combine it to redirect random users to another website and log the request. This vulnerability has been addressed in release 3.8.0 of aiohttp. Users are advised to upgrade. 
There are no known workarounds for this vulnerability.", "id": "GSD-2023-47641", "modified": "2023-12-13T01:20:51.800959Z", "schema_version": "1.4.0" } }, "namespaces": { "cve.org": { "CVE_data_meta": { "ASSIGNER": "[email protected]", "ID": "CVE-2023-47641", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "aiohttp", "version": { "version_data": [ { "version_affected": "=", "version_value": "\u003c 3.8.0" } ] } } ] }, "vendor_name": "aio-libs" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Affected versions of aiohttp have a security vulnerability regarding the inconsistent interpretation of the http protocol. HTTP/1.1 is a persistent protocol, if both Content-Length(CL) and Transfer-Encoding(TE) header values are present it can lead to incorrect interpretation of two entities that parse the HTTP and we can poison other sockets with this incorrect interpretation. A possible Proof-of-Concept (POC) would be a configuration with a reverse proxy(frontend) that accepts both CL and TE headers and aiohttp as backend. As aiohttp parses anything with chunked, we can pass a chunked123 as TE, the frontend entity will ignore this header and will parse Content-Length. The impact of this vulnerability is that it is possible to bypass any proxy rule, poisoning sockets to other users like passing Authentication Headers, also if it is present an Open Redirect an attacker could combine it to redirect random users to another website and log the request. This vulnerability has been addressed in release 3.8.0 of aiohttp. Users are advised to upgrade. There are no known workarounds for this vulnerability." 
} ] }, "impact": { "cvss": [ { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.4, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N", "version": "3.1" } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "cweId": "CWE-444", "lang": "eng", "value": "CWE-444: Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/aio-libs/aiohttp/security/advisories/GHSA-xx9p-xxvh-7g8j", "refsource": "MISC", "url": "https://github.com/aio-libs/aiohttp/security/advisories/GHSA-xx9p-xxvh-7g8j" }, { "name": "https://github.com/aio-libs/aiohttp/commit/f016f0680e4ace6742b03a70cb0382ce86abe371", "refsource": "MISC", "url": "https://github.com/aio-libs/aiohttp/commit/f016f0680e4ace6742b03a70cb0382ce86abe371" } ] }, "source": { "advisory": "GHSA-xx9p-xxvh-7g8j", "discovery": "UNKNOWN" } }, "nvd.nist.gov": { "configurations": { "CVE_data_version": "4.0", "nodes": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:aiohttp:aiohttp:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "3.8.0", "vulnerable": true } ], "operator": "OR" } ] }, "cve": { "CVE_data_meta": { "ASSIGNER": "[email protected]", "ID": "CVE-2023-47641" }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "en", "value": "aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Affected versions of aiohttp have a security vulnerability regarding the inconsistent interpretation of the http protocol. 
HTTP/1.1 is a persistent protocol, if both Content-Length(CL) and Transfer-Encoding(TE) header values are present it can lead to incorrect interpretation of two entities that parse the HTTP and we can poison other sockets with this incorrect interpretation. A possible Proof-of-Concept (POC) would be a configuration with a reverse proxy(frontend) that accepts both CL and TE headers and aiohttp as backend. As aiohttp parses anything with chunked, we can pass a chunked123 as TE, the frontend entity will ignore this header and will parse Content-Length. The impact of this vulnerability is that it is possible to bypass any proxy rule, poisoning sockets to other users like passing Authentication Headers, also if it is present an Open Redirect an attacker could combine it to redirect random users to another website and log the request. This vulnerability has been addressed in release 3.8.0 of aiohttp. Users are advised to upgrade. There are no known workarounds for this vulnerability." } ] }, "problemtype": { "problemtype_data": [ { "description": [] } ] }, "references": { "reference_data": [ { "name": "https://github.com/aio-libs/aiohttp/security/advisories/GHSA-xx9p-xxvh-7g8j", "refsource": "", "tags": [ "Exploit", "Patch", "Vendor Advisory" ], "url": "https://github.com/aio-libs/aiohttp/security/advisories/GHSA-xx9p-xxvh-7g8j" }, { "name": "https://github.com/aio-libs/aiohttp/commit/f016f0680e4ace6742b03a70cb0382ce86abe371", "refsource": "", "tags": [ "Patch" ], "url": "https://github.com/aio-libs/aiohttp/commit/f016f0680e4ace6742b03a70cb0382ce86abe371" } ] } }, "impact": { "baseMetricV3": { "cvssV3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 
3.9, "impactScore": 2.5 } }, "lastModifiedDate": "2023-11-22T22:41Z", "publishedDate": "2023-11-14T21:15Z" } } }
pysec-2023-247
Vulnerability from pysec
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Affected versions of aiohttp have a security vulnerability regarding the inconsistent interpretation of the HTTP protocol. HTTP/1.1 is a persistent protocol; if both Content-Length (CL) and Transfer-Encoding (TE) header values are present, two entities that parse the HTTP stream can interpret it differently, and this inconsistent interpretation can be used to poison other sockets. A possible Proof-of-Concept (POC) would be a configuration with a reverse proxy (frontend) that accepts both CL and TE headers and aiohttp as the backend. As aiohttp treats any TE value containing "chunked" as chunked, a value such as "chunked123" can be passed as TE: the frontend entity will ignore this header and parse Content-Length instead. The impact of this vulnerability is that it is possible to bypass any proxy rule and poison the sockets of other users, for example by passing Authentication headers; if an Open Redirect is also present, an attacker could combine the two to redirect random users to another website and log the request. This vulnerability has been addressed in release 3.8.0 of aiohttp. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Name | purl
---|---
aiohttp | pkg:pypi/aiohttp
{ "affected": [ { "package": { "ecosystem": "PyPI", "name": "aiohttp", "purl": "pkg:pypi/aiohttp" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "f016f0680e4ace6742b03a70cb0382ce86abe371" } ], "repo": "https://github.com/aio-libs/aiohttp", "type": "GIT" }, { "events": [ { "introduced": "0" }, { "fixed": "3.8.0" } ], "type": "ECOSYSTEM" } ], "versions": [ "0.1", "0.10.0", "0.10.1", "0.10.2", "0.11.0", "0.12.0", "0.13.0", "0.13.1", "0.14.0", "0.14.1", "0.14.2", "0.14.3", "0.14.4", "0.15.0", "0.15.1", "0.15.2", "0.15.3", "0.16.0", "0.16.1", "0.16.2", "0.16.3", "0.16.4", "0.16.5", "0.16.6", "0.17.0", "0.17.1", "0.17.2", "0.17.3", "0.17.4", "0.18.0", "0.18.1", "0.18.2", "0.18.3", "0.18.4", "0.19.0", "0.2", "0.20.0", "0.20.1", "0.20.2", "0.21.0", "0.21.1", "0.21.2", "0.21.4", "0.21.5", "0.21.6", "0.22.0", "0.22.0a0", "0.22.0b0", "0.22.0b1", "0.22.0b2", "0.22.0b3", "0.22.0b4", "0.22.0b5", "0.22.0b6", "0.22.1", "0.22.2", "0.22.3", "0.22.4", "0.22.5", "0.3", "0.4", "0.4.1", "0.4.2", "0.4.3", "0.4.4", "0.5.0", "0.6.0", "0.6.1", "0.6.2", "0.6.3", "0.6.4", "0.6.5", "0.7.0", "0.7.1", "0.7.2", "0.7.3", "0.8.0", "0.8.1", "0.8.2", "0.8.3", "0.8.4", "0.9.0", "0.9.1", "0.9.2", "0.9.3", "1.0.0", "1.0.1", "1.0.2", "1.0.3", "1.0.5", "1.1.0", "1.1.1", "1.1.2", "1.1.3", "1.1.4", "1.1.5", "1.1.6", "1.2.0", "1.3.0", "1.3.1", "1.3.2", "1.3.3", "1.3.4", "1.3.5", "2.0.0", "2.0.0rc1", "2.0.1", "2.0.2", "2.0.3", "2.0.4", "2.0.5", "2.0.6", "2.0.7", "2.1.0", "2.2.0", "2.2.1", "2.2.2", "2.2.3", "2.2.4", "2.2.5", "2.3.0", "2.3.0a1", "2.3.0a2", "2.3.0a3", "2.3.0a4", "2.3.1", "2.3.10", "2.3.1a1", "2.3.2", "2.3.2b2", "2.3.2b3", "2.3.3", "2.3.4", "2.3.5", "2.3.6", "2.3.7", "2.3.8", "2.3.9", "3.0.0", "3.0.0b0", "3.0.0b1", "3.0.0b2", "3.0.0b3", "3.0.0b4", "3.0.1", "3.0.2", "3.0.3", "3.0.4", "3.0.5", "3.0.6", "3.0.7", "3.0.8", "3.0.9", "3.1.0", "3.1.1", "3.1.2", "3.1.3", "3.2.0", "3.2.1", "3.3.0", "3.3.0a0", "3.3.1", "3.3.2", "3.3.2a0", "3.4.0", "3.4.0a0", "3.4.0a3", "3.4.0b1", "3.4.0b2", 
"3.4.1", "3.4.2", "3.4.3", "3.4.4", "3.5.0", "3.5.0a1", "3.5.0b1", "3.5.0b2", "3.5.0b3", "3.5.1", "3.5.2", "3.5.3", "3.5.4", "3.6.0", "3.6.0a0", "3.6.0a1", "3.6.0a11", "3.6.0a12", "3.6.0a2", "3.6.0a3", "3.6.0a4", "3.6.0a5", "3.6.0a6", "3.6.0a7", "3.6.0a8", "3.6.0a9", "3.6.0b0", "3.6.1", "3.6.1b3", "3.6.1b4", "3.6.2", "3.6.2a0", "3.6.2a1", "3.6.2a2", "3.6.3", "3.7.0", "3.7.0b0", "3.7.0b1", "3.7.1", "3.7.2", "3.7.3", "3.7.4", "3.7.4.post0", "3.8.0a7", "3.8.0b0" ] } ], "aliases": [ "CVE-2023-47641", "GHSA-xx9p-xxvh-7g8j" ], "details": "aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Affected versions of aiohttp have a security vulnerability regarding the inconsistent interpretation of the http protocol. HTTP/1.1 is a persistent protocol, if both Content-Length(CL) and Transfer-Encoding(TE) header values are present it can lead to incorrect interpretation of two entities that parse the HTTP and we can poison other sockets with this incorrect interpretation. A possible Proof-of-Concept (POC) would be a configuration with a reverse proxy(frontend) that accepts both CL and TE headers and aiohttp as backend. As aiohttp parses anything with chunked, we can pass a chunked123 as TE, the frontend entity will ignore this header and will parse Content-Length. The impact of this vulnerability is that it is possible to bypass any proxy rule, poisoning sockets to other users like passing Authentication Headers, also if it is present an Open Redirect an attacker could combine it to redirect random users to another website and log the request. This vulnerability has been addressed in release 3.8.0 of aiohttp. Users are advised to upgrade. 
There are no known workarounds for this vulnerability.", "id": "PYSEC-2023-247", "modified": "2023-11-22T23:23:57.631856+00:00", "published": "2023-11-14T21:15:00+00:00", "references": [ { "type": "EVIDENCE", "url": "https://github.com/aio-libs/aiohttp/security/advisories/GHSA-xx9p-xxvh-7g8j" }, { "type": "FIX", "url": "https://github.com/aio-libs/aiohttp/security/advisories/GHSA-xx9p-xxvh-7g8j" }, { "type": "ADVISORY", "url": "https://github.com/aio-libs/aiohttp/security/advisories/GHSA-xx9p-xxvh-7g8j" }, { "type": "FIX", "url": "https://github.com/aio-libs/aiohttp/commit/f016f0680e4ace6742b03a70cb0382ce86abe371" } ], "severity": [ { "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "type": "CVSS_V3" } ] }
suse-su-2023:4909-1
Vulnerability from csaf_suse
Notes
{ "document": { "aggregate_severity": { "namespace": "https://www.suse.com/support/security/rating/", "text": "moderate" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright 2024 SUSE LLC. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "Security update for python-aiohttp", "title": "Title of the patch" }, { "category": "description", "text": "This update for python-aiohttp fixes the following issues:\n\n- CVE-2023-47641: Fixed inconsistent interpretation of the http protocol, if \n content-length and transport-encoding are in the same header with\n transport-encoding value of \u0027chunked*\u0027 (bsc#1217174)\n", "title": "Description of the patch" }, { "category": "details", "text": "SUSE-2023-4909,SUSE-SLE-Module-Public-Cloud-15-SP1-2023-4909,SUSE-SLE-Module-Public-Cloud-15-SP2-2023-4909,SUSE-SLE-Module-Public-Cloud-15-SP3-2023-4909,SUSE-SLE-Module-Public-Cloud-15-SP4-2023-4909,SUSE-SLE-Module-Public-Cloud-15-SP5-2023-4909,openSUSE-SLE-15.4-2023-4909,openSUSE-SLE-15.5-2023-4909", "title": "Patchnames" }, { "category": "legal_disclaimer", "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).", "title": "Terms of use" } ], "publisher": { "category": "vendor", "contact_details": "https://www.suse.com/support/security/contact/", "name": "SUSE Product Security Team", "namespace": "https://www.suse.com/" }, "references": [ { "category": "external", "summary": "SUSE ratings", "url": "https://www.suse.com/support/security/rating/" }, { "category": "self", "summary": "URL of this CSAF notice", "url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2023_4909-1.json" }, { "category": "self", "summary": "URL for SUSE-SU-2023:4909-1", "url": "https://www.suse.com/support/update/announcement/2023/suse-su-20234909-1/" }, { "category": "self", "summary": "E-Mail 
link for SUSE-SU-2023:4909-1", "url": "https://lists.suse.com/pipermail/sle-security-updates/2023-December/017488.html" }, { "category": "self", "summary": "SUSE Bug 1217174", "url": "https://bugzilla.suse.com/1217174" }, { "category": "self", "summary": "SUSE CVE CVE-2023-47641 page", "url": "https://www.suse.com/security/cve/CVE-2023-47641/" } ], "title": "Security update for python-aiohttp", "tracking": { "current_release_date": "2023-12-19T15:01:47Z", "generator": { "date": "2023-12-19T15:01:47Z", "engine": { "name": "cve-database.git:bin/generate-csaf.pl", "version": "1" } }, "id": "SUSE-SU-2023:4909-1", "initial_release_date": "2023-12-19T15:01:47Z", "revision_history": [ { "date": "2023-12-19T15:01:47Z", "number": "1", "summary": "Current version" } ], "status": "final", "version": "1" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_version", "name": "python-aiohttp-doc-3.6.0-150100.3.12.1.aarch64", "product": { "name": "python-aiohttp-doc-3.6.0-150100.3.12.1.aarch64", "product_id": "python-aiohttp-doc-3.6.0-150100.3.12.1.aarch64" } }, { "category": "product_version", "name": "python3-aiohttp-3.6.0-150100.3.12.1.aarch64", "product": { "name": "python3-aiohttp-3.6.0-150100.3.12.1.aarch64", "product_id": "python3-aiohttp-3.6.0-150100.3.12.1.aarch64" } } ], "category": "architecture", "name": "aarch64" }, { "branches": [ { "category": "product_version", "name": "python-aiohttp-doc-3.6.0-150100.3.12.1.i586", "product": { "name": "python-aiohttp-doc-3.6.0-150100.3.12.1.i586", "product_id": "python-aiohttp-doc-3.6.0-150100.3.12.1.i586" } }, { "category": "product_version", "name": "python3-aiohttp-3.6.0-150100.3.12.1.i586", "product": { "name": "python3-aiohttp-3.6.0-150100.3.12.1.i586", "product_id": "python3-aiohttp-3.6.0-150100.3.12.1.i586" } } ], "category": "architecture", "name": "i586" }, { "branches": [ { "category": "product_version", "name": "python-aiohttp-doc-3.6.0-150100.3.12.1.ppc64le", "product": { "name": 
"python-aiohttp-doc-3.6.0-150100.3.12.1.ppc64le", "product_id": "python-aiohttp-doc-3.6.0-150100.3.12.1.ppc64le" } }, { "category": "product_version", "name": "python3-aiohttp-3.6.0-150100.3.12.1.ppc64le", "product": { "name": "python3-aiohttp-3.6.0-150100.3.12.1.ppc64le", "product_id": "python3-aiohttp-3.6.0-150100.3.12.1.ppc64le" } } ], "category": "architecture", "name": "ppc64le" }, { "branches": [ { "category": "product_version", "name": "python-aiohttp-doc-3.6.0-150100.3.12.1.s390x", "product": { "name": "python-aiohttp-doc-3.6.0-150100.3.12.1.s390x", "product_id": "python-aiohttp-doc-3.6.0-150100.3.12.1.s390x" } }, { "category": "product_version", "name": "python3-aiohttp-3.6.0-150100.3.12.1.s390x", "product": { "name": "python3-aiohttp-3.6.0-150100.3.12.1.s390x", "product_id": "python3-aiohttp-3.6.0-150100.3.12.1.s390x" } } ], "category": "architecture", "name": "s390x" }, { "branches": [ { "category": "product_version", "name": "python-aiohttp-doc-3.6.0-150100.3.12.1.x86_64", "product": { "name": "python-aiohttp-doc-3.6.0-150100.3.12.1.x86_64", "product_id": "python-aiohttp-doc-3.6.0-150100.3.12.1.x86_64" } }, { "category": "product_version", "name": "python3-aiohttp-3.6.0-150100.3.12.1.x86_64", "product": { "name": "python3-aiohttp-3.6.0-150100.3.12.1.x86_64", "product_id": "python3-aiohttp-3.6.0-150100.3.12.1.x86_64" } } ], "category": "architecture", "name": "x86_64" }, { "branches": [ { "category": "product_name", "name": "SUSE Linux Enterprise Module for Public Cloud 15 SP1", "product": { "name": "SUSE Linux Enterprise Module for Public Cloud 15 SP1", "product_id": "SUSE Linux Enterprise Module for Public Cloud 15 SP1", "product_identification_helper": { "cpe": "cpe:/o:suse:sle-module-public-cloud:15:sp1" } } }, { "category": "product_name", "name": "SUSE Linux Enterprise Module for Public Cloud 15 SP2", "product": { "name": "SUSE Linux Enterprise Module for Public Cloud 15 SP2", "product_id": "SUSE Linux Enterprise Module for Public Cloud 15 SP2", 
"product_identification_helper": { "cpe": "cpe:/o:suse:sle-module-public-cloud:15:sp2" } } }, { "category": "product_name", "name": "SUSE Linux Enterprise Module for Public Cloud 15 SP3", "product": { "name": "SUSE Linux Enterprise Module for Public Cloud 15 SP3", "product_id": "SUSE Linux Enterprise Module for Public Cloud 15 SP3", "product_identification_helper": { "cpe": "cpe:/o:suse:sle-module-public-cloud:15:sp3" } } }, { "category": "product_name", "name": "SUSE Linux Enterprise Module for Public Cloud 15 SP4", "product": { "name": "SUSE Linux Enterprise Module for Public Cloud 15 SP4", "product_id": "SUSE Linux Enterprise Module for Public Cloud 15 SP4", "product_identification_helper": { "cpe": "cpe:/o:suse:sle-module-public-cloud:15:sp4" } } }, { "category": "product_name", "name": "SUSE Linux Enterprise Module for Public Cloud 15 SP5", "product": { "name": "SUSE Linux Enterprise Module for Public Cloud 15 SP5", "product_id": "SUSE Linux Enterprise Module for Public Cloud 15 SP5", "product_identification_helper": { "cpe": "cpe:/o:suse:sle-module-public-cloud:15:sp5" } } }, { "category": "product_name", "name": "openSUSE Leap 15.4", "product": { "name": "openSUSE Leap 15.4", "product_id": "openSUSE Leap 15.4", "product_identification_helper": { "cpe": "cpe:/o:opensuse:leap:15.4" } } }, { "category": "product_name", "name": "openSUSE Leap 15.5", "product": { "name": "openSUSE Leap 15.5", "product_id": "openSUSE Leap 15.5", "product_identification_helper": { "cpe": "cpe:/o:opensuse:leap:15.5" } } } ], "category": "product_family", "name": "SUSE Linux Enterprise" } ], "category": "vendor", "name": "SUSE" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "python-aiohttp-doc-3.6.0-150100.3.12.1.aarch64 as component of SUSE Linux Enterprise Module for Public Cloud 15 SP1", "product_id": "SUSE Linux Enterprise Module for Public Cloud 15 SP1:python-aiohttp-doc-3.6.0-150100.3.12.1.aarch64" }, "product_reference": 
"python-aiohttp-doc-3.6.0-150100.3.12.1.aarch64", "relates_to_product_reference": "SUSE Linux Enterprise Module for Public Cloud 15 SP1" }, { "category": "default_component_of", "full_product_name": { "name": "python-aiohttp-doc-3.6.0-150100.3.12.1.ppc64le as component of SUSE Linux Enterprise Module for Public Cloud 15 SP1", "product_id": "SUSE Linux Enterprise Module for Public Cloud 15 SP1:python-aiohttp-doc-3.6.0-150100.3.12.1.ppc64le" }, "product_reference": "python-aiohttp-doc-3.6.0-150100.3.12.1.ppc64le", "relates_to_product_reference": "SUSE Linux Enterprise Module for Public Cloud 15 SP1" }, { "category": "default_component_of", "full_product_name": { "name": "python-aiohttp-doc-3.6.0-150100.3.12.1.s390x as component of SUSE Linux Enterprise Module for Public Cloud 15 SP1", "product_id": "SUSE Linux Enterprise Module for Public Cloud 15 SP1:python-aiohttp-doc-3.6.0-150100.3.12.1.s390x" }, "product_reference": "python-aiohttp-doc-3.6.0-150100.3.12.1.s390x", "relates_to_product_reference": "SUSE Linux Enterprise Module for Public Cloud 15 SP1" }, { "category": "default_component_of", "full_product_name": { "name": "python-aiohttp-doc-3.6.0-150100.3.12.1.x86_64 as component of SUSE Linux Enterprise Module for Public Cloud 15 SP1", "product_id": "SUSE Linux Enterprise Module for Public Cloud 15 SP1:python-aiohttp-doc-3.6.0-150100.3.12.1.x86_64" }, "product_reference": "python-aiohttp-doc-3.6.0-150100.3.12.1.x86_64", "relates_to_product_reference": "SUSE Linux Enterprise Module for Public Cloud 15 SP1" }, { "category": "default_component_of", "full_product_name": { "name": "python3-aiohttp-3.6.0-150100.3.12.1.aarch64 as component of SUSE Linux Enterprise Module for Public Cloud 15 SP1", "product_id": "SUSE Linux Enterprise Module for Public Cloud 15 SP1:python3-aiohttp-3.6.0-150100.3.12.1.aarch64" }, "product_reference": "python3-aiohttp-3.6.0-150100.3.12.1.aarch64", "relates_to_product_reference": "SUSE Linux Enterprise Module for Public Cloud 15 SP1" }, { 
"category": "default_component_of", "full_product_name": { "name": "python3-aiohttp-3.6.0-150100.3.12.1.ppc64le as component of SUSE Linux Enterprise Module for Public Cloud 15 SP1", "product_id": "SUSE Linux Enterprise Module for Public Cloud 15 SP1:python3-aiohttp-3.6.0-150100.3.12.1.ppc64le" }, "product_reference": "python3-aiohttp-3.6.0-150100.3.12.1.ppc64le", "relates_to_product_reference": "SUSE Linux Enterprise Module for Public Cloud 15 SP1" }, { "category": "default_component_of", "full_product_name": { "name": "python3-aiohttp-3.6.0-150100.3.12.1.s390x as component of SUSE Linux Enterprise Module for Public Cloud 15 SP1", "product_id": "SUSE Linux Enterprise Module for Public Cloud 15 SP1:python3-aiohttp-3.6.0-150100.3.12.1.s390x" }, "product_reference": "python3-aiohttp-3.6.0-150100.3.12.1.s390x", "relates_to_product_reference": "SUSE Linux Enterprise Module for Public Cloud 15 SP1" }, { "category": "default_component_of", "full_product_name": { "name": "python3-aiohttp-3.6.0-150100.3.12.1.x86_64 as component of SUSE Linux Enterprise Module for Public Cloud 15 SP1", "product_id": "SUSE Linux Enterprise Module for Public Cloud 15 SP1:python3-aiohttp-3.6.0-150100.3.12.1.x86_64" }, "product_reference": "python3-aiohttp-3.6.0-150100.3.12.1.x86_64", "relates_to_product_reference": "SUSE Linux Enterprise Module for Public Cloud 15 SP1" }, { "category": "default_component_of", "full_product_name": { "name": "python-aiohttp-doc-3.6.0-150100.3.12.1.aarch64 as component of SUSE Linux Enterprise Module for Public Cloud 15 SP2", "product_id": "SUSE Linux Enterprise Module for Public Cloud 15 SP2:python-aiohttp-doc-3.6.0-150100.3.12.1.aarch64" }, "product_reference": "python-aiohttp-doc-3.6.0-150100.3.12.1.aarch64", "relates_to_product_reference": "SUSE Linux Enterprise Module for Public Cloud 15 SP2" }, { "category": "default_component_of", "full_product_name": { "name": "python-aiohttp-doc-3.6.0-150100.3.12.1.ppc64le as component of SUSE Linux Enterprise Module for 
Public Cloud 15 SP2", "product_id": "SUSE Linux Enterprise Module for Public Cloud 15 SP2:python-aiohttp-doc-3.6.0-150100.3.12.1.ppc64le" }, "product_reference": "python-aiohttp-doc-3.6.0-150100.3.12.1.ppc64le", "relates_to_product_reference": "SUSE Linux Enterprise Module for Public Cloud 15 SP2" }, { "category": "default_component_of", "full_product_name": { "name": "python-aiohttp-doc-3.6.0-150100.3.12.1.s390x as component of SUSE Linux Enterprise Module for Public Cloud 15 SP2", "product_id": "SUSE Linux Enterprise Module for Public Cloud 15 SP2:python-aiohttp-doc-3.6.0-150100.3.12.1.s390x" }, "product_reference": "python-aiohttp-doc-3.6.0-150100.3.12.1.s390x", "relates_to_product_reference": "SUSE Linux Enterprise Module for Public Cloud 15 SP2" }, { "category": "default_component_of", "full_product_name": { "name": "python-aiohttp-doc-3.6.0-150100.3.12.1.x86_64 as component of SUSE Linux Enterprise Module for Public Cloud 15 SP2", "product_id": "SUSE Linux Enterprise Module for Public Cloud 15 SP2:python-aiohttp-doc-3.6.0-150100.3.12.1.x86_64" }, "product_reference": "python-aiohttp-doc-3.6.0-150100.3.12.1.x86_64", "relates_to_product_reference": "SUSE Linux Enterprise Module for Public Cloud 15 SP2" }, { "category": "default_component_of", "full_product_name": { "name": "python3-aiohttp-3.6.0-150100.3.12.1.aarch64 as component of SUSE Linux Enterprise Module for Public Cloud 15 SP2", "product_id": "SUSE Linux Enterprise Module for Public Cloud 15 SP2:python3-aiohttp-3.6.0-150100.3.12.1.aarch64" }, "product_reference": "python3-aiohttp-3.6.0-150100.3.12.1.aarch64", "relates_to_product_reference": "SUSE Linux Enterprise Module for Public Cloud 15 SP2" }, { "category": "default_component_of", "full_product_name": { "name": "python3-aiohttp-3.6.0-150100.3.12.1.ppc64le as component of SUSE Linux Enterprise Module for Public Cloud 15 SP2", "product_id": "SUSE Linux Enterprise Module for Public Cloud 15 SP2:python3-aiohttp-3.6.0-150100.3.12.1.ppc64le" }, 
"product_reference": "python3-aiohttp-3.6.0-150100.3.12.1.ppc64le", "relates_to_product_reference": "SUSE Linux Enterprise Module for Public Cloud 15 SP2" }, { "category": "default_component_of", "full_product_name": { "name": "python3-aiohttp-3.6.0-150100.3.12.1.s390x as component of SUSE Linux Enterprise Module for Public Cloud 15 SP2", "product_id": "SUSE Linux Enterprise Module for Public Cloud 15 SP2:python3-aiohttp-3.6.0-150100.3.12.1.s390x" }, "product_reference": "python3-aiohttp-3.6.0-150100.3.12.1.s390x", "relates_to_product_reference": "SUSE Linux Enterprise Module for Public Cloud 15 SP2" }, { "category": "default_component_of", "full_product_name": { "name": "python3-aiohttp-3.6.0-150100.3.12.1.x86_64 as component of SUSE Linux Enterprise Module for Public Cloud 15 SP2", "product_id": "SUSE Linux Enterprise Module for Public Cloud 15 SP2:python3-aiohttp-3.6.0-150100.3.12.1.x86_64" }, "product_reference": "python3-aiohttp-3.6.0-150100.3.12.1.x86_64", "relates_to_product_reference": "SUSE Linux Enterprise Module for Public Cloud 15 SP2" }, { "category": "default_component_of", "full_product_name": { "name": "python3-aiohttp-3.6.0-150100.3.12.1.aarch64 as component of SUSE Linux Enterprise Module for Public Cloud 15 SP3", "product_id": "SUSE Linux Enterprise Module for Public Cloud 15 SP3:python3-aiohttp-3.6.0-150100.3.12.1.aarch64" }, "product_reference": "python3-aiohttp-3.6.0-150100.3.12.1.aarch64", "relates_to_product_reference": "SUSE Linux Enterprise Module for Public Cloud 15 SP3" }, { "category": "default_component_of", "full_product_name": { "name": "python3-aiohttp-3.6.0-150100.3.12.1.ppc64le as component of SUSE Linux Enterprise Module for Public Cloud 15 SP3", "product_id": "SUSE Linux Enterprise Module for Public Cloud 15 SP3:python3-aiohttp-3.6.0-150100.3.12.1.ppc64le" }, "product_reference": "python3-aiohttp-3.6.0-150100.3.12.1.ppc64le", "relates_to_product_reference": "SUSE Linux Enterprise Module for Public Cloud 15 SP3" }, { "category": 
"default_component_of", "full_product_name": { "name": "python3-aiohttp-3.6.0-150100.3.12.1.s390x as component of SUSE Linux Enterprise Module for Public Cloud 15 SP3", "product_id": "SUSE Linux Enterprise Module for Public Cloud 15 SP3:python3-aiohttp-3.6.0-150100.3.12.1.s390x" }, "product_reference": "python3-aiohttp-3.6.0-150100.3.12.1.s390x", "relates_to_product_reference": "SUSE Linux Enterprise Module for Public Cloud 15 SP3" }, { "category": "default_component_of", "full_product_name": { "name": "python3-aiohttp-3.6.0-150100.3.12.1.x86_64 as component of SUSE Linux Enterprise Module for Public Cloud 15 SP3", "product_id": "SUSE Linux Enterprise Module for Public Cloud 15 SP3:python3-aiohttp-3.6.0-150100.3.12.1.x86_64" }, "product_reference": "python3-aiohttp-3.6.0-150100.3.12.1.x86_64", "relates_to_product_reference": "SUSE Linux Enterprise Module for Public Cloud 15 SP3" }, { "category": "default_component_of", "full_product_name": { "name": "python3-aiohttp-3.6.0-150100.3.12.1.aarch64 as component of SUSE Linux Enterprise Module for Public Cloud 15 SP4", "product_id": "SUSE Linux Enterprise Module for Public Cloud 15 SP4:python3-aiohttp-3.6.0-150100.3.12.1.aarch64" }, "product_reference": "python3-aiohttp-3.6.0-150100.3.12.1.aarch64", "relates_to_product_reference": "SUSE Linux Enterprise Module for Public Cloud 15 SP4" }, { "category": "default_component_of", "full_product_name": { "name": "python3-aiohttp-3.6.0-150100.3.12.1.ppc64le as component of SUSE Linux Enterprise Module for Public Cloud 15 SP4", "product_id": "SUSE Linux Enterprise Module for Public Cloud 15 SP4:python3-aiohttp-3.6.0-150100.3.12.1.ppc64le" }, "product_reference": "python3-aiohttp-3.6.0-150100.3.12.1.ppc64le", "relates_to_product_reference": "SUSE Linux Enterprise Module for Public Cloud 15 SP4" }, { "category": "default_component_of", "full_product_name": { "name": "python3-aiohttp-3.6.0-150100.3.12.1.s390x as component of SUSE Linux Enterprise Module for Public Cloud 15 SP4", 
"product_id": "SUSE Linux Enterprise Module for Public Cloud 15 SP4:python3-aiohttp-3.6.0-150100.3.12.1.s390x" }, "product_reference": "python3-aiohttp-3.6.0-150100.3.12.1.s390x", "relates_to_product_reference": "SUSE Linux Enterprise Module for Public Cloud 15 SP4" }, { "category": "default_component_of", "full_product_name": { "name": "python3-aiohttp-3.6.0-150100.3.12.1.x86_64 as component of SUSE Linux Enterprise Module for Public Cloud 15 SP4", "product_id": "SUSE Linux Enterprise Module for Public Cloud 15 SP4:python3-aiohttp-3.6.0-150100.3.12.1.x86_64" }, "product_reference": "python3-aiohttp-3.6.0-150100.3.12.1.x86_64", "relates_to_product_reference": "SUSE Linux Enterprise Module for Public Cloud 15 SP4" }, { "category": "default_component_of", "full_product_name": { "name": "python3-aiohttp-3.6.0-150100.3.12.1.aarch64 as component of SUSE Linux Enterprise Module for Public Cloud 15 SP5", "product_id": "SUSE Linux Enterprise Module for Public Cloud 15 SP5:python3-aiohttp-3.6.0-150100.3.12.1.aarch64" }, "product_reference": "python3-aiohttp-3.6.0-150100.3.12.1.aarch64", "relates_to_product_reference": "SUSE Linux Enterprise Module for Public Cloud 15 SP5" }, { "category": "default_component_of", "full_product_name": { "name": "python3-aiohttp-3.6.0-150100.3.12.1.ppc64le as component of SUSE Linux Enterprise Module for Public Cloud 15 SP5", "product_id": "SUSE Linux Enterprise Module for Public Cloud 15 SP5:python3-aiohttp-3.6.0-150100.3.12.1.ppc64le" }, "product_reference": "python3-aiohttp-3.6.0-150100.3.12.1.ppc64le", "relates_to_product_reference": "SUSE Linux Enterprise Module for Public Cloud 15 SP5" }, { "category": "default_component_of", "full_product_name": { "name": "python3-aiohttp-3.6.0-150100.3.12.1.s390x as component of SUSE Linux Enterprise Module for Public Cloud 15 SP5", "product_id": "SUSE Linux Enterprise Module for Public Cloud 15 SP5:python3-aiohttp-3.6.0-150100.3.12.1.s390x" }, "product_reference": 
"python3-aiohttp-3.6.0-150100.3.12.1.s390x", "relates_to_product_reference": "SUSE Linux Enterprise Module for Public Cloud 15 SP5" }, { "category": "default_component_of", "full_product_name": { "name": "python3-aiohttp-3.6.0-150100.3.12.1.x86_64 as component of SUSE Linux Enterprise Module for Public Cloud 15 SP5", "product_id": "SUSE Linux Enterprise Module for Public Cloud 15 SP5:python3-aiohttp-3.6.0-150100.3.12.1.x86_64" }, "product_reference": "python3-aiohttp-3.6.0-150100.3.12.1.x86_64", "relates_to_product_reference": "SUSE Linux Enterprise Module for Public Cloud 15 SP5" }, { "category": "default_component_of", "full_product_name": { "name": "python-aiohttp-doc-3.6.0-150100.3.12.1.aarch64 as component of openSUSE Leap 15.4", "product_id": "openSUSE Leap 15.4:python-aiohttp-doc-3.6.0-150100.3.12.1.aarch64" }, "product_reference": "python-aiohttp-doc-3.6.0-150100.3.12.1.aarch64", "relates_to_product_reference": "openSUSE Leap 15.4" }, { "category": "default_component_of", "full_product_name": { "name": "python-aiohttp-doc-3.6.0-150100.3.12.1.ppc64le as component of openSUSE Leap 15.4", "product_id": "openSUSE Leap 15.4:python-aiohttp-doc-3.6.0-150100.3.12.1.ppc64le" }, "product_reference": "python-aiohttp-doc-3.6.0-150100.3.12.1.ppc64le", "relates_to_product_reference": "openSUSE Leap 15.4" }, { "category": "default_component_of", "full_product_name": { "name": "python-aiohttp-doc-3.6.0-150100.3.12.1.s390x as component of openSUSE Leap 15.4", "product_id": "openSUSE Leap 15.4:python-aiohttp-doc-3.6.0-150100.3.12.1.s390x" }, "product_reference": "python-aiohttp-doc-3.6.0-150100.3.12.1.s390x", "relates_to_product_reference": "openSUSE Leap 15.4" }, { "category": "default_component_of", "full_product_name": { "name": "python-aiohttp-doc-3.6.0-150100.3.12.1.x86_64 as component of openSUSE Leap 15.4", "product_id": "openSUSE Leap 15.4:python-aiohttp-doc-3.6.0-150100.3.12.1.x86_64" }, "product_reference": "python-aiohttp-doc-3.6.0-150100.3.12.1.x86_64", 
"relates_to_product_reference": "openSUSE Leap 15.4" }, { "category": "default_component_of", "full_product_name": { "name": "python3-aiohttp-3.6.0-150100.3.12.1.aarch64 as component of openSUSE Leap 15.4", "product_id": "openSUSE Leap 15.4:python3-aiohttp-3.6.0-150100.3.12.1.aarch64" }, "product_reference": "python3-aiohttp-3.6.0-150100.3.12.1.aarch64", "relates_to_product_reference": "openSUSE Leap 15.4" }, { "category": "default_component_of", "full_product_name": { "name": "python3-aiohttp-3.6.0-150100.3.12.1.ppc64le as component of openSUSE Leap 15.4", "product_id": "openSUSE Leap 15.4:python3-aiohttp-3.6.0-150100.3.12.1.ppc64le" }, "product_reference": "python3-aiohttp-3.6.0-150100.3.12.1.ppc64le", "relates_to_product_reference": "openSUSE Leap 15.4" }, { "category": "default_component_of", "full_product_name": { "name": "python3-aiohttp-3.6.0-150100.3.12.1.s390x as component of openSUSE Leap 15.4", "product_id": "openSUSE Leap 15.4:python3-aiohttp-3.6.0-150100.3.12.1.s390x" }, "product_reference": "python3-aiohttp-3.6.0-150100.3.12.1.s390x", "relates_to_product_reference": "openSUSE Leap 15.4" }, { "category": "default_component_of", "full_product_name": { "name": "python3-aiohttp-3.6.0-150100.3.12.1.x86_64 as component of openSUSE Leap 15.4", "product_id": "openSUSE Leap 15.4:python3-aiohttp-3.6.0-150100.3.12.1.x86_64" }, "product_reference": "python3-aiohttp-3.6.0-150100.3.12.1.x86_64", "relates_to_product_reference": "openSUSE Leap 15.4" }, { "category": "default_component_of", "full_product_name": { "name": "python-aiohttp-doc-3.6.0-150100.3.12.1.aarch64 as component of openSUSE Leap 15.5", "product_id": "openSUSE Leap 15.5:python-aiohttp-doc-3.6.0-150100.3.12.1.aarch64" }, "product_reference": "python-aiohttp-doc-3.6.0-150100.3.12.1.aarch64", "relates_to_product_reference": "openSUSE Leap 15.5" }, { "category": "default_component_of", "full_product_name": { "name": "python-aiohttp-doc-3.6.0-150100.3.12.1.ppc64le as component of openSUSE Leap 15.5", 
"product_id": "openSUSE Leap 15.5:python-aiohttp-doc-3.6.0-150100.3.12.1.ppc64le" }, "product_reference": "python-aiohttp-doc-3.6.0-150100.3.12.1.ppc64le", "relates_to_product_reference": "openSUSE Leap 15.5" }, { "category": "default_component_of", "full_product_name": { "name": "python-aiohttp-doc-3.6.0-150100.3.12.1.s390x as component of openSUSE Leap 15.5", "product_id": "openSUSE Leap 15.5:python-aiohttp-doc-3.6.0-150100.3.12.1.s390x" }, "product_reference": "python-aiohttp-doc-3.6.0-150100.3.12.1.s390x", "relates_to_product_reference": "openSUSE Leap 15.5" }, { "category": "default_component_of", "full_product_name": { "name": "python-aiohttp-doc-3.6.0-150100.3.12.1.x86_64 as component of openSUSE Leap 15.5", "product_id": "openSUSE Leap 15.5:python-aiohttp-doc-3.6.0-150100.3.12.1.x86_64" }, "product_reference": "python-aiohttp-doc-3.6.0-150100.3.12.1.x86_64", "relates_to_product_reference": "openSUSE Leap 15.5" }, { "category": "default_component_of", "full_product_name": { "name": "python3-aiohttp-3.6.0-150100.3.12.1.aarch64 as component of openSUSE Leap 15.5", "product_id": "openSUSE Leap 15.5:python3-aiohttp-3.6.0-150100.3.12.1.aarch64" }, "product_reference": "python3-aiohttp-3.6.0-150100.3.12.1.aarch64", "relates_to_product_reference": "openSUSE Leap 15.5" }, { "category": "default_component_of", "full_product_name": { "name": "python3-aiohttp-3.6.0-150100.3.12.1.ppc64le as component of openSUSE Leap 15.5", "product_id": "openSUSE Leap 15.5:python3-aiohttp-3.6.0-150100.3.12.1.ppc64le" }, "product_reference": "python3-aiohttp-3.6.0-150100.3.12.1.ppc64le", "relates_to_product_reference": "openSUSE Leap 15.5" }, { "category": "default_component_of", "full_product_name": { "name": "python3-aiohttp-3.6.0-150100.3.12.1.s390x as component of openSUSE Leap 15.5", "product_id": "openSUSE Leap 15.5:python3-aiohttp-3.6.0-150100.3.12.1.s390x" }, "product_reference": "python3-aiohttp-3.6.0-150100.3.12.1.s390x", "relates_to_product_reference": "openSUSE Leap 15.5" }, 
{ "category": "default_component_of", "full_product_name": { "name": "python3-aiohttp-3.6.0-150100.3.12.1.x86_64 as component of openSUSE Leap 15.5", "product_id": "openSUSE Leap 15.5:python3-aiohttp-3.6.0-150100.3.12.1.x86_64" }, "product_reference": "python3-aiohttp-3.6.0-150100.3.12.1.x86_64", "relates_to_product_reference": "openSUSE Leap 15.5" } ] }, "vulnerabilities": [ { "cve": "CVE-2023-47641", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2023-47641" } ], "notes": [ { "category": "general", "text": "aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Affected versions of aiohttp have a security vulnerability regarding the inconsistent interpretation of the http protocol. HTTP/1.1 is a persistent protocol, if both Content-Length(CL) and Transfer-Encoding(TE) header values are present it can lead to incorrect interpretation of two entities that parse the HTTP and we can poison other sockets with this incorrect interpretation. A possible Proof-of-Concept (POC) would be a configuration with a reverse proxy(frontend) that accepts both CL and TE headers and aiohttp as backend. As aiohttp parses anything with chunked, we can pass a chunked123 as TE, the frontend entity will ignore this header and will parse Content-Length. The impact of this vulnerability is that it is possible to bypass any proxy rule, poisoning sockets to other users like passing Authentication Headers, also if it is present an Open Redirect an attacker could combine it to redirect random users to another website and log the request. This vulnerability has been addressed in release 3.8.0 of aiohttp. Users are advised to upgrade. 
There are no known workarounds for this vulnerability.", "title": "CVE description" } ], "product_status": { "recommended": [ "SUSE Linux Enterprise Module for Public Cloud 15 SP1:python-aiohttp-doc-3.6.0-150100.3.12.1.aarch64", "SUSE Linux Enterprise Module for Public Cloud 15 SP1:python-aiohttp-doc-3.6.0-150100.3.12.1.ppc64le", "SUSE Linux Enterprise Module for Public Cloud 15 SP1:python-aiohttp-doc-3.6.0-150100.3.12.1.s390x", "SUSE Linux Enterprise Module for Public Cloud 15 SP1:python-aiohttp-doc-3.6.0-150100.3.12.1.x86_64", "SUSE Linux Enterprise Module for Public Cloud 15 SP1:python3-aiohttp-3.6.0-150100.3.12.1.aarch64", "SUSE Linux Enterprise Module for Public Cloud 15 SP1:python3-aiohttp-3.6.0-150100.3.12.1.ppc64le", "SUSE Linux Enterprise Module for Public Cloud 15 SP1:python3-aiohttp-3.6.0-150100.3.12.1.s390x", "SUSE Linux Enterprise Module for Public Cloud 15 SP1:python3-aiohttp-3.6.0-150100.3.12.1.x86_64", "SUSE Linux Enterprise Module for Public Cloud 15 SP2:python-aiohttp-doc-3.6.0-150100.3.12.1.aarch64", "SUSE Linux Enterprise Module for Public Cloud 15 SP2:python-aiohttp-doc-3.6.0-150100.3.12.1.ppc64le", "SUSE Linux Enterprise Module for Public Cloud 15 SP2:python-aiohttp-doc-3.6.0-150100.3.12.1.s390x", "SUSE Linux Enterprise Module for Public Cloud 15 SP2:python-aiohttp-doc-3.6.0-150100.3.12.1.x86_64", "SUSE Linux Enterprise Module for Public Cloud 15 SP2:python3-aiohttp-3.6.0-150100.3.12.1.aarch64", "SUSE Linux Enterprise Module for Public Cloud 15 SP2:python3-aiohttp-3.6.0-150100.3.12.1.ppc64le", "SUSE Linux Enterprise Module for Public Cloud 15 SP2:python3-aiohttp-3.6.0-150100.3.12.1.s390x", "SUSE Linux Enterprise Module for Public Cloud 15 SP2:python3-aiohttp-3.6.0-150100.3.12.1.x86_64", "SUSE Linux Enterprise Module for Public Cloud 15 SP3:python3-aiohttp-3.6.0-150100.3.12.1.aarch64", "SUSE Linux Enterprise Module for Public Cloud 15 SP3:python3-aiohttp-3.6.0-150100.3.12.1.ppc64le", "SUSE Linux Enterprise Module for Public Cloud 15 
SP3:python3-aiohttp-3.6.0-150100.3.12.1.s390x", "SUSE Linux Enterprise Module for Public Cloud 15 SP3:python3-aiohttp-3.6.0-150100.3.12.1.x86_64", "SUSE Linux Enterprise Module for Public Cloud 15 SP4:python3-aiohttp-3.6.0-150100.3.12.1.aarch64", "SUSE Linux Enterprise Module for Public Cloud 15 SP4:python3-aiohttp-3.6.0-150100.3.12.1.ppc64le", "SUSE Linux Enterprise Module for Public Cloud 15 SP4:python3-aiohttp-3.6.0-150100.3.12.1.s390x", "SUSE Linux Enterprise Module for Public Cloud 15 SP4:python3-aiohttp-3.6.0-150100.3.12.1.x86_64", "SUSE Linux Enterprise Module for Public Cloud 15 SP5:python3-aiohttp-3.6.0-150100.3.12.1.aarch64", "SUSE Linux Enterprise Module for Public Cloud 15 SP5:python3-aiohttp-3.6.0-150100.3.12.1.ppc64le", "SUSE Linux Enterprise Module for Public Cloud 15 SP5:python3-aiohttp-3.6.0-150100.3.12.1.s390x", "SUSE Linux Enterprise Module for Public Cloud 15 SP5:python3-aiohttp-3.6.0-150100.3.12.1.x86_64", "openSUSE Leap 15.4:python-aiohttp-doc-3.6.0-150100.3.12.1.aarch64", "openSUSE Leap 15.4:python-aiohttp-doc-3.6.0-150100.3.12.1.ppc64le", "openSUSE Leap 15.4:python-aiohttp-doc-3.6.0-150100.3.12.1.s390x", "openSUSE Leap 15.4:python-aiohttp-doc-3.6.0-150100.3.12.1.x86_64", "openSUSE Leap 15.4:python3-aiohttp-3.6.0-150100.3.12.1.aarch64", "openSUSE Leap 15.4:python3-aiohttp-3.6.0-150100.3.12.1.ppc64le", "openSUSE Leap 15.4:python3-aiohttp-3.6.0-150100.3.12.1.s390x", "openSUSE Leap 15.4:python3-aiohttp-3.6.0-150100.3.12.1.x86_64", "openSUSE Leap 15.5:python-aiohttp-doc-3.6.0-150100.3.12.1.aarch64", "openSUSE Leap 15.5:python-aiohttp-doc-3.6.0-150100.3.12.1.ppc64le", "openSUSE Leap 15.5:python-aiohttp-doc-3.6.0-150100.3.12.1.s390x", "openSUSE Leap 15.5:python-aiohttp-doc-3.6.0-150100.3.12.1.x86_64", "openSUSE Leap 15.5:python3-aiohttp-3.6.0-150100.3.12.1.aarch64", "openSUSE Leap 15.5:python3-aiohttp-3.6.0-150100.3.12.1.ppc64le", "openSUSE Leap 15.5:python3-aiohttp-3.6.0-150100.3.12.1.s390x", "openSUSE Leap 
15.5:python3-aiohttp-3.6.0-150100.3.12.1.x86_64" ] }, "references": [ { "category": "external", "summary": "CVE-2023-47641", "url": "https://www.suse.com/security/cve/CVE-2023-47641" }, { "category": "external", "summary": "SUSE Bug 1217174 for CVE-2023-47641", "url": "https://bugzilla.suse.com/1217174" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "SUSE Linux Enterprise Module for Public Cloud 15 SP1:python-aiohttp-doc-3.6.0-150100.3.12.1.aarch64", "SUSE Linux Enterprise Module for Public Cloud 15 SP1:python-aiohttp-doc-3.6.0-150100.3.12.1.ppc64le", "SUSE Linux Enterprise Module for Public Cloud 15 SP1:python-aiohttp-doc-3.6.0-150100.3.12.1.s390x", "SUSE Linux Enterprise Module for Public Cloud 15 SP1:python-aiohttp-doc-3.6.0-150100.3.12.1.x86_64", "SUSE Linux Enterprise Module for Public Cloud 15 SP1:python3-aiohttp-3.6.0-150100.3.12.1.aarch64", "SUSE Linux Enterprise Module for Public Cloud 15 SP1:python3-aiohttp-3.6.0-150100.3.12.1.ppc64le", "SUSE Linux Enterprise Module for Public Cloud 15 SP1:python3-aiohttp-3.6.0-150100.3.12.1.s390x", "SUSE Linux Enterprise Module for Public Cloud 15 SP1:python3-aiohttp-3.6.0-150100.3.12.1.x86_64", "SUSE Linux Enterprise Module for Public Cloud 15 SP2:python-aiohttp-doc-3.6.0-150100.3.12.1.aarch64", "SUSE Linux Enterprise Module for Public Cloud 15 SP2:python-aiohttp-doc-3.6.0-150100.3.12.1.ppc64le", "SUSE Linux Enterprise Module for Public Cloud 15 SP2:python-aiohttp-doc-3.6.0-150100.3.12.1.s390x", "SUSE Linux Enterprise Module for Public Cloud 15 SP2:python-aiohttp-doc-3.6.0-150100.3.12.1.x86_64", "SUSE Linux Enterprise Module for Public Cloud 15 SP2:python3-aiohttp-3.6.0-150100.3.12.1.aarch64", "SUSE Linux Enterprise Module for Public Cloud 15 SP2:python3-aiohttp-3.6.0-150100.3.12.1.ppc64le", "SUSE Linux Enterprise Module for Public Cloud 15 
SP2:python3-aiohttp-3.6.0-150100.3.12.1.s390x", "SUSE Linux Enterprise Module for Public Cloud 15 SP2:python3-aiohttp-3.6.0-150100.3.12.1.x86_64", "SUSE Linux Enterprise Module for Public Cloud 15 SP3:python3-aiohttp-3.6.0-150100.3.12.1.aarch64", "SUSE Linux Enterprise Module for Public Cloud 15 SP3:python3-aiohttp-3.6.0-150100.3.12.1.ppc64le", "SUSE Linux Enterprise Module for Public Cloud 15 SP3:python3-aiohttp-3.6.0-150100.3.12.1.s390x", "SUSE Linux Enterprise Module for Public Cloud 15 SP3:python3-aiohttp-3.6.0-150100.3.12.1.x86_64", "SUSE Linux Enterprise Module for Public Cloud 15 SP4:python3-aiohttp-3.6.0-150100.3.12.1.aarch64", "SUSE Linux Enterprise Module for Public Cloud 15 SP4:python3-aiohttp-3.6.0-150100.3.12.1.ppc64le", "SUSE Linux Enterprise Module for Public Cloud 15 SP4:python3-aiohttp-3.6.0-150100.3.12.1.s390x", "SUSE Linux Enterprise Module for Public Cloud 15 SP4:python3-aiohttp-3.6.0-150100.3.12.1.x86_64", "SUSE Linux Enterprise Module for Public Cloud 15 SP5:python3-aiohttp-3.6.0-150100.3.12.1.aarch64", "SUSE Linux Enterprise Module for Public Cloud 15 SP5:python3-aiohttp-3.6.0-150100.3.12.1.ppc64le", "SUSE Linux Enterprise Module for Public Cloud 15 SP5:python3-aiohttp-3.6.0-150100.3.12.1.s390x", "SUSE Linux Enterprise Module for Public Cloud 15 SP5:python3-aiohttp-3.6.0-150100.3.12.1.x86_64", "openSUSE Leap 15.4:python-aiohttp-doc-3.6.0-150100.3.12.1.aarch64", "openSUSE Leap 15.4:python-aiohttp-doc-3.6.0-150100.3.12.1.ppc64le", "openSUSE Leap 15.4:python-aiohttp-doc-3.6.0-150100.3.12.1.s390x", "openSUSE Leap 15.4:python-aiohttp-doc-3.6.0-150100.3.12.1.x86_64", "openSUSE Leap 15.4:python3-aiohttp-3.6.0-150100.3.12.1.aarch64", "openSUSE Leap 15.4:python3-aiohttp-3.6.0-150100.3.12.1.ppc64le", "openSUSE Leap 15.4:python3-aiohttp-3.6.0-150100.3.12.1.s390x", "openSUSE Leap 15.4:python3-aiohttp-3.6.0-150100.3.12.1.x86_64", "openSUSE Leap 15.5:python-aiohttp-doc-3.6.0-150100.3.12.1.aarch64", "openSUSE Leap 
15.5:python-aiohttp-doc-3.6.0-150100.3.12.1.ppc64le", "openSUSE Leap 15.5:python-aiohttp-doc-3.6.0-150100.3.12.1.s390x", "openSUSE Leap 15.5:python-aiohttp-doc-3.6.0-150100.3.12.1.x86_64", "openSUSE Leap 15.5:python3-aiohttp-3.6.0-150100.3.12.1.aarch64", "openSUSE Leap 15.5:python3-aiohttp-3.6.0-150100.3.12.1.ppc64le", "openSUSE Leap 15.5:python3-aiohttp-3.6.0-150100.3.12.1.s390x", "openSUSE Leap 15.5:python3-aiohttp-3.6.0-150100.3.12.1.x86_64" ] } ], "scores": [ { "cvss_v3": { "baseScore": 5.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "version": "3.1" }, "products": [ "SUSE Linux Enterprise Module for Public Cloud 15 SP1:python-aiohttp-doc-3.6.0-150100.3.12.1.aarch64", "SUSE Linux Enterprise Module for Public Cloud 15 SP1:python-aiohttp-doc-3.6.0-150100.3.12.1.ppc64le", "SUSE Linux Enterprise Module for Public Cloud 15 SP1:python-aiohttp-doc-3.6.0-150100.3.12.1.s390x", "SUSE Linux Enterprise Module for Public Cloud 15 SP1:python-aiohttp-doc-3.6.0-150100.3.12.1.x86_64", "SUSE Linux Enterprise Module for Public Cloud 15 SP1:python3-aiohttp-3.6.0-150100.3.12.1.aarch64", "SUSE Linux Enterprise Module for Public Cloud 15 SP1:python3-aiohttp-3.6.0-150100.3.12.1.ppc64le", "SUSE Linux Enterprise Module for Public Cloud 15 SP1:python3-aiohttp-3.6.0-150100.3.12.1.s390x", "SUSE Linux Enterprise Module for Public Cloud 15 SP1:python3-aiohttp-3.6.0-150100.3.12.1.x86_64", "SUSE Linux Enterprise Module for Public Cloud 15 SP2:python-aiohttp-doc-3.6.0-150100.3.12.1.aarch64", "SUSE Linux Enterprise Module for Public Cloud 15 SP2:python-aiohttp-doc-3.6.0-150100.3.12.1.ppc64le", "SUSE Linux Enterprise Module for Public Cloud 15 SP2:python-aiohttp-doc-3.6.0-150100.3.12.1.s390x", "SUSE Linux Enterprise Module for Public Cloud 15 SP2:python-aiohttp-doc-3.6.0-150100.3.12.1.x86_64", "SUSE Linux Enterprise Module for Public Cloud 15 SP2:python3-aiohttp-3.6.0-150100.3.12.1.aarch64", "SUSE Linux Enterprise Module for Public Cloud 15 
SP2:python3-aiohttp-3.6.0-150100.3.12.1.ppc64le", "SUSE Linux Enterprise Module for Public Cloud 15 SP2:python3-aiohttp-3.6.0-150100.3.12.1.s390x", "SUSE Linux Enterprise Module for Public Cloud 15 SP2:python3-aiohttp-3.6.0-150100.3.12.1.x86_64", "SUSE Linux Enterprise Module for Public Cloud 15 SP3:python3-aiohttp-3.6.0-150100.3.12.1.aarch64", "SUSE Linux Enterprise Module for Public Cloud 15 SP3:python3-aiohttp-3.6.0-150100.3.12.1.ppc64le", "SUSE Linux Enterprise Module for Public Cloud 15 SP3:python3-aiohttp-3.6.0-150100.3.12.1.s390x", "SUSE Linux Enterprise Module for Public Cloud 15 SP3:python3-aiohttp-3.6.0-150100.3.12.1.x86_64", "SUSE Linux Enterprise Module for Public Cloud 15 SP4:python3-aiohttp-3.6.0-150100.3.12.1.aarch64", "SUSE Linux Enterprise Module for Public Cloud 15 SP4:python3-aiohttp-3.6.0-150100.3.12.1.ppc64le", "SUSE Linux Enterprise Module for Public Cloud 15 SP4:python3-aiohttp-3.6.0-150100.3.12.1.s390x", "SUSE Linux Enterprise Module for Public Cloud 15 SP4:python3-aiohttp-3.6.0-150100.3.12.1.x86_64", "SUSE Linux Enterprise Module for Public Cloud 15 SP5:python3-aiohttp-3.6.0-150100.3.12.1.aarch64", "SUSE Linux Enterprise Module for Public Cloud 15 SP5:python3-aiohttp-3.6.0-150100.3.12.1.ppc64le", "SUSE Linux Enterprise Module for Public Cloud 15 SP5:python3-aiohttp-3.6.0-150100.3.12.1.s390x", "SUSE Linux Enterprise Module for Public Cloud 15 SP5:python3-aiohttp-3.6.0-150100.3.12.1.x86_64", "openSUSE Leap 15.4:python-aiohttp-doc-3.6.0-150100.3.12.1.aarch64", "openSUSE Leap 15.4:python-aiohttp-doc-3.6.0-150100.3.12.1.ppc64le", "openSUSE Leap 15.4:python-aiohttp-doc-3.6.0-150100.3.12.1.s390x", "openSUSE Leap 15.4:python-aiohttp-doc-3.6.0-150100.3.12.1.x86_64", "openSUSE Leap 15.4:python3-aiohttp-3.6.0-150100.3.12.1.aarch64", "openSUSE Leap 15.4:python3-aiohttp-3.6.0-150100.3.12.1.ppc64le", "openSUSE Leap 15.4:python3-aiohttp-3.6.0-150100.3.12.1.s390x", "openSUSE Leap 15.4:python3-aiohttp-3.6.0-150100.3.12.1.x86_64", "openSUSE Leap 
15.5:python-aiohttp-doc-3.6.0-150100.3.12.1.aarch64", "openSUSE Leap 15.5:python-aiohttp-doc-3.6.0-150100.3.12.1.ppc64le", "openSUSE Leap 15.5:python-aiohttp-doc-3.6.0-150100.3.12.1.s390x", "openSUSE Leap 15.5:python-aiohttp-doc-3.6.0-150100.3.12.1.x86_64", "openSUSE Leap 15.5:python3-aiohttp-3.6.0-150100.3.12.1.aarch64", "openSUSE Leap 15.5:python3-aiohttp-3.6.0-150100.3.12.1.ppc64le", "openSUSE Leap 15.5:python3-aiohttp-3.6.0-150100.3.12.1.s390x", "openSUSE Leap 15.5:python3-aiohttp-3.6.0-150100.3.12.1.x86_64" ] } ], "threats": [ { "category": "impact", "date": "2023-12-19T15:01:47Z", "details": "moderate" } ], "title": "CVE-2023-47641" } ] }
suse-su-2024:0577-1
Vulnerability from csaf_suse
Notes
{ "document": { "aggregate_severity": { "namespace": "https://www.suse.com/support/security/rating/", "text": "important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright 2024 SUSE LLC. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "Security update for python-aiohttp, python-time-machine", "title": "Title of the patch" }, { "category": "description", "text": "This update for python-aiohttp, python-time-machine fixes the following issues:\n\npython-aiohttp was updated to version 3.9.3:\n\n* Fixed backwards compatibility breakage (in 3.9.2) of ``ssl`` parameter\n when set outside of ``ClientSession`` (e.g. directly in ``TCPConnector``)\n* Improved test suite handling of paths and temp files to consistently\n use pathlib and pytest fixtures.\n\nFrom version 3.9.2 (bsc#1219341, CVE-2024-23334, bsc#1219342, CVE-2024-23829):\n\n* Fixed server-side websocket connection leak.\n* Fixed ``web.FileResponse`` doing blocking I/O in the event loop.\n* Fixed double compress when compression enabled and compressed file\n exists in server file responses.\n* Added runtime type check for ``ClientSession`` ``timeout`` parameter.\n* Fixed an unhandled exception in the Python HTTP parser on header lines\n starting with a colon.\n* Improved validation of paths for static resources requests to the server.\n* Added support for passing :py:data:`True` to ``ssl`` parameter in\n ``ClientSession`` while deprecating :py:data:`None`.\n* Fixed an unhandled exception in the Python HTTP parser on header lines\n starting with a colon.\n* Fixed examples of ``fallback_charset_resolver`` function in the\n :doc:`client_advanced` document.\n* The Sphinx setup was updated to avoid showing the empty\n changelog draft section in the tagged release documentation\n builds on Read The Docs.\n* The changelog categorization was made clearer. 
The contributors can\n now mark their fragment files more accurately.\n* Updated :ref:`contributing/Tests coverage \u003caiohttp-contributing\u003e`\n section to show how we use ``codecov``.\n* Replaced all ``tmpdir`` fixtures with ``tmp_path`` in test suite.\n\n- Disable broken tests with openssl 3.2 and python \u003c 3.11 bsc#1217782\n\nupdate to 3.9.1:\n\n* Fixed importing aiohttp under PyPy on Windows.\n* Fixed async concurrency safety in websocket compressor.\n* Fixed ``ClientResponse.close()`` releasing the connection\n instead of closing.\n* Fixed a regression where connection may get closed during\n upgrade. -- by :user:`Dreamsorcerer`\n* Fixed messages being reported as upgraded without an Upgrade\n header in Python parser. -- by :user:`Dreamsorcerer`\n\nupdate to 3.9.0: (bsc#1217684, CVE-2023-49081, bsc#1217682, CVE-2023-49082)\n\n* Introduced ``AppKey`` for static typing support of\n ``Application`` storage.\n* Added a graceful shutdown period which allows pending tasks\n to complete before the application\u0027s cleanup is called.\n* Added `handler_cancellation`_ parameter to cancel web handler on\n client disconnection.\n* This (optionally) reintroduces a feature removed in a\n previous release.\n* Recommended for those looking for an extra level of\n protection against denial-of-service attacks.\n* Added support for setting response header parameters\n ``max_line_size`` and ``max_field_size``.\n* Added ``auto_decompress`` parameter to\n ``ClientSession.request`` to override\n ``ClientSession._auto_decompress``.\n* Changed ``raise_for_status`` to allow a coroutine.\n* Added client brotli compression support (optional with\n runtime check).\n* Added ``client_max_size`` to ``BaseRequest.clone()`` to allow\n overriding the request body size. 
-- :user:`anesabml`.\n* Added a middleware type alias\n ``aiohttp.typedefs.Middleware``.\n* Exported ``HTTPMove`` which can be used to catch any\n redirection request that has a location -- :user:`dreamsorcerer`.\n* Changed the ``path`` parameter in ``web.run_app()`` to accept\n a ``pathlib.Path`` object.\n* Performance: Skipped filtering ``CookieJar`` when the jar is\n empty or all cookies have expired.\n* Performance: Only check origin if insecure scheme and there\n are origins to treat as secure, in\n ``CookieJar.filter_cookies()``.\n* Performance: Used timestamp instead of ``datetime`` to\n achieve faster cookie expiration in ``CookieJar``.\n* Added support for passing a custom server name parameter to\n HTTPS connection.\n* Added support for using Basic Auth credentials from\n :file:`.netrc` file when making HTTP requests with the\n* :py:class:`~aiohttp.ClientSession` ``trust_env`` argument is\n set to ``True``. -- by :user:`yuvipanda`.\n* Turned access log into no-op when the logger is disabled.\n* Added typing information to ``RawResponseMessage``. -- by\n :user:`Gobot1234`\n* Removed ``async-timeout`` for Python 3.11+ (replaced with\n ``asyncio.timeout()`` on newer releases).\n* Added support for ``brotlicffi`` as an alternative to\n ``brotli`` (fixing Brotli support on PyPy).\n* Added ``WebSocketResponse.get_extra_info()`` to access a\n protocol transport\u0027s extra info.\n* Allow ``link`` argument to be set to None/empty in HTTP 451\n exception.\n* Fixed client timeout not working when incoming data is always\n available without waiting. -- by :user:`Dreamsorcerer`.\n* Fixed ``readuntil`` to work with a delimiter of more than one\n character.\n* Added ``__repr__`` to ``EmptyStreamReader`` to avoid\n ``AttributeError``.\n* Fixed bug when using ``TCPConnector`` with\n ``ttl_dns_cache=0``.\n* Fixed response returned from expect handler being thrown\n away. 
-- by :user:`Dreamsorcerer`\n* Avoided raising ``UnicodeDecodeError`` in multipart and in\n HTTP headers parsing.\n* Changed ``sock_read`` timeout to start after writing has\n finished, avoiding read timeouts caused by an unfinished\n write. -- by :user:`dtrifiro`\n* Fixed missing query in tracing method URLs when using\n ``yarl`` 1.9+.\n* Changed max 32-bit timestamp to an aware datetime object, for\n consistency with the non-32-bit one, and to avoid a\n ``DeprecationWarning`` on Python 3.12.\n* Fixed ``EmptyStreamReader.iter_chunks()`` never ending.\n* Fixed a rare ``RuntimeError: await wasn\u0027t used with future``\n exception.\n* Fixed issue with insufficient HTTP method and version\n validation.\n* Added check to validate that absolute URIs have schemes.\n* Fixed unhandled exception when Python HTTP parser encounters\n unpaired Unicode surrogates.\n* Updated parser to disallow invalid characters in header field\n names and stop accepting LF as a request line separator.\n* Fixed Python HTTP parser not treating 204/304/1xx as an empty\n body.\n* Ensure empty body response for 1xx/204/304 per RFC 9112 sec\n 6.3.\n* Fixed an issue when a client request is closed before\n completing a chunked payload. -- by :user:`Dreamsorcerer`\n* Edge Case Handling for ResponseParser for missing reason\n value.\n* Fixed ``ClientWebSocketResponse.close_code`` being\n erroneously set to ``None`` when there are concurrent async\n tasks receiving data and closing the connection.\n* Added HTTP method validation.\n* Fixed arbitrary sequence types being allowed to inject values\n via version parameter. -- by :user:`Dreamsorcerer`\n* Performance: Fixed increase in latency with small messages\n from websocket compression changes.\n* Improved Documentation\n* Fixed the `ClientResponse.release`\u0027s type in the doc. 
Changed\n from `comethod` to `method`.\n* Added information on behavior of base_url parameter in\n `ClientSession`.\n* Completed ``trust_env`` parameter description to honor\n ``wss_proxy``, ``ws_proxy`` or ``no_proxy`` env.\n* Dropped Python 3.6 support.\n* Dropped Python 3.7 support. -- by :user:`Dreamsorcerer`\n* Removed support for abandoned ``tokio`` event loop.\n* Made ``print`` argument in ``run_app()`` optional.\n* Improved performance of ``ceil_timeout`` in some cases.\n* Changed importing Gunicorn to happen on-demand, decreasing\n import time by ~53%. -- :user:`Dreamsorcerer`\n* Improved import time by replacing ``http.server`` with\n ``http.HTTPStatus``.\n* Fixed annotation of ``ssl`` parameter to disallow ``True``.\n\nupdate to 3.8.6 (bsc#1217181, CVE-2023-47627):\n\n* Security bugfixes\n* https://github.com/aio-libs/aiohttp/security/advisories/GHSA-\n pjjw-qhg8-p2p9.\n* https://github.com/aio-libs/aiohttp/security/advisories/GHSA-\n gfw2-4jvh-wgfg.\n* Added ``fallback_charset_resolver`` parameter in\n ``ClientSession`` to allow a user-supplied\n character set detection function.\n Character set detection will no longer be included in 3.9 as\n a default. 
If this feature is needed,\n please use `fallback_charset_resolver\n the client\n* Fixed ``PermissionError`` when ``.netrc`` is unreadable due\n to permissions.\n* Fixed output of parsing errors\n* Fixed sorting in ``filter_cookies`` to use cookie with\n longest path.\n\nRelease 3.8.0 (2021-10-31) (bsc#1217174, CVE-2023-47641)\n", "title": "Description of the patch" }, { "category": "details", "text": "SUSE-2024-577,SUSE-SLE-Module-Python3-15-SP5-2024-577,SUSE-SLE-Product-HPC-15-SP4-ESPOS-2024-577,SUSE-SLE-Product-HPC-15-SP4-LTSS-2024-577,SUSE-SLE-Product-SLED-15-SP4-LTSS-2024-577,SUSE-SLE-Product-SLES-15-SP4-LTSS-2024-577,SUSE-SLE-Product-SLES_SAP-15-SP4-2024-577,openSUSE-SLE-15.5-2024-577", "title": "Patchnames" }, { "category": "legal_disclaimer", "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).", "title": "Terms of use" } ], "publisher": { "category": "vendor", "contact_details": "https://www.suse.com/support/security/contact/", "name": "SUSE Product Security Team", "namespace": "https://www.suse.com/" }, "references": [ { "category": "external", "summary": "SUSE ratings", "url": "https://www.suse.com/support/security/rating/" }, { "category": "self", "summary": "URL of this CSAF notice", "url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2024_0577-1.json" }, { "category": "self", "summary": "URL for SUSE-SU-2024:0577-1", "url": "https://www.suse.com/support/update/announcement/2024/suse-su-20240577-1/" }, { "category": "self", "summary": "E-Mail link for SUSE-SU-2024:0577-1", "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-February/017982.html" }, { "category": "self", "summary": "SUSE Bug 1217174", "url": "https://bugzilla.suse.com/1217174" }, { "category": "self", "summary": "SUSE Bug 1217181", "url": "https://bugzilla.suse.com/1217181" }, { "category": "self", "summary": "SUSE Bug 1217782", "url": "https://bugzilla.suse.com/1217782" }, { "category": "self", 
"summary": "SUSE Bug 1219341", "url": "https://bugzilla.suse.com/1219341" }, { "category": "self", "summary": "SUSE Bug 1219342", "url": "https://bugzilla.suse.com/1219342" }, { "category": "self", "summary": "SUSE CVE CVE-2023-47627 page", "url": "https://www.suse.com/security/cve/CVE-2023-47627/" }, { "category": "self", "summary": "SUSE CVE CVE-2023-47641 page", "url": "https://www.suse.com/security/cve/CVE-2023-47641/" }, { "category": "self", "summary": "SUSE CVE CVE-2024-23334 page", "url": "https://www.suse.com/security/cve/CVE-2024-23334/" }, { "category": "self", "summary": "SUSE CVE CVE-2024-23829 page", "url": "https://www.suse.com/security/cve/CVE-2024-23829/" } ], "title": "Security update for python-aiohttp, python-time-machine", "tracking": { "current_release_date": "2024-02-21T10:43:49Z", "generator": { "date": "2024-02-21T10:43:49Z", "engine": { "name": "cve-database.git:bin/generate-csaf.pl", "version": "1" } }, "id": "SUSE-SU-2024:0577-1", "initial_release_date": "2024-02-21T10:43:49Z", "revision_history": [ { "date": "2024-02-21T10:43:49Z", "number": "1", "summary": "Current version" } ], "status": "final", "version": "1" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_version", "name": "python311-aiohttp-3.9.3-150400.10.14.1.aarch64", "product": { "name": "python311-aiohttp-3.9.3-150400.10.14.1.aarch64", "product_id": "python311-aiohttp-3.9.3-150400.10.14.1.aarch64" } }, { "category": "product_version", "name": "python311-time-machine-2.13.0-150400.9.3.1.aarch64", "product": { "name": "python311-time-machine-2.13.0-150400.9.3.1.aarch64", "product_id": "python311-time-machine-2.13.0-150400.9.3.1.aarch64" } } ], "category": "architecture", "name": "aarch64" }, { "branches": [ { "category": "product_version", "name": "python311-aiohttp-3.9.3-150400.10.14.1.i586", "product": { "name": "python311-aiohttp-3.9.3-150400.10.14.1.i586", "product_id": "python311-aiohttp-3.9.3-150400.10.14.1.i586" } }, { 
"category": "product_version", "name": "python311-time-machine-2.13.0-150400.9.3.1.i586", "product": { "name": "python311-time-machine-2.13.0-150400.9.3.1.i586", "product_id": "python311-time-machine-2.13.0-150400.9.3.1.i586" } } ], "category": "architecture", "name": "i586" }, { "branches": [ { "category": "product_version", "name": "python311-aiohttp-3.9.3-150400.10.14.1.ppc64le", "product": { "name": "python311-aiohttp-3.9.3-150400.10.14.1.ppc64le", "product_id": "python311-aiohttp-3.9.3-150400.10.14.1.ppc64le" } }, { "category": "product_version", "name": "python311-time-machine-2.13.0-150400.9.3.1.ppc64le", "product": { "name": "python311-time-machine-2.13.0-150400.9.3.1.ppc64le", "product_id": "python311-time-machine-2.13.0-150400.9.3.1.ppc64le" } } ], "category": "architecture", "name": "ppc64le" }, { "branches": [ { "category": "product_version", "name": "python311-aiohttp-3.9.3-150400.10.14.1.s390x", "product": { "name": "python311-aiohttp-3.9.3-150400.10.14.1.s390x", "product_id": "python311-aiohttp-3.9.3-150400.10.14.1.s390x" } }, { "category": "product_version", "name": "python311-time-machine-2.13.0-150400.9.3.1.s390x", "product": { "name": "python311-time-machine-2.13.0-150400.9.3.1.s390x", "product_id": "python311-time-machine-2.13.0-150400.9.3.1.s390x" } } ], "category": "architecture", "name": "s390x" }, { "branches": [ { "category": "product_version", "name": "python311-aiohttp-3.9.3-150400.10.14.1.x86_64", "product": { "name": "python311-aiohttp-3.9.3-150400.10.14.1.x86_64", "product_id": "python311-aiohttp-3.9.3-150400.10.14.1.x86_64" } }, { "category": "product_version", "name": "python311-time-machine-2.13.0-150400.9.3.1.x86_64", "product": { "name": "python311-time-machine-2.13.0-150400.9.3.1.x86_64", "product_id": "python311-time-machine-2.13.0-150400.9.3.1.x86_64" } } ], "category": "architecture", "name": "x86_64" }, { "branches": [ { "category": "product_name", "name": "SUSE Linux Enterprise Module for Python 3 15 SP5", "product": { 
"name": "SUSE Linux Enterprise Module for Python 3 15 SP5", "product_id": "SUSE Linux Enterprise Module for Python 3 15 SP5", "product_identification_helper": { "cpe": "cpe:/o:suse:sle-module-python3:15:sp5" } } }, { "category": "product_name", "name": "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS", "product": { "name": "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS", "product_id": "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS", "product_identification_helper": { "cpe": "cpe:/o:suse:sle_hpc-espos:15:sp4" } } }, { "category": "product_name", "name": "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS", "product": { "name": "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS", "product_id": "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS", "product_identification_helper": { "cpe": "cpe:/o:suse:sle_hpc-ltss:15:sp4" } } }, { "category": "product_name", "name": "SUSE Linux Enterprise Server 15 SP4-LTSS", "product": { "name": "SUSE Linux Enterprise Server 15 SP4-LTSS", "product_id": "SUSE Linux Enterprise Server 15 SP4-LTSS", "product_identification_helper": { "cpe": "cpe:/o:suse:sles-ltss:15:sp4" } } }, { "category": "product_name", "name": "SUSE Linux Enterprise Server for SAP Applications 15 SP4", "product": { "name": "SUSE Linux Enterprise Server for SAP Applications 15 SP4", "product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP4", "product_identification_helper": { "cpe": "cpe:/o:suse:sles_sap:15:sp4" } } }, { "category": "product_name", "name": "openSUSE Leap 15.5", "product": { "name": "openSUSE Leap 15.5", "product_id": "openSUSE Leap 15.5", "product_identification_helper": { "cpe": "cpe:/o:opensuse:leap:15.5" } } } ], "category": "product_family", "name": "SUSE Linux Enterprise" } ], "category": "vendor", "name": "SUSE" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "python311-aiohttp-3.9.3-150400.10.14.1.aarch64 as 
component of SUSE Linux Enterprise Module for Python 3 15 SP5", "product_id": "SUSE Linux Enterprise Module for Python 3 15 SP5:python311-aiohttp-3.9.3-150400.10.14.1.aarch64" }, "product_reference": "python311-aiohttp-3.9.3-150400.10.14.1.aarch64", "relates_to_product_reference": "SUSE Linux Enterprise Module for Python 3 15 SP5" }, { "category": "default_component_of", "full_product_name": { "name": "python311-aiohttp-3.9.3-150400.10.14.1.ppc64le as component of SUSE Linux Enterprise Module for Python 3 15 SP5", "product_id": "SUSE Linux Enterprise Module for Python 3 15 SP5:python311-aiohttp-3.9.3-150400.10.14.1.ppc64le" }, "product_reference": "python311-aiohttp-3.9.3-150400.10.14.1.ppc64le", "relates_to_product_reference": "SUSE Linux Enterprise Module for Python 3 15 SP5" }, { "category": "default_component_of", "full_product_name": { "name": "python311-aiohttp-3.9.3-150400.10.14.1.s390x as component of SUSE Linux Enterprise Module for Python 3 15 SP5", "product_id": "SUSE Linux Enterprise Module for Python 3 15 SP5:python311-aiohttp-3.9.3-150400.10.14.1.s390x" }, "product_reference": "python311-aiohttp-3.9.3-150400.10.14.1.s390x", "relates_to_product_reference": "SUSE Linux Enterprise Module for Python 3 15 SP5" }, { "category": "default_component_of", "full_product_name": { "name": "python311-aiohttp-3.9.3-150400.10.14.1.x86_64 as component of SUSE Linux Enterprise Module for Python 3 15 SP5", "product_id": "SUSE Linux Enterprise Module for Python 3 15 SP5:python311-aiohttp-3.9.3-150400.10.14.1.x86_64" }, "product_reference": "python311-aiohttp-3.9.3-150400.10.14.1.x86_64", "relates_to_product_reference": "SUSE Linux Enterprise Module for Python 3 15 SP5" }, { "category": "default_component_of", "full_product_name": { "name": "python311-aiohttp-3.9.3-150400.10.14.1.aarch64 as component of SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS", "product_id": "SUSE Linux Enterprise High Performance Computing 15 
SP4-ESPOS:python311-aiohttp-3.9.3-150400.10.14.1.aarch64" }, "product_reference": "python311-aiohttp-3.9.3-150400.10.14.1.aarch64", "relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS" }, { "category": "default_component_of", "full_product_name": { "name": "python311-aiohttp-3.9.3-150400.10.14.1.x86_64 as component of SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS", "product_id": "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:python311-aiohttp-3.9.3-150400.10.14.1.x86_64" }, "product_reference": "python311-aiohttp-3.9.3-150400.10.14.1.x86_64", "relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS" }, { "category": "default_component_of", "full_product_name": { "name": "python311-aiohttp-3.9.3-150400.10.14.1.aarch64 as component of SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS", "product_id": "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:python311-aiohttp-3.9.3-150400.10.14.1.aarch64" }, "product_reference": "python311-aiohttp-3.9.3-150400.10.14.1.aarch64", "relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS" }, { "category": "default_component_of", "full_product_name": { "name": "python311-aiohttp-3.9.3-150400.10.14.1.x86_64 as component of SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS", "product_id": "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:python311-aiohttp-3.9.3-150400.10.14.1.x86_64" }, "product_reference": "python311-aiohttp-3.9.3-150400.10.14.1.x86_64", "relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS" }, { "category": "default_component_of", "full_product_name": { "name": "python311-aiohttp-3.9.3-150400.10.14.1.aarch64 as component of SUSE Linux Enterprise Server 15 SP4-LTSS", "product_id": "SUSE Linux Enterprise Server 15 SP4-LTSS:python311-aiohttp-3.9.3-150400.10.14.1.aarch64" }, 
"product_reference": "python311-aiohttp-3.9.3-150400.10.14.1.aarch64", "relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP4-LTSS" }, { "category": "default_component_of", "full_product_name": { "name": "python311-aiohttp-3.9.3-150400.10.14.1.ppc64le as component of SUSE Linux Enterprise Server 15 SP4-LTSS", "product_id": "SUSE Linux Enterprise Server 15 SP4-LTSS:python311-aiohttp-3.9.3-150400.10.14.1.ppc64le" }, "product_reference": "python311-aiohttp-3.9.3-150400.10.14.1.ppc64le", "relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP4-LTSS" }, { "category": "default_component_of", "full_product_name": { "name": "python311-aiohttp-3.9.3-150400.10.14.1.s390x as component of SUSE Linux Enterprise Server 15 SP4-LTSS", "product_id": "SUSE Linux Enterprise Server 15 SP4-LTSS:python311-aiohttp-3.9.3-150400.10.14.1.s390x" }, "product_reference": "python311-aiohttp-3.9.3-150400.10.14.1.s390x", "relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP4-LTSS" }, { "category": "default_component_of", "full_product_name": { "name": "python311-aiohttp-3.9.3-150400.10.14.1.x86_64 as component of SUSE Linux Enterprise Server 15 SP4-LTSS", "product_id": "SUSE Linux Enterprise Server 15 SP4-LTSS:python311-aiohttp-3.9.3-150400.10.14.1.x86_64" }, "product_reference": "python311-aiohttp-3.9.3-150400.10.14.1.x86_64", "relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP4-LTSS" }, { "category": "default_component_of", "full_product_name": { "name": "python311-aiohttp-3.9.3-150400.10.14.1.ppc64le as component of SUSE Linux Enterprise Server for SAP Applications 15 SP4", "product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP4:python311-aiohttp-3.9.3-150400.10.14.1.ppc64le" }, "product_reference": "python311-aiohttp-3.9.3-150400.10.14.1.ppc64le", "relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 15 SP4" }, { "category": "default_component_of", "full_product_name": { "name": 
"python311-aiohttp-3.9.3-150400.10.14.1.x86_64 as component of SUSE Linux Enterprise Server for SAP Applications 15 SP4", "product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP4:python311-aiohttp-3.9.3-150400.10.14.1.x86_64" }, "product_reference": "python311-aiohttp-3.9.3-150400.10.14.1.x86_64", "relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 15 SP4" }, { "category": "default_component_of", "full_product_name": { "name": "python311-aiohttp-3.9.3-150400.10.14.1.aarch64 as component of openSUSE Leap 15.5", "product_id": "openSUSE Leap 15.5:python311-aiohttp-3.9.3-150400.10.14.1.aarch64" }, "product_reference": "python311-aiohttp-3.9.3-150400.10.14.1.aarch64", "relates_to_product_reference": "openSUSE Leap 15.5" }, { "category": "default_component_of", "full_product_name": { "name": "python311-aiohttp-3.9.3-150400.10.14.1.ppc64le as component of openSUSE Leap 15.5", "product_id": "openSUSE Leap 15.5:python311-aiohttp-3.9.3-150400.10.14.1.ppc64le" }, "product_reference": "python311-aiohttp-3.9.3-150400.10.14.1.ppc64le", "relates_to_product_reference": "openSUSE Leap 15.5" }, { "category": "default_component_of", "full_product_name": { "name": "python311-aiohttp-3.9.3-150400.10.14.1.s390x as component of openSUSE Leap 15.5", "product_id": "openSUSE Leap 15.5:python311-aiohttp-3.9.3-150400.10.14.1.s390x" }, "product_reference": "python311-aiohttp-3.9.3-150400.10.14.1.s390x", "relates_to_product_reference": "openSUSE Leap 15.5" }, { "category": "default_component_of", "full_product_name": { "name": "python311-aiohttp-3.9.3-150400.10.14.1.x86_64 as component of openSUSE Leap 15.5", "product_id": "openSUSE Leap 15.5:python311-aiohttp-3.9.3-150400.10.14.1.x86_64" }, "product_reference": "python311-aiohttp-3.9.3-150400.10.14.1.x86_64", "relates_to_product_reference": "openSUSE Leap 15.5" } ] }, "vulnerabilities": [ { "cve": "CVE-2023-47627", "ids": [ { "system_name": "SUSE CVE Page", "text": 
"https://www.suse.com/security/cve/CVE-2023-47627" } ], "notes": [ { "category": "general", "text": "aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. The HTTP parser in AIOHTTP has numerous problems with header parsing, which could lead to request smuggling. This parser is only used when AIOHTTP_NO_EXTENSIONS is enabled (or not using a prebuilt wheel). These bugs have been addressed in commit `d5c12ba89` which has been included in release version 3.8.6. Users are advised to upgrade. There are no known workarounds for these issues.", "title": "CVE description" } ], "product_status": { "recommended": [ "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:python311-aiohttp-3.9.3-150400.10.14.1.aarch64", "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:python311-aiohttp-3.9.3-150400.10.14.1.x86_64", "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:python311-aiohttp-3.9.3-150400.10.14.1.aarch64", "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:python311-aiohttp-3.9.3-150400.10.14.1.x86_64", "SUSE Linux Enterprise Module for Python 3 15 SP5:python311-aiohttp-3.9.3-150400.10.14.1.aarch64", "SUSE Linux Enterprise Module for Python 3 15 SP5:python311-aiohttp-3.9.3-150400.10.14.1.ppc64le", "SUSE Linux Enterprise Module for Python 3 15 SP5:python311-aiohttp-3.9.3-150400.10.14.1.s390x", "SUSE Linux Enterprise Module for Python 3 15 SP5:python311-aiohttp-3.9.3-150400.10.14.1.x86_64", "SUSE Linux Enterprise Server 15 SP4-LTSS:python311-aiohttp-3.9.3-150400.10.14.1.aarch64", "SUSE Linux Enterprise Server 15 SP4-LTSS:python311-aiohttp-3.9.3-150400.10.14.1.ppc64le", "SUSE Linux Enterprise Server 15 SP4-LTSS:python311-aiohttp-3.9.3-150400.10.14.1.s390x", "SUSE Linux Enterprise Server 15 SP4-LTSS:python311-aiohttp-3.9.3-150400.10.14.1.x86_64", "SUSE Linux Enterprise Server for SAP Applications 15 SP4:python311-aiohttp-3.9.3-150400.10.14.1.ppc64le", "SUSE Linux Enterprise Server for SAP Applications 15 
SP4:python311-aiohttp-3.9.3-150400.10.14.1.x86_64", "openSUSE Leap 15.5:python311-aiohttp-3.9.3-150400.10.14.1.aarch64", "openSUSE Leap 15.5:python311-aiohttp-3.9.3-150400.10.14.1.ppc64le", "openSUSE Leap 15.5:python311-aiohttp-3.9.3-150400.10.14.1.s390x", "openSUSE Leap 15.5:python311-aiohttp-3.9.3-150400.10.14.1.x86_64" ] }, "references": [ { "category": "external", "summary": "CVE-2023-47627", "url": "https://www.suse.com/security/cve/CVE-2023-47627" }, { "category": "external", "summary": "SUSE Bug 1217181 for CVE-2023-47627", "url": "https://bugzilla.suse.com/1217181" }, { "category": "external", "summary": "SUSE Bug 1219342 for CVE-2023-47627", "url": "https://bugzilla.suse.com/1219342" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:python311-aiohttp-3.9.3-150400.10.14.1.aarch64", "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:python311-aiohttp-3.9.3-150400.10.14.1.x86_64", "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:python311-aiohttp-3.9.3-150400.10.14.1.aarch64", "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:python311-aiohttp-3.9.3-150400.10.14.1.x86_64", "SUSE Linux Enterprise Module for Python 3 15 SP5:python311-aiohttp-3.9.3-150400.10.14.1.aarch64", "SUSE Linux Enterprise Module for Python 3 15 SP5:python311-aiohttp-3.9.3-150400.10.14.1.ppc64le", "SUSE Linux Enterprise Module for Python 3 15 SP5:python311-aiohttp-3.9.3-150400.10.14.1.s390x", "SUSE Linux Enterprise Module for Python 3 15 SP5:python311-aiohttp-3.9.3-150400.10.14.1.x86_64", "SUSE Linux Enterprise Server 15 SP4-LTSS:python311-aiohttp-3.9.3-150400.10.14.1.aarch64", "SUSE Linux Enterprise Server 15 SP4-LTSS:python311-aiohttp-3.9.3-150400.10.14.1.ppc64le", "SUSE Linux Enterprise Server 15 
SP4-LTSS:python311-aiohttp-3.9.3-150400.10.14.1.s390x", "SUSE Linux Enterprise Server 15 SP4-LTSS:python311-aiohttp-3.9.3-150400.10.14.1.x86_64", "SUSE Linux Enterprise Server for SAP Applications 15 SP4:python311-aiohttp-3.9.3-150400.10.14.1.ppc64le", "SUSE Linux Enterprise Server for SAP Applications 15 SP4:python311-aiohttp-3.9.3-150400.10.14.1.x86_64", "openSUSE Leap 15.5:python311-aiohttp-3.9.3-150400.10.14.1.aarch64", "openSUSE Leap 15.5:python311-aiohttp-3.9.3-150400.10.14.1.ppc64le", "openSUSE Leap 15.5:python311-aiohttp-3.9.3-150400.10.14.1.s390x", "openSUSE Leap 15.5:python311-aiohttp-3.9.3-150400.10.14.1.x86_64" ] } ], "scores": [ { "cvss_v3": { "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1" }, "products": [ "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:python311-aiohttp-3.9.3-150400.10.14.1.aarch64", "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:python311-aiohttp-3.9.3-150400.10.14.1.x86_64", "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:python311-aiohttp-3.9.3-150400.10.14.1.aarch64", "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:python311-aiohttp-3.9.3-150400.10.14.1.x86_64", "SUSE Linux Enterprise Module for Python 3 15 SP5:python311-aiohttp-3.9.3-150400.10.14.1.aarch64", "SUSE Linux Enterprise Module for Python 3 15 SP5:python311-aiohttp-3.9.3-150400.10.14.1.ppc64le", "SUSE Linux Enterprise Module for Python 3 15 SP5:python311-aiohttp-3.9.3-150400.10.14.1.s390x", "SUSE Linux Enterprise Module for Python 3 15 SP5:python311-aiohttp-3.9.3-150400.10.14.1.x86_64", "SUSE Linux Enterprise Server 15 SP4-LTSS:python311-aiohttp-3.9.3-150400.10.14.1.aarch64", "SUSE Linux Enterprise Server 15 SP4-LTSS:python311-aiohttp-3.9.3-150400.10.14.1.ppc64le", "SUSE Linux Enterprise Server 15 SP4-LTSS:python311-aiohttp-3.9.3-150400.10.14.1.s390x", "SUSE Linux Enterprise Server 15 
SP4-LTSS:python311-aiohttp-3.9.3-150400.10.14.1.x86_64", "SUSE Linux Enterprise Server for SAP Applications 15 SP4:python311-aiohttp-3.9.3-150400.10.14.1.ppc64le", "SUSE Linux Enterprise Server for SAP Applications 15 SP4:python311-aiohttp-3.9.3-150400.10.14.1.x86_64", "openSUSE Leap 15.5:python311-aiohttp-3.9.3-150400.10.14.1.aarch64", "openSUSE Leap 15.5:python311-aiohttp-3.9.3-150400.10.14.1.ppc64le", "openSUSE Leap 15.5:python311-aiohttp-3.9.3-150400.10.14.1.s390x", "openSUSE Leap 15.5:python311-aiohttp-3.9.3-150400.10.14.1.x86_64" ] } ], "threats": [ { "category": "impact", "date": "2024-02-21T10:43:49Z", "details": "moderate" } ], "title": "CVE-2023-47627" }, { "cve": "CVE-2023-47641", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2023-47641" } ], "notes": [ { "category": "general", "text": "aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Affected versions of aiohttp have a security vulnerability regarding the inconsistent interpretation of the http protocol. HTTP/1.1 is a persistent protocol, if both Content-Length(CL) and Transfer-Encoding(TE) header values are present it can lead to incorrect interpretation of two entities that parse the HTTP and we can poison other sockets with this incorrect interpretation. A possible Proof-of-Concept (POC) would be a configuration with a reverse proxy(frontend) that accepts both CL and TE headers and aiohttp as backend. As aiohttp parses anything with chunked, we can pass a chunked123 as TE, the frontend entity will ignore this header and will parse Content-Length. The impact of this vulnerability is that it is possible to bypass any proxy rule, poisoning sockets to other users like passing Authentication Headers, also if it is present an Open Redirect an attacker could combine it to redirect random users to another website and log the request. This vulnerability has been addressed in release 3.8.0 of aiohttp. Users are advised to upgrade. 
There are no known workarounds for this vulnerability.", "title": "CVE description" } ], "product_status": { "recommended": [ "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:python311-aiohttp-3.9.3-150400.10.14.1.aarch64", "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:python311-aiohttp-3.9.3-150400.10.14.1.x86_64", "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:python311-aiohttp-3.9.3-150400.10.14.1.aarch64", "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:python311-aiohttp-3.9.3-150400.10.14.1.x86_64", "SUSE Linux Enterprise Module for Python 3 15 SP5:python311-aiohttp-3.9.3-150400.10.14.1.aarch64", "SUSE Linux Enterprise Module for Python 3 15 SP5:python311-aiohttp-3.9.3-150400.10.14.1.ppc64le", "SUSE Linux Enterprise Module for Python 3 15 SP5:python311-aiohttp-3.9.3-150400.10.14.1.s390x", "SUSE Linux Enterprise Module for Python 3 15 SP5:python311-aiohttp-3.9.3-150400.10.14.1.x86_64", "SUSE Linux Enterprise Server 15 SP4-LTSS:python311-aiohttp-3.9.3-150400.10.14.1.aarch64", "SUSE Linux Enterprise Server 15 SP4-LTSS:python311-aiohttp-3.9.3-150400.10.14.1.ppc64le", "SUSE Linux Enterprise Server 15 SP4-LTSS:python311-aiohttp-3.9.3-150400.10.14.1.s390x", "SUSE Linux Enterprise Server 15 SP4-LTSS:python311-aiohttp-3.9.3-150400.10.14.1.x86_64", "SUSE Linux Enterprise Server for SAP Applications 15 SP4:python311-aiohttp-3.9.3-150400.10.14.1.ppc64le", "SUSE Linux Enterprise Server for SAP Applications 15 SP4:python311-aiohttp-3.9.3-150400.10.14.1.x86_64", "openSUSE Leap 15.5:python311-aiohttp-3.9.3-150400.10.14.1.aarch64", "openSUSE Leap 15.5:python311-aiohttp-3.9.3-150400.10.14.1.ppc64le", "openSUSE Leap 15.5:python311-aiohttp-3.9.3-150400.10.14.1.s390x", "openSUSE Leap 15.5:python311-aiohttp-3.9.3-150400.10.14.1.x86_64" ] }, "references": [ { "category": "external", "summary": "CVE-2023-47641", "url": "https://www.suse.com/security/cve/CVE-2023-47641" }, { "category": "external", "summary": "SUSE Bug 
1217174 for CVE-2023-47641", "url": "https://bugzilla.suse.com/1217174" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:python311-aiohttp-3.9.3-150400.10.14.1.aarch64", "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:python311-aiohttp-3.9.3-150400.10.14.1.x86_64", "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:python311-aiohttp-3.9.3-150400.10.14.1.aarch64", "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:python311-aiohttp-3.9.3-150400.10.14.1.x86_64", "SUSE Linux Enterprise Module for Python 3 15 SP5:python311-aiohttp-3.9.3-150400.10.14.1.aarch64", "SUSE Linux Enterprise Module for Python 3 15 SP5:python311-aiohttp-3.9.3-150400.10.14.1.ppc64le", "SUSE Linux Enterprise Module for Python 3 15 SP5:python311-aiohttp-3.9.3-150400.10.14.1.s390x", "SUSE Linux Enterprise Module for Python 3 15 SP5:python311-aiohttp-3.9.3-150400.10.14.1.x86_64", "SUSE Linux Enterprise Server 15 SP4-LTSS:python311-aiohttp-3.9.3-150400.10.14.1.aarch64", "SUSE Linux Enterprise Server 15 SP4-LTSS:python311-aiohttp-3.9.3-150400.10.14.1.ppc64le", "SUSE Linux Enterprise Server 15 SP4-LTSS:python311-aiohttp-3.9.3-150400.10.14.1.s390x", "SUSE Linux Enterprise Server 15 SP4-LTSS:python311-aiohttp-3.9.3-150400.10.14.1.x86_64", "SUSE Linux Enterprise Server for SAP Applications 15 SP4:python311-aiohttp-3.9.3-150400.10.14.1.ppc64le", "SUSE Linux Enterprise Server for SAP Applications 15 SP4:python311-aiohttp-3.9.3-150400.10.14.1.x86_64", "openSUSE Leap 15.5:python311-aiohttp-3.9.3-150400.10.14.1.aarch64", "openSUSE Leap 15.5:python311-aiohttp-3.9.3-150400.10.14.1.ppc64le", "openSUSE Leap 15.5:python311-aiohttp-3.9.3-150400.10.14.1.s390x", "openSUSE Leap 15.5:python311-aiohttp-3.9.3-150400.10.14.1.x86_64" ] } ], "scores": [ { "cvss_v3": 
{ "baseScore": 5.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "version": "3.1" }, "products": [ "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:python311-aiohttp-3.9.3-150400.10.14.1.aarch64", "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:python311-aiohttp-3.9.3-150400.10.14.1.x86_64", "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:python311-aiohttp-3.9.3-150400.10.14.1.aarch64", "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:python311-aiohttp-3.9.3-150400.10.14.1.x86_64", "SUSE Linux Enterprise Module for Python 3 15 SP5:python311-aiohttp-3.9.3-150400.10.14.1.aarch64", "SUSE Linux Enterprise Module for Python 3 15 SP5:python311-aiohttp-3.9.3-150400.10.14.1.ppc64le", "SUSE Linux Enterprise Module for Python 3 15 SP5:python311-aiohttp-3.9.3-150400.10.14.1.s390x", "SUSE Linux Enterprise Module for Python 3 15 SP5:python311-aiohttp-3.9.3-150400.10.14.1.x86_64", "SUSE Linux Enterprise Server 15 SP4-LTSS:python311-aiohttp-3.9.3-150400.10.14.1.aarch64", "SUSE Linux Enterprise Server 15 SP4-LTSS:python311-aiohttp-3.9.3-150400.10.14.1.ppc64le", "SUSE Linux Enterprise Server 15 SP4-LTSS:python311-aiohttp-3.9.3-150400.10.14.1.s390x", "SUSE Linux Enterprise Server 15 SP4-LTSS:python311-aiohttp-3.9.3-150400.10.14.1.x86_64", "SUSE Linux Enterprise Server for SAP Applications 15 SP4:python311-aiohttp-3.9.3-150400.10.14.1.ppc64le", "SUSE Linux Enterprise Server for SAP Applications 15 SP4:python311-aiohttp-3.9.3-150400.10.14.1.x86_64", "openSUSE Leap 15.5:python311-aiohttp-3.9.3-150400.10.14.1.aarch64", "openSUSE Leap 15.5:python311-aiohttp-3.9.3-150400.10.14.1.ppc64le", "openSUSE Leap 15.5:python311-aiohttp-3.9.3-150400.10.14.1.s390x", "openSUSE Leap 15.5:python311-aiohttp-3.9.3-150400.10.14.1.x86_64" ] } ], "threats": [ { "category": "impact", "date": "2024-02-21T10:43:49Z", "details": "moderate" } ], "title": "CVE-2023-47641" }, { "cve": "CVE-2024-23334", "ids": [ { 
"system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2024-23334" } ], "notes": [ { "category": "general", "text": "aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. When using aiohttp as a web server and configuring static routes, it is necessary to specify the root path for static files. Additionally, the option \u0027follow_symlinks\u0027 can be used to determine whether to follow symbolic links outside the static root directory. When \u0027follow_symlinks\u0027 is set to True, there is no validation to check if reading a file is within the root directory. This can lead to directory traversal vulnerabilities, resulting in unauthorized access to arbitrary files on the system, even when symlinks are not present. Disabling follow_symlinks and using a reverse proxy are encouraged mitigations. Version 3.9.2 fixes this issue.", "title": "CVE description" } ], "product_status": { "recommended": [ "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:python311-aiohttp-3.9.3-150400.10.14.1.aarch64", "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:python311-aiohttp-3.9.3-150400.10.14.1.x86_64", "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:python311-aiohttp-3.9.3-150400.10.14.1.aarch64", "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:python311-aiohttp-3.9.3-150400.10.14.1.x86_64", "SUSE Linux Enterprise Module for Python 3 15 SP5:python311-aiohttp-3.9.3-150400.10.14.1.aarch64", "SUSE Linux Enterprise Module for Python 3 15 SP5:python311-aiohttp-3.9.3-150400.10.14.1.ppc64le", "SUSE Linux Enterprise Module for Python 3 15 SP5:python311-aiohttp-3.9.3-150400.10.14.1.s390x", "SUSE Linux Enterprise Module for Python 3 15 SP5:python311-aiohttp-3.9.3-150400.10.14.1.x86_64", "SUSE Linux Enterprise Server 15 SP4-LTSS:python311-aiohttp-3.9.3-150400.10.14.1.aarch64", "SUSE Linux Enterprise Server 15 SP4-LTSS:python311-aiohttp-3.9.3-150400.10.14.1.ppc64le", "SUSE Linux 
Enterprise Server 15 SP4-LTSS:python311-aiohttp-3.9.3-150400.10.14.1.s390x", "SUSE Linux Enterprise Server 15 SP4-LTSS:python311-aiohttp-3.9.3-150400.10.14.1.x86_64", "SUSE Linux Enterprise Server for SAP Applications 15 SP4:python311-aiohttp-3.9.3-150400.10.14.1.ppc64le", "SUSE Linux Enterprise Server for SAP Applications 15 SP4:python311-aiohttp-3.9.3-150400.10.14.1.x86_64", "openSUSE Leap 15.5:python311-aiohttp-3.9.3-150400.10.14.1.aarch64", "openSUSE Leap 15.5:python311-aiohttp-3.9.3-150400.10.14.1.ppc64le", "openSUSE Leap 15.5:python311-aiohttp-3.9.3-150400.10.14.1.s390x", "openSUSE Leap 15.5:python311-aiohttp-3.9.3-150400.10.14.1.x86_64" ] }, "references": [ { "category": "external", "summary": "CVE-2024-23334", "url": "https://www.suse.com/security/cve/CVE-2024-23334" }, { "category": "external", "summary": "SUSE Bug 1219341 for CVE-2024-23334", "url": "https://bugzilla.suse.com/1219341" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:python311-aiohttp-3.9.3-150400.10.14.1.aarch64", "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:python311-aiohttp-3.9.3-150400.10.14.1.x86_64", "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:python311-aiohttp-3.9.3-150400.10.14.1.aarch64", "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:python311-aiohttp-3.9.3-150400.10.14.1.x86_64", "SUSE Linux Enterprise Module for Python 3 15 SP5:python311-aiohttp-3.9.3-150400.10.14.1.aarch64", "SUSE Linux Enterprise Module for Python 3 15 SP5:python311-aiohttp-3.9.3-150400.10.14.1.ppc64le", "SUSE Linux Enterprise Module for Python 3 15 SP5:python311-aiohttp-3.9.3-150400.10.14.1.s390x", "SUSE Linux Enterprise Module for Python 3 15 SP5:python311-aiohttp-3.9.3-150400.10.14.1.x86_64", "SUSE Linux Enterprise Server 15 
SP4-LTSS:python311-aiohttp-3.9.3-150400.10.14.1.aarch64", "SUSE Linux Enterprise Server 15 SP4-LTSS:python311-aiohttp-3.9.3-150400.10.14.1.ppc64le", "SUSE Linux Enterprise Server 15 SP4-LTSS:python311-aiohttp-3.9.3-150400.10.14.1.s390x", "SUSE Linux Enterprise Server 15 SP4-LTSS:python311-aiohttp-3.9.3-150400.10.14.1.x86_64", "SUSE Linux Enterprise Server for SAP Applications 15 SP4:python311-aiohttp-3.9.3-150400.10.14.1.ppc64le", "SUSE Linux Enterprise Server for SAP Applications 15 SP4:python311-aiohttp-3.9.3-150400.10.14.1.x86_64", "openSUSE Leap 15.5:python311-aiohttp-3.9.3-150400.10.14.1.aarch64", "openSUSE Leap 15.5:python311-aiohttp-3.9.3-150400.10.14.1.ppc64le", "openSUSE Leap 15.5:python311-aiohttp-3.9.3-150400.10.14.1.s390x", "openSUSE Leap 15.5:python311-aiohttp-3.9.3-150400.10.14.1.x86_64" ] } ], "scores": [ { "cvss_v3": { "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "products": [ "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:python311-aiohttp-3.9.3-150400.10.14.1.aarch64", "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:python311-aiohttp-3.9.3-150400.10.14.1.x86_64", "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:python311-aiohttp-3.9.3-150400.10.14.1.aarch64", "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:python311-aiohttp-3.9.3-150400.10.14.1.x86_64", "SUSE Linux Enterprise Module for Python 3 15 SP5:python311-aiohttp-3.9.3-150400.10.14.1.aarch64", "SUSE Linux Enterprise Module for Python 3 15 SP5:python311-aiohttp-3.9.3-150400.10.14.1.ppc64le", "SUSE Linux Enterprise Module for Python 3 15 SP5:python311-aiohttp-3.9.3-150400.10.14.1.s390x", "SUSE Linux Enterprise Module for Python 3 15 SP5:python311-aiohttp-3.9.3-150400.10.14.1.x86_64", "SUSE Linux Enterprise Server 15 SP4-LTSS:python311-aiohttp-3.9.3-150400.10.14.1.aarch64", "SUSE Linux Enterprise Server 15 
SP4-LTSS:python311-aiohttp-3.9.3-150400.10.14.1.ppc64le", "SUSE Linux Enterprise Server 15 SP4-LTSS:python311-aiohttp-3.9.3-150400.10.14.1.s390x", "SUSE Linux Enterprise Server 15 SP4-LTSS:python311-aiohttp-3.9.3-150400.10.14.1.x86_64", "SUSE Linux Enterprise Server for SAP Applications 15 SP4:python311-aiohttp-3.9.3-150400.10.14.1.ppc64le", "SUSE Linux Enterprise Server for SAP Applications 15 SP4:python311-aiohttp-3.9.3-150400.10.14.1.x86_64", "openSUSE Leap 15.5:python311-aiohttp-3.9.3-150400.10.14.1.aarch64", "openSUSE Leap 15.5:python311-aiohttp-3.9.3-150400.10.14.1.ppc64le", "openSUSE Leap 15.5:python311-aiohttp-3.9.3-150400.10.14.1.s390x", "openSUSE Leap 15.5:python311-aiohttp-3.9.3-150400.10.14.1.x86_64" ] } ], "threats": [ { "category": "impact", "date": "2024-02-21T10:43:49Z", "details": "important" } ], "title": "CVE-2024-23334" }, { "cve": "CVE-2024-23829", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2024-23829" } ], "notes": [ { "category": "general", "text": "aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Security-sensitive parts of the Python HTTP parser retained minor differences in allowable character sets, that must trigger error handling to robustly match frame boundaries of proxies in order to protect against injection of additional requests. Additionally, validation could trigger exceptions that were not handled consistently with processing of other malformed input. Being more lenient than internet standards require could, depending on deployment environment, assist in request smuggling. The unhandled exception could cause excessive resource consumption on the application server and/or its logging facilities. This vulnerability exists due to an incomplete fix for CVE-2023-47627. 
Version 3.9.2 fixes this vulnerability.", "title": "CVE description" } ], "product_status": { "recommended": [ "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:python311-aiohttp-3.9.3-150400.10.14.1.aarch64", "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:python311-aiohttp-3.9.3-150400.10.14.1.x86_64", "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:python311-aiohttp-3.9.3-150400.10.14.1.aarch64", "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:python311-aiohttp-3.9.3-150400.10.14.1.x86_64", "SUSE Linux Enterprise Module for Python 3 15 SP5:python311-aiohttp-3.9.3-150400.10.14.1.aarch64", "SUSE Linux Enterprise Module for Python 3 15 SP5:python311-aiohttp-3.9.3-150400.10.14.1.ppc64le", "SUSE Linux Enterprise Module for Python 3 15 SP5:python311-aiohttp-3.9.3-150400.10.14.1.s390x", "SUSE Linux Enterprise Module for Python 3 15 SP5:python311-aiohttp-3.9.3-150400.10.14.1.x86_64", "SUSE Linux Enterprise Server 15 SP4-LTSS:python311-aiohttp-3.9.3-150400.10.14.1.aarch64", "SUSE Linux Enterprise Server 15 SP4-LTSS:python311-aiohttp-3.9.3-150400.10.14.1.ppc64le", "SUSE Linux Enterprise Server 15 SP4-LTSS:python311-aiohttp-3.9.3-150400.10.14.1.s390x", "SUSE Linux Enterprise Server 15 SP4-LTSS:python311-aiohttp-3.9.3-150400.10.14.1.x86_64", "SUSE Linux Enterprise Server for SAP Applications 15 SP4:python311-aiohttp-3.9.3-150400.10.14.1.ppc64le", "SUSE Linux Enterprise Server for SAP Applications 15 SP4:python311-aiohttp-3.9.3-150400.10.14.1.x86_64", "openSUSE Leap 15.5:python311-aiohttp-3.9.3-150400.10.14.1.aarch64", "openSUSE Leap 15.5:python311-aiohttp-3.9.3-150400.10.14.1.ppc64le", "openSUSE Leap 15.5:python311-aiohttp-3.9.3-150400.10.14.1.s390x", "openSUSE Leap 15.5:python311-aiohttp-3.9.3-150400.10.14.1.x86_64" ] }, "references": [ { "category": "external", "summary": "CVE-2024-23829", "url": "https://www.suse.com/security/cve/CVE-2024-23829" }, { "category": "external", "summary": "SUSE Bug 1219342 for 
CVE-2024-23829", "url": "https://bugzilla.suse.com/1219342" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:python311-aiohttp-3.9.3-150400.10.14.1.aarch64", "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:python311-aiohttp-3.9.3-150400.10.14.1.x86_64", "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:python311-aiohttp-3.9.3-150400.10.14.1.aarch64", "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:python311-aiohttp-3.9.3-150400.10.14.1.x86_64", "SUSE Linux Enterprise Module for Python 3 15 SP5:python311-aiohttp-3.9.3-150400.10.14.1.aarch64", "SUSE Linux Enterprise Module for Python 3 15 SP5:python311-aiohttp-3.9.3-150400.10.14.1.ppc64le", "SUSE Linux Enterprise Module for Python 3 15 SP5:python311-aiohttp-3.9.3-150400.10.14.1.s390x", "SUSE Linux Enterprise Module for Python 3 15 SP5:python311-aiohttp-3.9.3-150400.10.14.1.x86_64", "SUSE Linux Enterprise Server 15 SP4-LTSS:python311-aiohttp-3.9.3-150400.10.14.1.aarch64", "SUSE Linux Enterprise Server 15 SP4-LTSS:python311-aiohttp-3.9.3-150400.10.14.1.ppc64le", "SUSE Linux Enterprise Server 15 SP4-LTSS:python311-aiohttp-3.9.3-150400.10.14.1.s390x", "SUSE Linux Enterprise Server 15 SP4-LTSS:python311-aiohttp-3.9.3-150400.10.14.1.x86_64", "SUSE Linux Enterprise Server for SAP Applications 15 SP4:python311-aiohttp-3.9.3-150400.10.14.1.ppc64le", "SUSE Linux Enterprise Server for SAP Applications 15 SP4:python311-aiohttp-3.9.3-150400.10.14.1.x86_64", "openSUSE Leap 15.5:python311-aiohttp-3.9.3-150400.10.14.1.aarch64", "openSUSE Leap 15.5:python311-aiohttp-3.9.3-150400.10.14.1.ppc64le", "openSUSE Leap 15.5:python311-aiohttp-3.9.3-150400.10.14.1.s390x", "openSUSE Leap 15.5:python311-aiohttp-3.9.3-150400.10.14.1.x86_64" ] } ], "scores": [ { "cvss_v3": { 
"baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1" }, "products": [ "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:python311-aiohttp-3.9.3-150400.10.14.1.aarch64", "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:python311-aiohttp-3.9.3-150400.10.14.1.x86_64", "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:python311-aiohttp-3.9.3-150400.10.14.1.aarch64", "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:python311-aiohttp-3.9.3-150400.10.14.1.x86_64", "SUSE Linux Enterprise Module for Python 3 15 SP5:python311-aiohttp-3.9.3-150400.10.14.1.aarch64", "SUSE Linux Enterprise Module for Python 3 15 SP5:python311-aiohttp-3.9.3-150400.10.14.1.ppc64le", "SUSE Linux Enterprise Module for Python 3 15 SP5:python311-aiohttp-3.9.3-150400.10.14.1.s390x", "SUSE Linux Enterprise Module for Python 3 15 SP5:python311-aiohttp-3.9.3-150400.10.14.1.x86_64", "SUSE Linux Enterprise Server 15 SP4-LTSS:python311-aiohttp-3.9.3-150400.10.14.1.aarch64", "SUSE Linux Enterprise Server 15 SP4-LTSS:python311-aiohttp-3.9.3-150400.10.14.1.ppc64le", "SUSE Linux Enterprise Server 15 SP4-LTSS:python311-aiohttp-3.9.3-150400.10.14.1.s390x", "SUSE Linux Enterprise Server 15 SP4-LTSS:python311-aiohttp-3.9.3-150400.10.14.1.x86_64", "SUSE Linux Enterprise Server for SAP Applications 15 SP4:python311-aiohttp-3.9.3-150400.10.14.1.ppc64le", "SUSE Linux Enterprise Server for SAP Applications 15 SP4:python311-aiohttp-3.9.3-150400.10.14.1.x86_64", "openSUSE Leap 15.5:python311-aiohttp-3.9.3-150400.10.14.1.aarch64", "openSUSE Leap 15.5:python311-aiohttp-3.9.3-150400.10.14.1.ppc64le", "openSUSE Leap 15.5:python311-aiohttp-3.9.3-150400.10.14.1.s390x", "openSUSE Leap 15.5:python311-aiohttp-3.9.3-150400.10.14.1.x86_64" ] } ], "threats": [ { "category": "impact", "date": "2024-02-21T10:43:49Z", "details": "moderate" } ], "title": "CVE-2024-23829" } ] }
opensuse-su-2024:13691-1
Vulnerability from csaf_opensuse
Notes
{ "document": { "aggregate_severity": { "namespace": "https://www.suse.com/support/security/rating/", "text": "moderate" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright 2024 SUSE LLC. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "python310-aiohttp-3.9.3-2.1 on GA media", "title": "Title of the patch" }, { "category": "description", "text": "These are all security issues fixed in the python310-aiohttp-3.9.3-2.1 package on the GA media of openSUSE Tumbleweed.", "title": "Description of the patch" }, { "category": "details", "text": "openSUSE-Tumbleweed-2024-13691", "title": "Patchnames" }, { "category": "legal_disclaimer", "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).", "title": "Terms of use" } ], "publisher": { "category": "vendor", "contact_details": "https://www.suse.com/support/security/contact/", "name": "SUSE Product Security Team", "namespace": "https://www.suse.com/" }, "references": [ { "category": "external", "summary": "SUSE ratings", "url": "https://www.suse.com/support/security/rating/" }, { "category": "self", "summary": "URL of this CSAF notice", "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_13691-1.json" }, { "category": "self", "summary": "SUSE CVE CVE-2023-47641 page", "url": "https://www.suse.com/security/cve/CVE-2023-47641/" }, { "category": "self", "summary": "SUSE CVE CVE-2023-49081 page", "url": "https://www.suse.com/security/cve/CVE-2023-49081/" } ], "title": "python310-aiohttp-3.9.3-2.1 on GA media", "tracking": { "current_release_date": "2024-06-15T00:00:00Z", "generator": { "date": "2024-06-15T00:00:00Z", "engine": { "name": "cve-database.git:bin/generate-csaf.pl", "version": "1" } }, "id": "openSUSE-SU-2024:13691-1", "initial_release_date": "2024-06-15T00:00:00Z", "revision_history": [ { 
"date": "2024-06-15T00:00:00Z", "number": "1", "summary": "Current version" } ], "status": "final", "version": "1" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_version", "name": "python310-aiohttp-3.9.3-2.1.aarch64", "product": { "name": "python310-aiohttp-3.9.3-2.1.aarch64", "product_id": "python310-aiohttp-3.9.3-2.1.aarch64" } }, { "category": "product_version", "name": "python311-aiohttp-3.9.3-2.1.aarch64", "product": { "name": "python311-aiohttp-3.9.3-2.1.aarch64", "product_id": "python311-aiohttp-3.9.3-2.1.aarch64" } }, { "category": "product_version", "name": "python312-aiohttp-3.9.3-2.1.aarch64", "product": { "name": "python312-aiohttp-3.9.3-2.1.aarch64", "product_id": "python312-aiohttp-3.9.3-2.1.aarch64" } }, { "category": "product_version", "name": "python39-aiohttp-3.9.3-2.1.aarch64", "product": { "name": "python39-aiohttp-3.9.3-2.1.aarch64", "product_id": "python39-aiohttp-3.9.3-2.1.aarch64" } } ], "category": "architecture", "name": "aarch64" }, { "branches": [ { "category": "product_version", "name": "python310-aiohttp-3.9.3-2.1.ppc64le", "product": { "name": "python310-aiohttp-3.9.3-2.1.ppc64le", "product_id": "python310-aiohttp-3.9.3-2.1.ppc64le" } }, { "category": "product_version", "name": "python311-aiohttp-3.9.3-2.1.ppc64le", "product": { "name": "python311-aiohttp-3.9.3-2.1.ppc64le", "product_id": "python311-aiohttp-3.9.3-2.1.ppc64le" } }, { "category": "product_version", "name": "python312-aiohttp-3.9.3-2.1.ppc64le", "product": { "name": "python312-aiohttp-3.9.3-2.1.ppc64le", "product_id": "python312-aiohttp-3.9.3-2.1.ppc64le" } }, { "category": "product_version", "name": "python39-aiohttp-3.9.3-2.1.ppc64le", "product": { "name": "python39-aiohttp-3.9.3-2.1.ppc64le", "product_id": "python39-aiohttp-3.9.3-2.1.ppc64le" } } ], "category": "architecture", "name": "ppc64le" }, { "branches": [ { "category": "product_version", "name": "python310-aiohttp-3.9.3-2.1.s390x", "product": { "name": 
"python310-aiohttp-3.9.3-2.1.s390x", "product_id": "python310-aiohttp-3.9.3-2.1.s390x" } }, { "category": "product_version", "name": "python311-aiohttp-3.9.3-2.1.s390x", "product": { "name": "python311-aiohttp-3.9.3-2.1.s390x", "product_id": "python311-aiohttp-3.9.3-2.1.s390x" } }, { "category": "product_version", "name": "python312-aiohttp-3.9.3-2.1.s390x", "product": { "name": "python312-aiohttp-3.9.3-2.1.s390x", "product_id": "python312-aiohttp-3.9.3-2.1.s390x" } }, { "category": "product_version", "name": "python39-aiohttp-3.9.3-2.1.s390x", "product": { "name": "python39-aiohttp-3.9.3-2.1.s390x", "product_id": "python39-aiohttp-3.9.3-2.1.s390x" } } ], "category": "architecture", "name": "s390x" }, { "branches": [ { "category": "product_version", "name": "python310-aiohttp-3.9.3-2.1.x86_64", "product": { "name": "python310-aiohttp-3.9.3-2.1.x86_64", "product_id": "python310-aiohttp-3.9.3-2.1.x86_64" } }, { "category": "product_version", "name": "python311-aiohttp-3.9.3-2.1.x86_64", "product": { "name": "python311-aiohttp-3.9.3-2.1.x86_64", "product_id": "python311-aiohttp-3.9.3-2.1.x86_64" } }, { "category": "product_version", "name": "python312-aiohttp-3.9.3-2.1.x86_64", "product": { "name": "python312-aiohttp-3.9.3-2.1.x86_64", "product_id": "python312-aiohttp-3.9.3-2.1.x86_64" } }, { "category": "product_version", "name": "python39-aiohttp-3.9.3-2.1.x86_64", "product": { "name": "python39-aiohttp-3.9.3-2.1.x86_64", "product_id": "python39-aiohttp-3.9.3-2.1.x86_64" } } ], "category": "architecture", "name": "x86_64" }, { "branches": [ { "category": "product_name", "name": "openSUSE Tumbleweed", "product": { "name": "openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed", "product_identification_helper": { "cpe": "cpe:/o:opensuse:tumbleweed" } } } ], "category": "product_family", "name": "SUSE Linux Enterprise" } ], "category": "vendor", "name": "SUSE" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": 
"python310-aiohttp-3.9.3-2.1.aarch64 as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:python310-aiohttp-3.9.3-2.1.aarch64" }, "product_reference": "python310-aiohttp-3.9.3-2.1.aarch64", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "python310-aiohttp-3.9.3-2.1.ppc64le as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:python310-aiohttp-3.9.3-2.1.ppc64le" }, "product_reference": "python310-aiohttp-3.9.3-2.1.ppc64le", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "python310-aiohttp-3.9.3-2.1.s390x as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:python310-aiohttp-3.9.3-2.1.s390x" }, "product_reference": "python310-aiohttp-3.9.3-2.1.s390x", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "python310-aiohttp-3.9.3-2.1.x86_64 as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:python310-aiohttp-3.9.3-2.1.x86_64" }, "product_reference": "python310-aiohttp-3.9.3-2.1.x86_64", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "python311-aiohttp-3.9.3-2.1.aarch64 as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:python311-aiohttp-3.9.3-2.1.aarch64" }, "product_reference": "python311-aiohttp-3.9.3-2.1.aarch64", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "python311-aiohttp-3.9.3-2.1.ppc64le as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:python311-aiohttp-3.9.3-2.1.ppc64le" }, "product_reference": "python311-aiohttp-3.9.3-2.1.ppc64le", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { 
"name": "python311-aiohttp-3.9.3-2.1.s390x as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:python311-aiohttp-3.9.3-2.1.s390x" }, "product_reference": "python311-aiohttp-3.9.3-2.1.s390x", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "python311-aiohttp-3.9.3-2.1.x86_64 as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:python311-aiohttp-3.9.3-2.1.x86_64" }, "product_reference": "python311-aiohttp-3.9.3-2.1.x86_64", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "python312-aiohttp-3.9.3-2.1.aarch64 as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:python312-aiohttp-3.9.3-2.1.aarch64" }, "product_reference": "python312-aiohttp-3.9.3-2.1.aarch64", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "python312-aiohttp-3.9.3-2.1.ppc64le as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:python312-aiohttp-3.9.3-2.1.ppc64le" }, "product_reference": "python312-aiohttp-3.9.3-2.1.ppc64le", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "python312-aiohttp-3.9.3-2.1.s390x as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:python312-aiohttp-3.9.3-2.1.s390x" }, "product_reference": "python312-aiohttp-3.9.3-2.1.s390x", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "python312-aiohttp-3.9.3-2.1.x86_64 as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:python312-aiohttp-3.9.3-2.1.x86_64" }, "product_reference": "python312-aiohttp-3.9.3-2.1.x86_64", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { 
"name": "python39-aiohttp-3.9.3-2.1.aarch64 as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:python39-aiohttp-3.9.3-2.1.aarch64" }, "product_reference": "python39-aiohttp-3.9.3-2.1.aarch64", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "python39-aiohttp-3.9.3-2.1.ppc64le as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:python39-aiohttp-3.9.3-2.1.ppc64le" }, "product_reference": "python39-aiohttp-3.9.3-2.1.ppc64le", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "python39-aiohttp-3.9.3-2.1.s390x as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:python39-aiohttp-3.9.3-2.1.s390x" }, "product_reference": "python39-aiohttp-3.9.3-2.1.s390x", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "python39-aiohttp-3.9.3-2.1.x86_64 as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:python39-aiohttp-3.9.3-2.1.x86_64" }, "product_reference": "python39-aiohttp-3.9.3-2.1.x86_64", "relates_to_product_reference": "openSUSE Tumbleweed" } ] }, "vulnerabilities": [ { "cve": "CVE-2023-47641", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2023-47641" } ], "notes": [ { "category": "general", "text": "aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Affected versions of aiohttp have a security vulnerability regarding the inconsistent interpretation of the http protocol. HTTP/1.1 is a persistent protocol, if both Content-Length(CL) and Transfer-Encoding(TE) header values are present it can lead to incorrect interpretation of two entities that parse the HTTP and we can poison other sockets with this incorrect interpretation. 
A possible Proof-of-Concept (POC) would be a configuration with a reverse proxy(frontend) that accepts both CL and TE headers and aiohttp as backend. As aiohttp parses anything with chunked, we can pass a chunked123 as TE, the frontend entity will ignore this header and will parse Content-Length. The impact of this vulnerability is that it is possible to bypass any proxy rule, poisoning sockets to other users like passing Authentication Headers, also if it is present an Open Redirect an attacker could combine it to redirect random users to another website and log the request. This vulnerability has been addressed in release 3.8.0 of aiohttp. Users are advised to upgrade. There are no known workarounds for this vulnerability.", "title": "CVE description" } ], "product_status": { "recommended": [ "openSUSE Tumbleweed:python310-aiohttp-3.9.3-2.1.aarch64", "openSUSE Tumbleweed:python310-aiohttp-3.9.3-2.1.ppc64le", "openSUSE Tumbleweed:python310-aiohttp-3.9.3-2.1.s390x", "openSUSE Tumbleweed:python310-aiohttp-3.9.3-2.1.x86_64", "openSUSE Tumbleweed:python311-aiohttp-3.9.3-2.1.aarch64", "openSUSE Tumbleweed:python311-aiohttp-3.9.3-2.1.ppc64le", "openSUSE Tumbleweed:python311-aiohttp-3.9.3-2.1.s390x", "openSUSE Tumbleweed:python311-aiohttp-3.9.3-2.1.x86_64", "openSUSE Tumbleweed:python312-aiohttp-3.9.3-2.1.aarch64", "openSUSE Tumbleweed:python312-aiohttp-3.9.3-2.1.ppc64le", "openSUSE Tumbleweed:python312-aiohttp-3.9.3-2.1.s390x", "openSUSE Tumbleweed:python312-aiohttp-3.9.3-2.1.x86_64", "openSUSE Tumbleweed:python39-aiohttp-3.9.3-2.1.aarch64", "openSUSE Tumbleweed:python39-aiohttp-3.9.3-2.1.ppc64le", "openSUSE Tumbleweed:python39-aiohttp-3.9.3-2.1.s390x", "openSUSE Tumbleweed:python39-aiohttp-3.9.3-2.1.x86_64" ] }, "references": [ { "category": "external", "summary": "CVE-2023-47641", "url": "https://www.suse.com/security/cve/CVE-2023-47641" }, { "category": "external", "summary": "SUSE Bug 1217174 for CVE-2023-47641", "url": "https://bugzilla.suse.com/1217174" } ], 
"remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "openSUSE Tumbleweed:python310-aiohttp-3.9.3-2.1.aarch64", "openSUSE Tumbleweed:python310-aiohttp-3.9.3-2.1.ppc64le", "openSUSE Tumbleweed:python310-aiohttp-3.9.3-2.1.s390x", "openSUSE Tumbleweed:python310-aiohttp-3.9.3-2.1.x86_64", "openSUSE Tumbleweed:python311-aiohttp-3.9.3-2.1.aarch64", "openSUSE Tumbleweed:python311-aiohttp-3.9.3-2.1.ppc64le", "openSUSE Tumbleweed:python311-aiohttp-3.9.3-2.1.s390x", "openSUSE Tumbleweed:python311-aiohttp-3.9.3-2.1.x86_64", "openSUSE Tumbleweed:python312-aiohttp-3.9.3-2.1.aarch64", "openSUSE Tumbleweed:python312-aiohttp-3.9.3-2.1.ppc64le", "openSUSE Tumbleweed:python312-aiohttp-3.9.3-2.1.s390x", "openSUSE Tumbleweed:python312-aiohttp-3.9.3-2.1.x86_64", "openSUSE Tumbleweed:python39-aiohttp-3.9.3-2.1.aarch64", "openSUSE Tumbleweed:python39-aiohttp-3.9.3-2.1.ppc64le", "openSUSE Tumbleweed:python39-aiohttp-3.9.3-2.1.s390x", "openSUSE Tumbleweed:python39-aiohttp-3.9.3-2.1.x86_64" ] } ], "scores": [ { "cvss_v3": { "baseScore": 5.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "version": "3.1" }, "products": [ "openSUSE Tumbleweed:python310-aiohttp-3.9.3-2.1.aarch64", "openSUSE Tumbleweed:python310-aiohttp-3.9.3-2.1.ppc64le", "openSUSE Tumbleweed:python310-aiohttp-3.9.3-2.1.s390x", "openSUSE Tumbleweed:python310-aiohttp-3.9.3-2.1.x86_64", "openSUSE Tumbleweed:python311-aiohttp-3.9.3-2.1.aarch64", "openSUSE Tumbleweed:python311-aiohttp-3.9.3-2.1.ppc64le", "openSUSE Tumbleweed:python311-aiohttp-3.9.3-2.1.s390x", "openSUSE Tumbleweed:python311-aiohttp-3.9.3-2.1.x86_64", "openSUSE Tumbleweed:python312-aiohttp-3.9.3-2.1.aarch64", "openSUSE Tumbleweed:python312-aiohttp-3.9.3-2.1.ppc64le", "openSUSE Tumbleweed:python312-aiohttp-3.9.3-2.1.s390x", "openSUSE 
Tumbleweed:python312-aiohttp-3.9.3-2.1.x86_64", "openSUSE Tumbleweed:python39-aiohttp-3.9.3-2.1.aarch64", "openSUSE Tumbleweed:python39-aiohttp-3.9.3-2.1.ppc64le", "openSUSE Tumbleweed:python39-aiohttp-3.9.3-2.1.s390x", "openSUSE Tumbleweed:python39-aiohttp-3.9.3-2.1.x86_64" ] } ], "threats": [ { "category": "impact", "date": "2024-06-15T00:00:00Z", "details": "moderate" } ], "title": "CVE-2023-47641" }, { "cve": "CVE-2023-49081", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2023-49081" } ], "notes": [ { "category": "general", "text": "aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Improper validation made it possible for an attacker to modify the HTTP request (e.g. to insert a new header) or create a new HTTP request if the attacker controls the HTTP version. The vulnerability only occurs if the attacker can control the HTTP version of the request. This issue has been patched in version 3.9.0.", "title": "CVE description" } ], "product_status": { "recommended": [ "openSUSE Tumbleweed:python310-aiohttp-3.9.3-2.1.aarch64", "openSUSE Tumbleweed:python310-aiohttp-3.9.3-2.1.ppc64le", "openSUSE Tumbleweed:python310-aiohttp-3.9.3-2.1.s390x", "openSUSE Tumbleweed:python310-aiohttp-3.9.3-2.1.x86_64", "openSUSE Tumbleweed:python311-aiohttp-3.9.3-2.1.aarch64", "openSUSE Tumbleweed:python311-aiohttp-3.9.3-2.1.ppc64le", "openSUSE Tumbleweed:python311-aiohttp-3.9.3-2.1.s390x", "openSUSE Tumbleweed:python311-aiohttp-3.9.3-2.1.x86_64", "openSUSE Tumbleweed:python312-aiohttp-3.9.3-2.1.aarch64", "openSUSE Tumbleweed:python312-aiohttp-3.9.3-2.1.ppc64le", "openSUSE Tumbleweed:python312-aiohttp-3.9.3-2.1.s390x", "openSUSE Tumbleweed:python312-aiohttp-3.9.3-2.1.x86_64", "openSUSE Tumbleweed:python39-aiohttp-3.9.3-2.1.aarch64", "openSUSE Tumbleweed:python39-aiohttp-3.9.3-2.1.ppc64le", "openSUSE Tumbleweed:python39-aiohttp-3.9.3-2.1.s390x", "openSUSE Tumbleweed:python39-aiohttp-3.9.3-2.1.x86_64" ] }, 
"references": [ { "category": "external", "summary": "CVE-2023-49081", "url": "https://www.suse.com/security/cve/CVE-2023-49081" }, { "category": "external", "summary": "SUSE Bug 1217684 for CVE-2023-49081", "url": "https://bugzilla.suse.com/1217684" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "openSUSE Tumbleweed:python310-aiohttp-3.9.3-2.1.aarch64", "openSUSE Tumbleweed:python310-aiohttp-3.9.3-2.1.ppc64le", "openSUSE Tumbleweed:python310-aiohttp-3.9.3-2.1.s390x", "openSUSE Tumbleweed:python310-aiohttp-3.9.3-2.1.x86_64", "openSUSE Tumbleweed:python311-aiohttp-3.9.3-2.1.aarch64", "openSUSE Tumbleweed:python311-aiohttp-3.9.3-2.1.ppc64le", "openSUSE Tumbleweed:python311-aiohttp-3.9.3-2.1.s390x", "openSUSE Tumbleweed:python311-aiohttp-3.9.3-2.1.x86_64", "openSUSE Tumbleweed:python312-aiohttp-3.9.3-2.1.aarch64", "openSUSE Tumbleweed:python312-aiohttp-3.9.3-2.1.ppc64le", "openSUSE Tumbleweed:python312-aiohttp-3.9.3-2.1.s390x", "openSUSE Tumbleweed:python312-aiohttp-3.9.3-2.1.x86_64", "openSUSE Tumbleweed:python39-aiohttp-3.9.3-2.1.aarch64", "openSUSE Tumbleweed:python39-aiohttp-3.9.3-2.1.ppc64le", "openSUSE Tumbleweed:python39-aiohttp-3.9.3-2.1.s390x", "openSUSE Tumbleweed:python39-aiohttp-3.9.3-2.1.x86_64" ] } ], "scores": [ { "cvss_v3": { "baseScore": 4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1" }, "products": [ "openSUSE Tumbleweed:python310-aiohttp-3.9.3-2.1.aarch64", "openSUSE Tumbleweed:python310-aiohttp-3.9.3-2.1.ppc64le", "openSUSE Tumbleweed:python310-aiohttp-3.9.3-2.1.s390x", "openSUSE Tumbleweed:python310-aiohttp-3.9.3-2.1.x86_64", "openSUSE Tumbleweed:python311-aiohttp-3.9.3-2.1.aarch64", "openSUSE Tumbleweed:python311-aiohttp-3.9.3-2.1.ppc64le", "openSUSE Tumbleweed:python311-aiohttp-3.9.3-2.1.s390x", "openSUSE 
Tumbleweed:python311-aiohttp-3.9.3-2.1.x86_64", "openSUSE Tumbleweed:python312-aiohttp-3.9.3-2.1.aarch64", "openSUSE Tumbleweed:python312-aiohttp-3.9.3-2.1.ppc64le", "openSUSE Tumbleweed:python312-aiohttp-3.9.3-2.1.s390x", "openSUSE Tumbleweed:python312-aiohttp-3.9.3-2.1.x86_64", "openSUSE Tumbleweed:python39-aiohttp-3.9.3-2.1.aarch64", "openSUSE Tumbleweed:python39-aiohttp-3.9.3-2.1.ppc64le", "openSUSE Tumbleweed:python39-aiohttp-3.9.3-2.1.s390x", "openSUSE Tumbleweed:python39-aiohttp-3.9.3-2.1.x86_64" ] } ], "threats": [ { "category": "impact", "date": "2024-06-15T00:00:00Z", "details": "low" } ], "title": "CVE-2023-49081" } ] }
fkie_cve-2023-47641
Vulnerability from fkie_nvd
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:aiohttp:aiohttp:*:*:*:*:*:*:*:*", "matchCriteriaId": "A206D0B6-C5CB-4AA9-9C17-C3041A7C42A7", "versionEndExcluding": "3.8.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Affected versions of aiohttp have a security vulnerability regarding the inconsistent interpretation of the http protocol. HTTP/1.1 is a persistent protocol, if both Content-Length(CL) and Transfer-Encoding(TE) header values are present it can lead to incorrect interpretation of two entities that parse the HTTP and we can poison other sockets with this incorrect interpretation. A possible Proof-of-Concept (POC) would be a configuration with a reverse proxy(frontend) that accepts both CL and TE headers and aiohttp as backend. As aiohttp parses anything with chunked, we can pass a chunked123 as TE, the frontend entity will ignore this header and will parse Content-Length. The impact of this vulnerability is that it is possible to bypass any proxy rule, poisoning sockets to other users like passing Authentication Headers, also if it is present an Open Redirect an attacker could combine it to redirect random users to another website and log the request. This vulnerability has been addressed in release 3.8.0 of aiohttp. Users are advised to upgrade. There are no known workarounds for this vulnerability." }, { "lang": "es", "value": "aiohttp es un framework cliente/servidor HTTP as\u00edncrono para asyncio y Python. Las versiones afectadas de aiohttp tienen una vulnerabilidad de seguridad relacionada con la interpretaci\u00f3n inconsistente del protocolo http. 
HTTP/1.1 es un protocolo persistente, si los valores de encabezado Content-Length (CL) y Transfer-Encoding (TE) est\u00e1n presentes, puede llevar a una interpretaci\u00f3n incorrecta de dos entidades que analizan HTTP y podemos envenenar otros sockets con esta interpretaci\u00f3n incorrecta. Una posible Proof-of-Concept (POC) ser\u00eda una configuraci\u00f3n con un proxy inverso (frontend) que acepte encabezados CL y TE y aiohttp como backend. Como aiohttp analiza cualquier cosa con fragmentos, podemos pasar un fragmento123 como TE, la entidad de interfaz ignorar\u00e1 este encabezado y analizar\u00e1 la longitud del contenido. El impacto de esta vulnerabilidad es que es posible eludir cualquier regla de proxy, envenenando los sockets de otros usuarios, como pasar encabezados de autenticaci\u00f3n. Adem\u00e1s, si est\u00e1 presente un redireccionamiento abierto, un atacante podr\u00eda combinarlo para redirigir a usuarios aleatorios a otro sitio web y registrar la solicitud. Esta vulnerabilidad se solucion\u00f3 en la versi\u00f3n 3.8.0 de aiohttp. Se recomienda a los usuarios que actualicen. No se conocen workarounds para esta vulnerabilidad." 
} ], "id": "CVE-2023-47641", "lastModified": "2024-11-21T08:30:35.137", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.4, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 1.6, "impactScore": 1.4, "source": "[email protected]", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "[email protected]", "type": "Primary" } ] }, "published": "2023-11-14T21:15:13.713", "references": [ { "source": "[email protected]", "tags": [ "Patch" ], "url": "https://github.com/aio-libs/aiohttp/commit/f016f0680e4ace6742b03a70cb0382ce86abe371" }, { "source": "[email protected]", "tags": [ "Exploit", "Patch", "Vendor Advisory" ], "url": "https://github.com/aio-libs/aiohttp/security/advisories/GHSA-xx9p-xxvh-7g8j" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "https://github.com/aio-libs/aiohttp/commit/f016f0680e4ace6742b03a70cb0382ce86abe371" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Patch", "Vendor Advisory" ], "url": "https://github.com/aio-libs/aiohttp/security/advisories/GHSA-xx9p-xxvh-7g8j" } ], "sourceIdentifier": "[email protected]", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-444" } ], "source": "[email protected]", "type": "Primary" } ] }
ghsa-xx9p-xxvh-7g8j
Vulnerability from github
Impact
Aiohttp has a security vulnerability regarding the inconsistent interpretation of the HTTP protocol. As we know, HTTP/1.1 is persistent; if we have both Content-Length (CL) and Transfer-Encoding (TE), it can lead to incorrect interpretation by two entities that parse the HTTP, and we can poison other sockets with this incorrect interpretation.
A possible Proof-of-Concept (POC) would be a configuration with a reverse proxy (frontend) that accepts both CL and TE headers and aiohttp as backend. As aiohttp parses anything with chunked, we can pass a chunked123 as TE; the frontend entity will ignore this header and will parse Content-Length. I can give a Dockerfile with the configuration if you want.
The impact of this vulnerability is that it is possible to bypass any proxy rule, poisoning sockets to other users, like passing Authentication Headers; also, if an Open Redirect is present (just like CVE-2021-21330), we can combine it to redirect random users to our website and log the request.
References
- https://github.com/aio-libs/aiohttp/commit/f016f0680e4ace6742b03a70cb0382ce86abe371
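The advisory's point is that two hops disagree on how a request is framed when the backend accepts any Transfer-Encoding value containing "chunked" while the frontend ignores the unrecognised value and uses Content-Length. The following is an added example, not aiohttp's or the advisory author's code: it models that lax check beside a strict framing check in the spirit of RFC 7230 section 3.3.3 that a defender would apply at every hop, and flags header sets on which the two hops would disagree. The header dictionary, the `KNOWN_CODINGS` set and the `SAMPLE` headers are constructed for the example.

```python
"""Added example (not aiohttp's own code): strict HTTP/1.1 framing check
beside the lax "contains chunked" reading the advisory describes."""
from typing import Dict

# Assumed set of transfer codings a strict parser is willing to accept.
KNOWN_CODINGS = {"chunked", "gzip", "x-gzip", "deflate", "compress", "identity"}


def lax_is_chunked(headers: Dict[str, str]) -> bool:
    """Lax reading the advisory attributes to affected aiohttp: any TE value
    that merely contains 'chunked' is treated as chunked framing."""
    return "chunked" in headers.get("transfer-encoding", "").lower()


def lax_backend_framing(headers: Dict[str, str]) -> str:
    """Framing decision of a backend using the lax check above."""
    if lax_is_chunked(headers):
        return "chunked"
    return "content-length" if "content-length" in headers else "none"


def frontend_framing(headers: Dict[str, str]) -> str:
    """Model of the frontend in the advisory: it ignores a TE value it does
    not recognise and falls back to Content-Length when present."""
    if headers.get("transfer-encoding", "").strip().lower() == "chunked":
        return "chunked"
    return "content-length" if "content-length" in headers else "none"


def hops_disagree(headers: Dict[str, str]) -> bool:
    """True when the lax backend and the frontend would frame the same
    request differently, i.e. the condition the advisory exploits."""
    return lax_backend_framing(headers) != frontend_framing(headers)


def strict_framing(headers: Dict[str, str]) -> str:
    """Defender's check: return 'chunked', 'content-length' or 'none', and
    raise ValueError on anything ambiguous so the request is rejected.
    Header names are assumed to be already lower-cased."""
    te = headers.get("transfer-encoding")
    cl = headers.get("content-length")
    if te is not None and cl is not None:
        # Both framings at once is the classic smuggling setup: reject.
        raise ValueError("Content-Length and Transfer-Encoding both present")
    if te is not None:
        codings = [c.strip().lower() for c in te.split(",") if c.strip()]
        # Only exact, known tokens; 'chunked' must be last and appear once.
        if (not codings or codings[-1] != "chunked"
                or codings.count("chunked") != 1
                or any(c not in KNOWN_CODINGS for c in codings)):
            raise ValueError(f"unacceptable Transfer-Encoding: {te!r}")
        return "chunked"
    if cl is not None:
        if not (cl.isascii() and cl.isdigit()):
            raise ValueError(f"malformed Content-Length: {cl!r}")
        return "content-length"
    return "none"


# Constructed sample header set mirroring the advisory's 'chunked123' case.
SAMPLE = {"transfer-encoding": "chunked123", "content-length": "5"}
```

On `SAMPLE` the lax backend reports chunked framing while the frontend uses Content-Length, so `hops_disagree` is true; `strict_framing` rejects the same headers outright.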
{ "affected": [ { "package": { "ecosystem": "PyPI", "name": "aiohttp" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "3.8.0" } ], "type": "ECOSYSTEM" } ] } ], "aliases": [ "CVE-2023-47641" ], "database_specific": { "cwe_ids": [ "CWE-444" ], "github_reviewed": true, "github_reviewed_at": "2023-11-14T20:36:25Z", "nvd_published_at": "2023-11-14T21:15:13Z", "severity": "LOW" }, "details": "### Impact\n\nAiohttp has a security vulnerability regarding the inconsistent interpretation of the http protocol. As we know that HTTP/1.1 is persistent, if we have both Content-Length(CL) and Transfer-Encoding(TE) it can lead to incorrect interpretation of two entities that parse the HTTP and we can poison other sockets with this incorrect interpretation.\n\nA possible Proof-of-Concept (POC) would be a configuration with a reverse proxy(frontend) that accepts both CL and TE headers and aiohttp as backend. As aiohttp parses anything with chunked, we can pass a chunked123 as TE, the frontend entity will ignore this header and will parse Content-Length. 
I can give a Dockerfile with the configuration if you want.\n\nThe impact of this vulnerability is that it is possible to bypass any proxy rule, poisoning sockets to other users like passing Authentication Headers, also if it is present an Open Redirect (just like CVE-2021-21330) we can combine it to redirect random users to our website and log the request.\n\n\n### References\n\n- https://github.com/aio-libs/aiohttp/commit/f016f0680e4ace6742b03a70cb0382ce86abe371", "id": "GHSA-xx9p-xxvh-7g8j", "modified": "2024-09-04T20:00:52Z", "published": "2023-11-14T20:36:25Z", "references": [ { "type": "WEB", "url": "https://github.com/aio-libs/aiohttp/security/advisories/GHSA-xx9p-xxvh-7g8j" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-47641" }, { "type": "WEB", "url": "https://github.com/aio-libs/aiohttp/commit/f016f0680e4ace6742b03a70cb0382ce86abe371" }, { "type": "PACKAGE", "url": "https://github.com/aio-libs/aiohttp" }, { "type": "WEB", "url": "https://github.com/aio-libs/aiohttp/releases/tag/v3.8.0" }, { "type": "WEB", "url": "https://github.com/pypa/advisory-database/tree/main/vulns/aiohttp/PYSEC-2023-247.yaml" } ], "schema_version": "1.4.0", "severity": [ { "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N", "type": "CVSS_V3" }, { "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N", "type": "CVSS_V4" } ], "summary": "Aiohttp has inconsistent interpretation of `Content-Length` vs. `Transfer-Encoding` differing in C and Python fallbacks" }