CVE-2023-37276

See a problem?

Source

https://nvd.nist.gov/vuln/detail/CVE-2023-37276

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-37276.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2023-37276

Aliases

Related

Published

2023-07-19T20:15:10Z

Modified

2024-09-18T03:24:05.550675Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS Calculator

Summary

[none]

Details

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. aiohttp v3.8.4 and earlier are bundled with llhttp v6.0.6. Vulnerable code is used by aiohttp for its HTTP request parser when available which is the default case when installing from a wheel. This vulnerability only affects users of aiohttp as an HTTP server (ie aiohttp.Application), you are not affected by this vulnerability if you are using aiohttp as an HTTP client library (ie aiohttp.ClientSession). Sending a crafted HTTP request will cause the server to misinterpret one of the HTTP header values leading to HTTP request smuggling. This issue has been addressed in version 3.8.5. Users are advised to upgrade. Users unable to upgrade can reinstall aiohttp using AIOHTTP_NO_EXTENSIONS=1 as an environment variable to disable the llhttp HTTP request parser implementation. The pure Python implementation isn't vulnerable.

References

Affected packages

Debian:11 / python-aiohttp

Package

Name: python-aiohttp
Purl: pkg:deb/debian/python-aiohttp?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

3.*

3.7.4-1

3.7.4-2

3.8.1-1

3.8.1-2

3.8.1-3

3.8.1-4

3.8.1-5

3.8.3-1

3.8.4-1

3.8.5-1

3.8.6-1

3.9.1-1

3.9.5-1

3.10.0-1

3.10.1-1

3.10.3-1

3.10.3-2

3.10.3-3

3.10.4-1

3.10.5-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / python-aiohttp

Package

Name: python-aiohttp
Purl: pkg:deb/debian/python-aiohttp?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

3.*

3.8.4-1

3.8.5-1

3.8.6-1

3.9.1-1

3.9.5-1

3.10.0-1

3.10.1-1

3.10.3-1

3.10.3-2

3.10.3-3

3.10.4-1

3.10.5-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / python-aiohttp

Package

Name: python-aiohttp
Purl: pkg:deb/debian/python-aiohttp?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.8.5-1

Affected versions

3.*

3.8.4-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/aio-libs/aiohttp

Affected ranges

Type: GIT
Repo: https://github.com/aio-libs/aiohttp
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

9337fb3f2ab2b5f38d7e98a194bde6f7e3d16c40

Affected versions

0.*

0.15.2

0.8.2

1.*

1.3.0

2.*

2.0.0

2.0.0rc1

2.0.1

2.0.2

2.0.3

2.0.3-1

2.0.4

2.0.5

2.0.6

2.0.7

4v0.*

4v0.21.6

v.*

v.0.6.5

v0.*

v0.1

v0.10.0

v0.10.1

v0.10.2

v0.11.0

v0.12.0

v0.13.0

v0.13.1

v0.14.0

v0.14.1

v0.14.2

v0.14.3

v0.14.4

v0.15.0

v0.15.1

v0.15.2

v0.15.3

v0.16.0

v0.16.1

v0.16.2

v0.16.3

v0.16.4

v0.16.5

v0.16.6

v0.17.0

v0.17.1

v0.17.2

v0.17.3

v0.17.4

v0.18.0

v0.18.1

v0.18.2

v0.18.3

v0.18.4

v0.19.0

v0.2

v0.20.0

v0.20.1

v0.20.2

v0.21.0

v0.21.0a0

v0.21.0a1

v0.21.0a2

v0.21.1

v0.21.2

v0.21.3

v0.21.4

v0.21.5

v0.21.6

v0.22.0

v0.22.0b0

v0.22.0b1

v0.22.0b2

v0.22.0b3

v0.22.0b4

v0.22.0b5

v0.22.0b6

v0.22.1

v0.22.2

v0.22.3

v0.22.4

v0.22.5

v0.3

v0.4

v0.4.1

v0.4.2

v0.5.0

v0.6.1

v0.6.2

v0.6.3

v0.6.4

v0.7.0

v0.7.1

v0.7.2

v0.7.3

v0.8.0

v0.8.1

v0.8.3

v0.8.4

v0.9.0

v0.9.1

v0.9.2

v0.9.3

v1.*

v1.0.0

v1.0.1

v1.0.2

v1.0.4

v1.0.5

v1.1.0

v1.1.1

v1.1.2

v1.1.3

v1.1.4

v1.1.5

v1.1.6

v1.2.0

v2.*

v2.1.0

v2.2.0

v2.2.1

v2.2.2

v2.2.3

v2.2.4

v2.2.5

v2.3.0

v2.3.0a1

v2.3.0a2

v2.3.0a3

v2.3.0a4

v2.3.1

v2.3.10

v2.3.1a1

v2.3.2

v2.3.2b1

v2.3.2b2

v2.3.2b3

v2.3.3

v2.3.4

v2.3.5

v2.3.6

v2.3.7

v2.3.8

v2.3.9

v3.*

v3.0.0

v3.0.0b0

v3.0.0b1

v3.0.0b2

v3.0.0b3

v3.0.0b4

v3.0.1

v3.0.2

v3.0.3

v3.0.4

v3.0.5

v3.0.6

v3.0.7

v3.0.8

v3.0.9

v3.1.0

v3.1.1

v3.1.2

v3.2.0

v3.2.1

v3.3.0

v3.3.1

v3.3.1b1

v3.3.2

v3.3.2a0

v3.4.0

v3.4.0a0

v3.4.0a3

v3.4.0b1

v3.4.0b2

v3.4.1

v3.4.2

v3.4.3

v3.4.4

v3.5.0

v3.5.0a1

v3.5.0b1

v3.5.0b2

v3.5.0b3

v3.5.1

v3.5.2

v3.5.3

v3.5.4

v3.6.0

v3.6.0a0

v3.6.0a1

v3.6.0a10

v3.6.0a11

v3.6.0a12

v3.6.0a2

v3.6.0a3

v3.6.0a4

v3.6.0a5

v3.6.0a6

v3.6.0a7

v3.6.0a8

v3.6.0a9

v3.6.0b0

v3.6.1

v3.6.1b3

v3.6.1b4

v3.6.2

v3.6.2a1

v3.6.2a2

v3.7.0

v3.7.0b0

v3.7.0b1

v3.7.1

v3.7.2

v3.7.3

v3.7.4

v3.7.4.post0

v3.8.0

v3.8.1

v3.8.2

v3.8.2a0

v3.8.3

v3.8.4