CVE-2024-23829

See a problem?

Source

https://nvd.nist.gov/vuln/detail/CVE-2024-23829

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-23829.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2024-23829

Aliases

Related

Published

2024-01-29T23:15:08Z

Modified

2024-09-18T03:25:02.098369Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L CVSS Calculator

Summary

[none]

Details

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Security-sensitive parts of the Python HTTP parser retained minor differences in allowable character sets, that must trigger error handling to robustly match frame boundaries of proxies in order to protect against injection of additional requests. Additionally, validation could trigger exceptions that were not handled consistently with processing of other malformed input. Being more lenient than internet standards require could, depending on deployment environment, assist in request smuggling. The unhandled exception could cause excessive resource consumption on the application server and/or its logging facilities. This vulnerability exists due to an incomplete fix for CVE-2023-47627. Version 3.9.2 fixes this vulnerability.

References

Affected packages

Debian:11 / python-aiohttp

Package

Name: python-aiohttp
Purl: pkg:deb/debian/python-aiohttp?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

3.*

3.7.4-1

3.7.4-2

3.8.1-1

3.8.1-2

3.8.1-3

3.8.1-4

3.8.1-5

3.8.3-1

3.8.4-1

3.8.5-1

3.8.6-1

3.9.1-1

3.9.5-1

3.10.0-1

3.10.1-1

3.10.3-1

3.10.3-2

3.10.3-3

3.10.4-1

3.10.5-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / python-aiohttp

Package

Name: python-aiohttp
Purl: pkg:deb/debian/python-aiohttp?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

3.*

3.8.4-1

3.8.5-1

3.8.6-1

3.9.1-1

3.9.5-1

3.10.0-1

3.10.1-1

3.10.3-1

3.10.3-2

3.10.3-3

3.10.4-1

3.10.5-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / python-aiohttp

Package

Name: python-aiohttp
Purl: pkg:deb/debian/python-aiohttp?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.9.5-1

Affected versions

3.*

3.8.4-1

3.8.5-1

3.8.6-1

3.9.1-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/aio-libs/aiohttp

Affected ranges

Type: GIT
Repo: https://github.com/aio-libs/aiohttp
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

33ccdfb0a12690af5bb49bda2319ec0907fa7827

Affected versions

0.*

0.15.2

0.8.2

1.*

1.3.0

2.*

2.0.0

2.0.0rc1

2.0.1

2.0.2

2.0.3

2.0.3-1

2.0.4

2.0.5

2.0.6

2.0.7

4v0.*

4v0.21.6

v.*

v.0.6.5

v0.*

v0.1

v0.10.0

v0.10.1

v0.10.2

v0.11.0

v0.12.0

v0.13.0

v0.13.1

v0.14.0

v0.14.1

v0.14.2

v0.14.3

v0.14.4

v0.15.0

v0.15.1

v0.15.2

v0.15.3

v0.16.0

v0.16.1

v0.16.2

v0.16.3

v0.16.4

v0.16.5

v0.16.6

v0.17.0

v0.17.1

v0.17.2

v0.17.3

v0.17.4

v0.18.0

v0.18.1

v0.18.2

v0.18.3

v0.18.4

v0.19.0

v0.2

v0.20.0

v0.20.1

v0.20.2

v0.21.0

v0.21.0a0

v0.21.0a1

v0.21.0a2

v0.21.1

v0.21.2

v0.21.3

v0.21.4

v0.21.5

v0.21.6

v0.22.0

v0.22.0b0

v0.22.0b1

v0.22.0b2

v0.22.0b3

v0.22.0b4

v0.22.0b5

v0.22.0b6

v0.22.1

v0.22.2

v0.22.3

v0.22.4

v0.22.5

v0.3

v0.4

v0.4.1

v0.4.2

v0.5.0

v0.6.1

v0.6.2

v0.6.3

v0.6.4

v0.7.0

v0.7.1

v0.7.2

v0.7.3

v0.8.0

v0.8.1

v0.8.3

v0.8.4

v0.9.0

v0.9.1

v0.9.2

v0.9.3

v1.*

v1.0.0

v1.0.1

v1.0.2

v1.0.4

v1.0.5

v1.1.0

v1.1.1

v1.1.2

v1.1.3

v1.1.4

v1.1.5

v1.1.6

v1.2.0

v2.*

v2.1.0

v2.2.0

v2.2.1

v2.2.2

v2.2.3

v2.2.4

v2.2.5

v2.3.0

v2.3.0a1

v2.3.0a2

v2.3.0a3

v2.3.0a4

v2.3.1

v2.3.10

v2.3.1a1

v2.3.2

v2.3.2b1

v2.3.2b2

v2.3.2b3

v2.3.3

v2.3.4

v2.3.5

v2.3.6

v2.3.7

v2.3.8

v2.3.9

v3.*

v3.0.0

v3.0.0b0

v3.0.0b1

v3.0.0b2

v3.0.0b3

v3.0.0b4

v3.0.1

v3.0.2

v3.0.3

v3.0.4

v3.0.5

v3.0.6

v3.0.7

v3.0.8

v3.0.9

v3.1.0

v3.1.1

v3.1.2

v3.2.0

v3.2.1

v3.3.0

v3.3.1

v3.3.1b1

v3.3.2

v3.3.2a0

v3.4.0

v3.4.0a0

v3.4.0a3

v3.4.0b1

v3.4.0b2

v3.4.1

v3.4.2

v3.4.3

v3.4.4

v3.5.0

v3.5.0a1

v3.5.0b1

v3.5.0b2

v3.5.0b3

v3.5.1

v3.5.2

v3.5.3

v3.5.4

v3.6.0

v3.6.0a0

v3.6.0a1

v3.6.0a10

v3.6.0a11

v3.6.0a12

v3.6.0a2

v3.6.0a3

v3.6.0a4

v3.6.0a5

v3.6.0a6

v3.6.0a7

v3.6.0a8

v3.6.0a9

v3.6.0b0

v3.6.1

v3.6.1b3

v3.6.1b4

v3.6.2

v3.6.2a1

v3.6.2a2

v3.7.0

v3.7.0b0

v3.7.0b1

v3.7.1

v3.7.2

v3.7.3

v3.7.4

v3.7.4.post0

v3.8.0

v3.8.1

v3.8.2

v3.8.2a0

v3.8.3

v3.9.0

v3.9.0b0

v3.9.0b1

v3.9.0rc0

v4.*

v4.0.0a0

v4.0.0a1