Open redirect vulnerability — a maliciously crafted link to an aiohttp-based web-server could redirect the browser to a different website.
It is caused by a bug in the aiohttp.web_middlewares.normalize_path_middleware middleware.
This security problem has been fixed in v3.7.4. Upgrade your dependency as follows (the version specifier is quoted so the shell does not interpret `>=` as a redirection):

```shell
pip install "aiohttp>=3.7.4"
```
If upgrading is not an option for you, a workaround can be to avoid using aiohttp.web_middlewares.normalize_path_middleware in your applications.
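As an added illustration of the defensive check a path-normalizing redirect needs, here is a small pure-Python helper. It is not code from aiohttp or from this advisory: `is_local_redirect` and the hypothetical `normalized_path_redirect` normalizer are assumptions standing in for any middleware that rewrites a request path and then issues a redirect. The point it shows is that a redirect target must be a path on the same server, never something a browser would treat as a different origin.

```python
import re
from typing import Optional
from urllib.parse import urlsplit


def is_local_redirect(location: str) -> bool:
    """Return True only if `location` is a path on this server.

    Rejects anything a browser could resolve to another host:
    absolute URLs, scheme-relative URLs ("//host/..."), the backslash
    variant some browsers normalise to "//", and control characters.
    """
    if not location.startswith("/"):
        return False
    # "//host/..." and "/\\host/..." are resolved as scheme-relative URLs.
    if location.startswith("//") or location.startswith("/\\"):
        return False
    # Whitespace or control characters have no place in a redirect target.
    if any(c.isspace() or ord(c) < 0x20 for c in location):
        return False
    parts = urlsplit(location)
    # A same-server path has neither a scheme nor a network location.
    return not parts.scheme and not parts.netloc


def normalized_path_redirect(raw_path: str) -> Optional[str]:
    """Hypothetical normalizer (assumption, not aiohttp's code).

    Collapses repeated slashes and strips a trailing slash, then returns
    the path to redirect to, or None when no (safe) redirect is needed.
    """
    path = re.sub(r"/+", "/", raw_path)
    if len(path) > 1 and path.endswith("/"):
        path = path[:-1]
    if path == raw_path:
        return None  # already normalized, nothing to do
    # Only redirect when the computed target stays on this server.
    return path if is_local_redirect(path) else None


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real request log.
    for sample in ["/docs/", "/a//b/", "//evil.example/", "/\\evil.example"]:
        print(repr(sample), "->", normalized_path_redirect(sample))
```

Whatever normalizer is in use, routing its computed Location through a check like `is_local_redirect` before emitting a 3xx response is the property a reviewer should look for; a trailing-slash or duplicate-slash rewrite must never be able to produce a target with its own host.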
If you have any questions or comments about this advisory:

* Open an issue in the aiohttp repo
* Email us at wk+aio-libs-security@sydorenko.org.ua and/or andrew.svetlov+aio-libs-security@gmail.com
Credit: [Jelmer Vernooij] and [Beast Glatisant].
```json
{
  "nvd_published_at": "2021-02-26T03:15:00Z",
  "cwe_ids": ["CWE-601"],
  "severity": "LOW",
  "github_reviewed": true,
  "github_reviewed_at": "2021-02-26T02:11:40Z"
}
```