CVE-2021-21330 — Open Redirect in Aiohttp

CWE-601 — Open Redirect CWE-444 — HTTP Request Smuggling9 documents7 sources

Severity

6.1MEDIUMNVD

CNA3.1

EPSS

0.5%

top 34.24%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Aio-libs Aiohttp Aiohttp Debian Linux +1 more

Timeline

PublishedFeb 26

Latest updateNov 14

Description

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In aiohttp before version 3.7.4 there is an open redirect vulnerability. A maliciously crafted link to an aiohttp-based web-server could redirect the browser to a different website. It is caused by a bug in the `aiohttp.web_middlewares.normalize_path_middleware` middleware. This security problem has been fixed in 3.7.4. Upgrade your dependency using pip as follows "pip install aiohttp >= 3.7.4". If upgrading is not a…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages3 packages

▶NVDaiohttp/aiohttp< 3.7.4

▶PyPIaiohttp/aiohttp< 3.8.0+1

▶CVEListV5aio-libs/aiohttp< 3.7.4

Also affects: Debian Linux 10.0, Fedora 33, 34

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

Aiohttp has inconsistent interpretation of `Content-Length` vs. `Transfer-Encoding` differing in C and Python fallbacks↗2023-11-14

▶

OSV

CVE-2021-21330: aiohttp is an asynchronous HTTP client/server framework for asyncio and Python↗2021-02-26

▶

OSV

`aiohttp` Open Redirect vulnerability (`normalize_path_middleware` middleware)↗2021-02-26

▶

GHSA

`aiohttp` Open Redirect vulnerability (`normalize_path_middleware` middleware)↗2021-02-26

▶

CVEList

Open redirect vulnerability in aiohttp↗2021-02-26

▶

📋Vendor Advisories

Ubuntu

AIOHTTP vulnerability↗2022-04-21

▶

Red Hat

python-aiohttp: Open redirect in aiohttp.web_middlewares.normalize_path_middleware↗2021-02-25

▶

Debian

CVE-2021-21330: python-aiohttp - aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. ...↗2021

▶