CVE-2023-47627
Published: 2023-11-14
Severity: High (CVSS 3.1 base score 7.5)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. The pure-Python HTTP parser in AIOHTTP has numerous problems with header parsing, which could lead to request smuggling. This parser is only used when AIOHTTP_NO_EXTENSIONS is enabled (or when aiohttp is not installed from a prebuilt wheel, so the C extension parser is unavailable). These bugs have been addressed in commit `d5c12ba89`, which is included in release version 3.8.6. Users are advised to upgrade. There are no known workarounds for these issues.
Affected (8 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| aio-libs | aiohttp | < 3.9.2 | 3.9.2 |
| aiohttp | aiohttp | < 3.9.2 | 3.9.2 |
| aiohttp | aiohttp | < 3.8.6 | 3.8.6 |
| aiohttp | aiohttp | >= 0 < 3.8.6 | 3.8.6 |
| debian | python-aiohttp | < python-aiohttp 3.8.4-1+deb12u1 (bookworm) | python-aiohttp 3.8.4-1+deb12u1 (bookworm) |
| debian | python-aiohttp | < python-aiohttp 3.7.4-1+deb11u1 (bullseye) | python-aiohttp 3.7.4-1+deb11u1 (bullseye) |
| fedoraproject | fedora | — | — |
| msrc | azl3_mozjs_102.15.1-1_on_azure_linux_3.0 | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
| osv | — | 7.5 | HIGH | — |