CVE-2023-47641 — HTTP Request Smuggling in Aiohttp

CWE-444 — HTTP Request Smuggling7 documents6 sources

Severity

6.5MEDIUMNVD

CNA3.4GHSA6.1OSV6.1

EPSS

0.3%

top 45.04%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Aio-libs Aiohttp Aiohttp

Timeline

PublishedNov 14

Description

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Affected versions of aiohttp have a security vulnerability regarding the inconsistent interpretation of the http protocol. HTTP/1.1 is a persistent protocol, if both Content-Length(CL) and Transfer-Encoding(TE) header values are present it can lead to incorrect interpretation of two entities that parse the HTTP and we can poison other sockets with this incorrect interpretation. A possible Proof-of-Concept (POC) would…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:NExploitability: 3.9 | Impact: 2.5

Affected Packages3 packages

▶NVDaiohttp/aiohttp< 3.8.0

▶PyPIaiohttp/aiohttp< 3.8.0

▶CVEListV5aio-libs/aiohttp< 3.8.0

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

Aiohttp has inconsistent interpretation of `Content-Length` vs. `Transfer-Encoding` differing in C and Python fallbacks↗2023-11-14

▶

OSV

CVE-2023-47641: aiohttp is an asynchronous HTTP client/server framework for asyncio and Python↗2023-11-14

▶

CVEList

Inconsistent interpretation of `Content-Length` vs. `Transfer-Encoding` in aiohttp↗2023-11-14

▶

OSV

Aiohttp has inconsistent interpretation of `Content-Length` vs. `Transfer-Encoding` differing in C and Python fallbacks↗2023-11-14

▶

📋Vendor Advisories

Red Hat

python-aiohttp: inconsistent interpretation of `Content-Length` vs. `Transfer-Encoding`↗2023-11-14

▶

Debian

CVE-2023-47641: python-aiohttp - aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. ...↗2023

▶