Debian Python-Aiohttp vulnerabilities

CVE-2024-42367 [MEDIUM] CVE-2024-42367: python-aiohttp - aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. ... aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In versions on the 3.10 branch prior to version 3.10.2, static routes which contain files with compressed variants (`.gz` or `.br` extension) are vulnerable to path traversal outside the root directory if those variants are symbolic links. The server protects static routes from

CVE-2024-23829 [MEDIUM] CVE-2024-23829: python-aiohttp - aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. ... aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Security-sensitive parts of the Python HTTP parser retained minor differences in allowable character sets, that must trigger error handling to robustly match frame boundaries of proxies in order to protect against injection of additional requests. Additionally, validation could

CVE-2024-27306 [MEDIUM] CVE-2024-27306: python-aiohttp - aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. ... aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. A XSS vulnerability exists on index pages for static file handling. This vulnerability is fixed in 3.9.4. We have always recommended using a reverse proxy server (e.g. nginx) for serving static files. Users following the recommendation are unaffected. Other users can disable `sh

CVE-2024-52304 [MEDIUM] CVE-2024-52304: python-aiohttp - aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. ... aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.10.11, the Python parser parses newlines in chunk extensions incorrectly which can lead to request smuggling vulnerabilities under certain conditions. If a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or `AIOHTTP_NO_EXTENSI

CVE-2024-23334 [MEDIUM] CVE-2024-23334: python-aiohttp - aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. ... aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. When using aiohttp as a web server and configuring static routes, it is necessary to specify the root path for static files. Additionally, the option 'follow_symlinks' can be used to determine whether to follow symbolic links outside the static root directory. When 'follow_symli

CVE-2024-52303 [HIGH] CVE-2024-52303: python-aiohttp - aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. ... aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In versions starting with 3.10.6 and prior to 3.10.11, a memory leak can occur when a request produces a MatchInfoError. This was caused by adding an entry to a cache on each request, due to the building of each MatchInfoError producing a unique cache entry. An attacker may be abl

CVE-2023-49081 [HIGH] CVE-2023-49081: python-aiohttp - aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. ... aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Improper validation made it possible for an attacker to modify the HTTP request (e.g. to insert a new header) or create a new HTTP request if the attacker controls the HTTP version. The vulnerability only occurs if the attacker can control the HTTP version of the request. This iss

CVE-2023-49082 [MEDIUM] CVE-2023-49082: python-aiohttp - aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. ... aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Improper validation makes it possible for an attacker to modify the HTTP request (e.g. insert a new header) or even create a new HTTP request if the attacker controls the HTTP method. The vulnerability occurs only if the attacker can control the HTTP method (GET, POST etc.) of t

CVE-2023-47627 [MEDIUM] CVE-2023-47627: python-aiohttp - aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. ... aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. The HTTP parser in AIOHTTP has numerous problems with header parsing, which could lead to request smuggling. This parser is only used when AIOHTTP_NO_EXTENSIONS is enabled (or not using a prebuilt wheel). These bugs have been addressed in commit `d5c12ba89` which has been includ

CVE-2023-37276 [MEDIUM] CVE-2023-37276: python-aiohttp - aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. ... aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. aiohttp v3.8.4 and earlier are bundled with llhttp v6.0.6. Vulnerable code is used by aiohttp for its HTTP request parser when available which is the default case when installing from a wheel. This vulnerability only affects users of aiohttp as an HTTP server (ie `aiohttp.Applic

CVE-2023-47641 [LOW] CVE-2023-47641: python-aiohttp - aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. ... aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Affected versions of aiohttp have a security vulnerability regarding the inconsistent interpretation of the http protocol. HTTP/1.1 is a persistent protocol, if both Content-Length(CL) and Transfer-Encoding(TE) header values are present it can lead to incorrect interpretation of tw

CVE-2021-21330 [LOW] CVE-2021-21330: python-aiohttp - aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. ... aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In aiohttp before version 3.7.4 there is an open redirect vulnerability. A maliciously crafted link to an aiohttp-based web-server could redirect the browser to a different website. It is caused by a bug in the `aiohttp.web_middlewares.normalize_path_middleware` middleware. This se