CVE-2021-21330: Merge branch 'ghsa-v6wp-4m6f-gcjg' into master · aio-libs/aiohttp@2545222

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In aiohttp before version 3.7.4 there is an open redirect vulnerability: a maliciously crafted link to an aiohttp-based web server (a path beginning with `//`, such as `//google.com`) could redirect the browser to a different website. The cause is a bug in the aiohttp.web_middlewares.normalize_path_middleware middleware, whose redirect could carry a Location value of the form `//host`, which browsers resolve as a scheme-relative URL to that host rather than as a path on the origin. The problem is fixed in 3.7.4; upgrade with `pip install "aiohttp>=3.7.4"` (quote the specifier, otherwise the shell treats `>` as an output redirection). If upgrading is not an option, a workaround is to avoid using aiohttp.web_middlewares.normalize_path_middleware in your applications.

Category: CVE
Tags: #vulnerability #web #google
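The mechanism described above, as an added illustration that is not aiohttp's code: a stand-in path normaliser that strips a trailing slash and redirects to the result (the vulnerable shape), beside the same normaliser with the fix shape (collapse the leading run of slashes to exactly one), plus a guard that checks whether the Location value a browser would follow stays on the origin. Host names and the `SITE_URL` base are placeholders. `urljoin` performs RFC 3986 resolution; browsers are more permissive still (the WHATWG parser skips any number of slashes after the scheme), which is why the guard rejects any second leading slash or backslash instead of trusting resolution alone.

```python
import re
from urllib.parse import urljoin, urlsplit

# Constructed values for the demonstration; the host names are placeholders.
SITE_URL = "https://app.example/some/page"


def naive_normalize(raw_path: str, remove_slash: bool = True) -> str:
    """Illustrative *vulnerable* normaliser (not aiohttp's code).

    It strips one trailing slash and hands the result back as the redirect
    target without ever looking at the run of slashes at the front, so a
    request for '//evil.example/' becomes a Location of '//evil.example'.
    """
    if remove_slash and len(raw_path) > 1 and raw_path.endswith("/"):
        raw_path = raw_path[:-1]
    return raw_path


def hardened_normalize(raw_path: str, remove_slash: bool = True) -> str:
    """Same normaliser with the fix shape: any run of leading slashes is
    collapsed to exactly one before the path becomes a Location value, so
    the result is always an absolute-path reference, never '//host'."""
    path = naive_normalize(raw_path, remove_slash)
    return re.sub(r"^/+", "/", path)


def browser_resolves(location: str, current_url: str = SITE_URL) -> str:
    """Where a client lands after following Location: RFC 3986 reference
    resolution against the page that issued the redirect.  A value that
    starts with '//' is a network-path reference: it keeps only the scheme
    of the current page and replaces the host."""
    return urljoin(current_url, location)


def is_local_redirect(location: str) -> bool:
    """Defence-in-depth check to apply before emitting a Location header (or
    to assert in tests): an absolute-path reference with no scheme and no
    authority.  The second character is checked against both '/' and '\\'
    because browsers treat '/\\host' like '//host'."""
    parts = urlsplit(location)
    return (
        parts.scheme == ""
        and parts.netloc == ""
        and location.startswith("/")
        and (len(location) == 1 or location[1] not in "/\\")
    )


def redirect_outcome(raw_path: str, normalizer) -> dict:
    """Run one attacker-supplied path through a normaliser and report the
    Location it would emit, where a browser would end up, and whether the
    local-redirect guard would have accepted it."""
    location = normalizer(raw_path)
    return {
        "location": location,
        "lands_on": browser_resolves(location),
        "guard_accepts": is_local_redirect(location),
    }


if __name__ == "__main__":
    for attacker_path in ("//evil.example/", "///evil.example/", "/google.com/"):
        print(attacker_path, "naive:   ", redirect_outcome(attacker_path, naive_normalize))
        print(attacker_path, "hardened:", redirect_outcome(attacker_path, hardened_normalize))
```

The guard is deliberately stricter than the normaliser: even after the leading slashes are collapsed, asserting `is_local_redirect` on every Location an application emits catches the next normaliser bug before a browser does.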

@@ -361,6 +361,38 @@ async def test_cannot_remove_and_add_slash(self) -> None:

with pytest.raises(AssertionError):

web.normalize_path_middleware(append_slash=True, remove_slash=True)

@pytest.mark.parametrize(

["append_slash", “remove_slash”],

[

(True, False),

(False, True),

(False, False),

],

)

async def test_open_redirects(

self, append_slash: bool, remove_slash: bool, aiohttp_client: Any

) -> None:

async def handle(request: web.Request) -> web.StreamResponse:

pytest.fail(

msg="Security advisory ‘GHSA-v6wp-4m6f-gcjg’ test handler "

"matched unexpectedly",

pytrace=False,

)

app = web.Application(

middlewares=[

web.normalize_path_middleware(

append_slash=append_slash, remove_slash=remove_slash

)

]

)

app.add_routes([web.get("/", handle), web.get("/google.com", handle)])

client = await aiohttp_client(app, server_kwargs={"skip_url_asserts": True})

resp = await client.get("//google.com", allow_redirects=False)

assert resp.status == 308

assert resp.headers[“Location”] == “/google.com”

assert resp.url.query == URL(“//google.com”).query

async def test_bug_3669(aiohttp_client: Any):

async def paymethod(request):
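Review bot: the `(False, False)` row of the parametrize table depends on a setting the call `web.normalize_path_middleware(append_slash=append_slash, remove_slash=remove_slash)` never names, since `merge_slashes` is left at its default and that default is the only thing that can turn `//google.com` into the expected `Location: /google.com` when both flags are off. Pass `merge_slashes=True` explicitly, or add it as a third parametrize column, so the configuration under test is visible in the test itself. Every row also requests the same `//google.com`; a second shape per row (for example `//google.com/` in the `remove_slash` row) would make each row exercise the branch it selects rather than the shared merge-slashes path. Finally, the reason for registering `web.get("/", handle)` next to `web.get("/google.com", handle)` is not obvious from the test body and deserves a one-line comment.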

Related news

CVE-2023-47641: Inconsistent interpretation of `Content-Length` vs. `Transfer-Encoding` differing in C and Python fallbacks

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Affected versions of aiohttp interpret the HTTP protocol inconsistently. HTTP/1.1 is a persistent protocol: when both a Content-Length (CL) and a Transfer-Encoding (TE) header are present, two entities that parse the same request can frame its body differently, and the bytes left over on the connection can poison it for other users (request smuggling). A possible proof of concept (PoC) is a reverse proxy (frontend) that accepts both CL and TE headers, with aiohttp as the backend. Because aiohttp treats any TE value containing "chunked" as chunked, a request with `Transfer-Encoding: chunked123` is framed by Content-Length at the frontend, which ignores the unrecognised TE value, but as chunked by aiohttp. The impact is that any proxy rule can be bypassed and the connection poisoned for other users, for example by attaching authentication headers to their requests; if an open redirect is also present, an attacker could combine the two to redirect random us...
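The CL.TE desynchronisation the advisory describes, as an added example in plain Python that is not aiohttp's parser: one constructed request is framed by a strict policy (chunked only when `chunked` is the final coding, the frontend behaviour described above) and by a lax policy (any value containing `chunked`, the backend behaviour described above), showing the bytes the lax side leaves on the connection and how they swallow the next user's request line. `reject_ambiguous_framing` is the response RFC 7230 section 3.3.3 asks of a hardened parser. Paths, hosts, header names and the cookie are placeholders.

```python
from typing import Callable, Optional, Tuple

TePolicy = Callable[[str], bool]


def parse_head(raw: bytes) -> Tuple[str, dict, bytes]:
    """Split an HTTP/1.1 message into request line, lower-cased header
    dict and the bytes that follow the blank line."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return lines[0].decode(), headers, rest


def decode_chunked(data: bytes) -> Tuple[bytes, bytes]:
    """Decode a chunked body; return (body, bytes left on the connection).
    Trailers are not handled because the constructed sample carries none."""
    body, pos = b"", 0
    while True:
        eol = data.index(b"\r\n", pos)
        size = int(data[pos:eol].split(b";")[0], 16)  # ignore chunk extensions
        pos = eol + 2
        if size == 0:
            pos = data.index(b"\r\n", pos) + 2  # consume the final CRLF
            return body, data[pos:]
        body += data[pos:pos + size]
        pos += size + 2  # chunk data plus its trailing CRLF


def frame_request(raw: bytes, treats_as_chunked: TePolicy) -> Tuple[str, bytes, bytes]:
    """Frame one request as a parser with the given TE policy would and
    return (request line, body, leftover bytes that the parser will read
    as the start of the *next* request on the same connection)."""
    request_line, headers, rest = parse_head(raw)
    te = headers.get("transfer-encoding")
    if te is not None and treats_as_chunked(te):
        body, leftover = decode_chunked(rest)
    else:
        length = int(headers.get("content-length", "0"))
        body, leftover = rest[:length], rest[length:]
    return request_line, body, leftover


def strict_te(value: str) -> bool:
    """Frontend-style policy: chunked only if 'chunked' is the final coding."""
    return value.lower().split(",")[-1].strip() == "chunked"


def lax_te(value: str) -> bool:
    """Backend-style policy from the advisory: any value that *contains*
    'chunked', so 'chunked123' counts as chunked."""
    return "chunked" in value.lower()


def reject_ambiguous_framing(headers: dict) -> Optional[str]:
    """RFC 7230 section 3.3.3 hardening: refuse a message whose length can be
    read two ways.  Returns the reason for a 400, or None when unambiguous."""
    te = headers.get("transfer-encoding")
    if te is None:
        return None
    if "content-length" in headers:
        return "both Transfer-Encoding and Content-Length present"
    if not strict_te(te):
        return "Transfer-Encoding does not end with chunked"
    return None


def build_smuggling_request() -> bytes:
    """Constructed CL.TE probe: a zero-length chunked body followed by the
    start of a second request.  Content-Length covers all of it, so a
    CL-framing frontend forwards the whole thing as one message."""
    smuggled_prefix = b"GET /admin HTTP/1.1\r\nX-Swallow: "
    body = b"0\r\n\r\n" + smuggled_prefix
    head = (
        b"POST /api/pay HTTP/1.1\r\n"
        b"Host: app.example\r\n"
        b"Content-Length: " + str(len(body)).encode() + b"\r\n"
        b"Transfer-Encoding: chunked123\r\n"
        b"\r\n"
    )
    return head + body


def victim_request_line_at_backend(leftover: bytes) -> str:
    """What the lax backend takes as the next request once a constructed
    victim request arrives on the poisoned connection: the leftover prefix
    absorbs the victim's own request line into a header value."""
    victim = b"GET /profile HTTP/1.1\r\nHost: app.example\r\nCookie: session=victim\r\n\r\n"
    request_line, _, _ = frame_request(leftover + victim, lax_te)
    return request_line


if __name__ == "__main__":
    probe = build_smuggling_request()
    print("frontend:", frame_request(probe, strict_te))
    print("backend: ", frame_request(probe, lax_te))
    print("victim sees:", victim_request_line_at_backend(frame_request(probe, lax_te)[2]))
```

The two `frame_request` calls on the same bytes are the whole vulnerability: the frontend applied its rules to a `POST /api/pay`, while the backend's leftover `GET /admin ...` prefix is what the next user's request turns into, cookie included.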

Gentoo Linux Security Advisory 202208-19

Gentoo Linux Security Advisory 202208-19 - An open redirect vulnerability has been discovered in aiohttp. Versions less than 3.7.4 are affected.
