CVE-2023-49082 (Medium) detected in aiohttp-3.8.6-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl #1329
Labels
Comments
mend-for-github-com
bot
added
the
Mend: dependency security vulnerability
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
CVE-2023-49082 - Medium Severity Vulnerability
Async http client/server framework (asyncio)
Library home page: https://files.pythonhosted.org/packages/a5/e7/af237a28203958d885f7f57731cb4f9c510597a35c593c5c20224dd72072/aiohttp-3.8.6-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
Path to dependency file: /benchmarks/osb/requirements.txt
Path to vulnerable library: /benchmarks/osb/requirements.txt
Dependency Hierarchy:
Found in HEAD commit: 2fb2ad116bc11bde3eab5695aed65392943c08ae
Found in base branch: main
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Improper validation makes it possible for an attacker to modify the HTTP request (e.g. insert a new header) or even create a new HTTP request if the attacker controls the HTTP method. The vulnerability occurs only if the attacker can control the HTTP method (GET, POST etc.) of the request. If the attacker can control the HTTP version of the request it will be able to modify the request (request smuggling). This issue has been patched in version 3.9.0.
Publish Date: 2023-11-29
URL: CVE-2023-49082
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Type: Upgrade version
Origin: GHSA-qvrw-v9rv-5rjx
Release Date: 2023-11-29
Fix Resolution: 3.9.0
The text was updated successfully, but these errors were encountered: