Bug 1933364 (CVE-2021-21330)

Summary: CVE-2021-21330 python-aiohttp: Open redirect in aiohttp.web_middlewares.normalize_path_middleware
Product: [Other] Security Response Reporter: Pedro Sampaio <psampaio>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: athmanem, bbuckingham, bcoca, bcourt, bkearney, btotty, chousekn, cmeyers, davidn, gblomqui, gsuckevi, hhudgeon, igor.raits, jcammara, jhardy, jobarker, kaycoth, lzap, mabashia, mail, mmccune, nmoumoul, osapryki, pcreech, python-sig, rchan, relrod, rhel8-maint, rjerrido, sdoran, smcdonal, sokeeffe, tkuratom
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: python-aiohttp 3.7.4 Doc Type: If docs needed, set a value
Doc Text:
An open redirect flaw was found in python-aiohttp. This flaw allows a remote, unauthenticated attacker to trick users into visiting a malicious webpage, disguised as a legitimate webpage and affects applications using the normalize_path_middleware functionality. The highest threat from this vulnerability is to confidentiality and integrity.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-11-02 23:10:08 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1933365, 1933366, 1934072, 1934290    
Bug Blocks: 1933367    

Description Pedro Sampaio 2021-02-26 19:54:04 UTC 
A flaw was found in python-aiohttp. A maliciously crafted link to an aiohttp-based web-server could redirect the browser to a different website. It is caused by a bug in the aiohttp.web_middlewares.normalize_path_middleware middleware.

References:

https://github.com/aio-libs/aiohttp/security/advisories/GHSA-v6wp-4m6f-gcjg
Comment 1 Pedro Sampaio 2021-02-26 19:54:42 UTC 
Created python-aiohttp tracking bugs for this issue:

Affects: epel-8 [bug 1933366]
Affects: fedora-all [bug 1933365]
Comment 4 Yadnyawalk Tale 2021-03-02 12:48:17 UTC 
External References:

https://github.com/aio-libs/aiohttp/security/advisories/GHSA-v6wp-4m6f-gcjg
Comment 7 Todd Cullum 2021-03-02 21:01:25 UTC 
Upstream patch: https://github.com/aio-libs/aiohttp/commit/021c416c18392a111225bc7326063dc4a99a5138
Comment 8 RaTasha Tillery-Smith 2021-03-03 13:18:40 UTC 
Statement:

Red Hat Satellite version 6.7 onward (mostly pulp part) does ship an affected version of aiohttp, however, is not vulnerable since the product code does not use the normalize_path_middleware function, which the attacker may use for an attack. We may update the python-aiohttp dependency in a future release.
Comment 9 Tapas Jena 2021-03-29 10:38:13 UTC 
As part of analysis, I found that though Ansible use Python-Aiohttp, it doesn't use the vulnerable component i.e. aiohttp.web_middlewares.normalize_path_middleware. Hence, marking Ansible Automation Platform as "Not Affected".
Comment 13 errata-xmlrpc 2021-11-16 14:08:00 UTC 
This issue has been addressed in the following products:

  Red Hat Satellite 6.10 for RHEL 7

Via RHSA-2021:4702 https://access.redhat.com/errata/RHSA-2021:4702