Bug 2224185 (CVE-2023-37276)

Summary: CVE-2023-37276 python-aiohttp: HTTP request smuggling via llhttp HTTP request parser
Product: [Other] Security Response
Reporter: Marian Rehak <mrehak>
Component: vulnerability
Assignee: Nobody <nobody>
Status: NEW ---
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: adudiak, bbuckingham, bcourt, davidn, dhughes, eglynn, ehelms, epacific, gtanzill, jcammara, jhardy, jjoyce, jkoehler, jneedle, jobarker, jsherril, kshier, lhh, lzap, mabashia, mburns, mgarciac, mhulan, mminar, myarboro, nmoumoul, orabin, osapryki, pcreech, pgrist, rbiba, rchan, simaishi, smcdonal, sskracic, stcannon, teagle, tfister, yguenane, zsadeh
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: aiohttp 3.8.5
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in aio-libs aiohttp, where it is vulnerable to HTTP request smuggling, caused by a flaw in the aiohttp.web.Application. By sending a specially crafted HTTP(S) request, an attacker can poison the web cache, bypass web application firewall protection, and conduct Cross-site scripting (XSS) attacks.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2224228, 2224226, 2224227, 2260418
Bug Blocks: 2224192

Description Marian Rehak 2023-07-20 07:04:05 UTC
This vulnerability only affects users of aiohttp as an HTTP server (i.e. `aiohttp.Application`). You are not affected by this vulnerability if you are using aiohttp as an HTTP client library (i.e. `aiohttp.ClientSession`). Sending a crafted HTTP request will cause the server to misinterpret one of the HTTP header values, leading to HTTP request smuggling. This issue has been addressed in version 3.8.5. Users are advised to upgrade. Users unable to upgrade can reinstall aiohttp using `AIOHTTP_NO_EXTENSIONS=1` as an environment variable to disable the llhttp HTTP request parser implementation. The pure Python implementation isn't vulnerable.

Reference:

https://github.com/aio-libs/aiohttp/security/advisories/GHSA-45c4-8wx5-qw6w
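As an added example (not part of this bug record, the advisory, or aiohttp's own code), the following script turns the description's two conditions into a local exposure check an operator can run inside the interpreter that serves the application: the fix shipped in aiohttp 3.8.5, and the pure-Python parser, selected when `AIOHTTP_NO_EXTENSIONS=1` is set, is not affected. It assumes aiohttp's convention that the request-parser class actually in use is re-exported as `aiohttp.http_parser.HttpRequestParser`, with the llhttp-backed class defined in `aiohttp._http_parser` and the pure-Python one in `aiohttp.http_parser` itself; that module-name check is a heuristic, not a documented API. `parse_version` is a constructed helper that ranks pre-release suffixes below the final release and is not a full PEP 440 parser. Whether the process uses aiohttp as a server (the only affected case) is left to the operator to confirm.

```python
"""Local exposure check for CVE-2023-37276 (aiohttp request smuggling via llhttp).

Added example, not code from the Bugzilla record or the aiohttp project.
"""
import os
import re
from typing import Dict, Optional, Tuple

# From the record's "Fixed In Version" field, normalised to (major, minor, patch, flag)
# where flag 0 = final release, -1 = pre-release.
FIXED_IN: Tuple[int, ...] = (3, 8, 5, 0)


def parse_version(version: str) -> Tuple[int, ...]:
    """Return (major, minor, patch, ..., flag) for X.Y.Z-style version strings.

    Constructed helper. A trailing pre-release or local tag ("3.8.5rc1",
    "3.8.5+local") sets the flag to -1 so it ranks below the final release;
    this is deliberately conservative (a release candidate of the fixed
    version is reported as not yet fixed).
    """
    numbers = []
    prerelease = False
    for segment in version.strip().split("."):
        m = re.match(r"(\d+)(.*)$", segment)
        if m is None:          # e.g. "dev0": no leading digit, treat as pre-release
            prerelease = True
            break
        numbers.append(int(m.group(1)))
        if m.group(2):         # e.g. "5rc1": digits followed by a tag
            prerelease = True
            break
    if not numbers:
        raise ValueError(f"unparseable version: {version!r}")
    while len(numbers) < 3:    # pad "3.8" to (3, 8, 0) so tuples compare positionally
        numbers.append(0)
    return tuple(numbers) + ((-1,) if prerelease else (0,))


def version_is_fixed(version: str) -> bool:
    """True when the release already contains the 3.8.5 fix."""
    return parse_version(version) >= FIXED_IN


def parser_in_use(no_extensions_env: Optional[str], parser_module: Optional[str]) -> str:
    """Classify the HTTP request parser as "llhttp", "python" or "unknown".

    parser_module is aiohttp.http_parser.HttpRequestParser.__module__ (assumption:
    the C/llhttp class lives in aiohttp._http_parser, the pure-Python class in
    aiohttp.http_parser). no_extensions_env is AIOHTTP_NO_EXTENSIONS as seen by
    the process; aiohttp treats any non-empty value as "set", so "0" also disables
    the extension (assumption about aiohttp.helpers.NO_EXTENSIONS).
    """
    if parser_module is not None:
        return "llhttp" if parser_module.endswith("._http_parser") else "python"
    if no_extensions_env:
        return "python"
    return "unknown"


def assess(version: str, parser: str) -> Dict[str, object]:
    """Combine release and parser findings into a verdict and recommended action."""
    fixed = version_is_fixed(version)
    vulnerable = (not fixed) and parser != "python"   # unknown parser: assume llhttp
    if fixed:
        action = "none: release includes the fix"
    elif parser == "python":
        action = "not exposed to this CVE (pure-Python parser); still upgrade to 3.8.5+"
    elif parser == "llhttp":
        action = "upgrade to aiohttp 3.8.5 or later; interim: reinstall with AIOHTTP_NO_EXTENSIONS=1"
    else:
        action = "parser unknown: treat as exposed until confirmed; upgrade to 3.8.5+"
    return {
        "version": version,
        "parser": parser,
        "fixed_release": fixed,
        "vulnerable": vulnerable,
        "action": action,
    }


def assess_installed() -> Dict[str, object]:
    """Run the check against the aiohttp importable in this interpreter."""
    try:
        import aiohttp
        from aiohttp import http_parser
    except ImportError:
        return {"version": None, "parser": "unknown", "fixed_release": False,
                "vulnerable": False, "action": "aiohttp is not importable in this interpreter"}
    parser = parser_in_use(os.environ.get("AIOHTTP_NO_EXTENSIONS"),
                           http_parser.HttpRequestParser.__module__)
    return assess(aiohttp.__version__, parser)


if __name__ == "__main__":
    for key, value in assess_installed().items():
        print(f"{key}: {value}")
```

Run it with the same interpreter and environment as the aiohttp server process, since `AIOHTTP_NO_EXTENSIONS` is read at import time and a different virtualenv may carry a different aiohttp build. A "vulnerable: False" verdict from the pure-Python parser is specific to this CVE and is not a substitute for moving to 3.8.5 or later.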

Comment 2 errata-xmlrpc 2024-04-18 01:51:41 UTC
This issue has been addressed in the following products:

  RHUI 4 for RHEL 8

Via RHSA-2024:1878 https://access.redhat.com/errata/RHSA-2024:1878

Comment 3 errata-xmlrpc 2024-04-23 17:11:49 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 6.15 for RHEL 8

Via RHSA-2024:2010 https://access.redhat.com/errata/RHSA-2024:2010