Bug 2252235 (CVE-2023-49081)

Summary: CVE-2023-49081 aiohttp: HTTP request modification
Product: [Other] Security Response
Reporter: Nick Tait <ntait>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
CC: adudiak, bbuckingham, bcourt, caswilli, davidn, dfreiber, dhalasz, drow, ehelms, epacific, gtanzill, hkataria, jburrell, jcammara, jhardy, jmitchel, jneedle, jobarker, jsherril, jtanner, kaycoth, kshier, lzap, mabashia, mhulan, mminar, nmoumoul, orabin, osapryki, pcreech, psegedy, rbiba, rbobbitt, rchan, simaishi, smcdonal, sskracic, stcannon, sthirugn, teagle, tfister, tsasak, vkrizan, vkumar, vmugicag, yguenane, zsadeh
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: aiohttp 3.9.0
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the python-aiohttp package. This issue could allow a remote attacker to modify an existing HTTP request or create a new request that could have minor confidentiality or integrity impacts.
Story Points: ---
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 2252236, 2252239, 2252240, 2252241, 2252242, 2252243, 2260511
Bug Blocks: 2252237

Description Nick Tait 2023-11-30 10:04:25 UTC
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Improper validation made it possible for an attacker to modify the HTTP request (e.g. to insert a new header) or create a new HTTP request if the attacker controls the HTTP version. The vulnerability only occurs if the attacker can control the HTTP version of the request. This issue has been patched in version 3.9.0.

https://gist.github.com/jnovikov/184afb593d9c2114d77f508e0ccd508e
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-q3qx-c6g2-7pw2
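The flaw described above comes down to a caller-controlled HTTP version token being written into the request line without validation, so a value carrying CR/LF splits the request. The following is an added example (not aiohttp's own code, and not the upstream fix) showing the risky pattern beside a hardened form that accepts only a bare `HTTP/<digit>.<digit>` token; all function names, the regular expression and the sample inputs are assumptions constructed for the demonstration.

```python
import re

# Added example, not aiohttp's code: validate the HTTP version token before
# it is interpolated into the request line, so a caller-supplied value
# cannot carry a CR/LF pair and split the request. Names are assumptions.

_VERSION_RE = re.compile(r"^HTTP/\d\.\d$")


def version_is_valid(version: str) -> bool:
    """True only for a bare 'HTTP/<digit>.<digit>' token, nothing else."""
    return _VERSION_RE.fullmatch(version) is not None


def naive_request_line(method: str, path: str, version: str) -> str:
    """The risky pattern: the version is trusted and formatted as-is."""
    return f"{method} {path} {version}\r\n"


def safe_request_line(method: str, path: str, version: str) -> str:
    """Hardened form: refuse anything that is not a well-formed version token."""
    if not version_is_valid(version):
        raise ValueError(f"refusing to send malformed HTTP version {version!r}")
    return naive_request_line(method, path, version)


def request_line_count(serialized: str) -> int:
    """Number of CRLF-terminated lines in a serialized request start.

    A single request line must yield exactly 1; anything larger means the
    version token smuggled extra lines (for example a new header) into it.
    """
    return serialized.count("\r\n")


# Constructed sample inputs for the demonstration (not from the advisory).
GOOD_VERSION = "HTTP/1.1"
BAD_VERSION = "HTTP/1.1\r\nX-Constructed: injected"  # constructed; carries a CRLF


def demo() -> dict:
    """Run both builders on both inputs and collect what a reviewer would check."""
    results = {
        "good_valid": version_is_valid(GOOD_VERSION),
        "bad_valid": version_is_valid(BAD_VERSION),
        # the naive builder emits two lines from a single request line call
        "naive_bad_lines": request_line_count(naive_request_line("GET", "/", BAD_VERSION)),
        "safe_good_lines": request_line_count(safe_request_line("GET", "/", GOOD_VERSION)),
    }
    try:
        safe_request_line("GET", "/", BAD_VERSION)
        results["safe_bad_rejected"] = False
    except ValueError:
        results["safe_bad_rejected"] = True
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The check is deliberately a whitelist on the whole token rather than a blacklist of `\r` and `\n`: a full-match regular expression also rejects trailing whitespace and other stray characters, which is the same shape of validation that removes the "attacker controls the HTTP version" precondition named in the description.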

Comment 1 Nick Tait 2023-11-30 10:05:04 UTC
Created python-aiohttp tracking bugs for this issue:

Affects: fedora-all [bug 2252236]

Comment 2 Nick Tait 2023-11-30 10:13:44 UTC
Created python-aiohttp tracking bugs for this issue:

Affects: epel-all [bug 2252239]

Comment 4 Fedora Update System 2023-12-03 15:48:47 UTC
FEDORA-2023-d5bd6b62e4 has been pushed to the Fedora 40 stable repository.
If the problem still persists, please make note of it in this bug report.

Comment 8 errata-xmlrpc 2024-02-29 19:41:45 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.4 for RHEL 9
  Red Hat Ansible Automation Platform 2.4 for RHEL 8

Via RHSA-2024:1057 https://access.redhat.com/errata/RHSA-2024:1057

Comment 9 errata-xmlrpc 2024-03-27 13:19:01 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 6.14 for RHEL 8

Via RHSA-2024:1536 https://access.redhat.com/errata/RHSA-2024:1536

Comment 10 errata-xmlrpc 2024-04-18 01:51:55 UTC
This issue has been addressed in the following products:

  RHUI 4 for RHEL 8

Via RHSA-2024:1878 https://access.redhat.com/errata/RHSA-2024:1878

Comment 11 errata-xmlrpc 2024-04-23 17:15:57 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 6.15 for RHEL 8

Via RHSA-2024:2010 https://access.redhat.com/errata/RHSA-2024:2010