Bug 2224185 (CVE-2023-37276) - CVE-2023-37276 python-aiohttp: HTTP request smuggling via llhttp HTTP request parser
Summary: CVE-2023-37276 python-aiohttp: HTTP request smuggling via llhttp HTTP request...
Keywords:
Status: NEW
Alias: CVE-2023-37276
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2224226 2224228 2224227
Blocks: 2224192
Reported: 2023-07-20 07:04 UTC by Marian Rehak
Modified: 2023-08-02 09:37 UTC (History)

Fixed In Version: aiohttp 3.8.5
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in aio-libs aiohttp, where it is vulnerable to HTTP request smuggling, caused by a flaw in the aiohttp.web.Application. By sending a specially crafted HTTP(S) request, an attacker can poison the web cache, bypass web application firewall protection, and conduct Cross-site scripting (XSS) attacks.
Clone Of:
Environment:
Last Closed:
Embargoed:



Description Marian Rehak 2023-07-20 07:04:05 UTC
This vulnerability only affects users of aiohttp as an HTTP server (i.e. `aiohttp.Application`); you are not affected by this vulnerability if you are using aiohttp as an HTTP client library (i.e. `aiohttp.ClientSession`). Sending a crafted HTTP request will cause the server to misinterpret one of the HTTP header values, leading to HTTP request smuggling. This issue has been addressed in version 3.8.5. Users are advised to upgrade. Users unable to upgrade can reinstall aiohttp with `AIOHTTP_NO_EXTENSIONS=1` set as an environment variable to disable the llhttp HTTP request parser implementation. The pure Python implementation isn't vulnerable.
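As an added inventory check (not part of this bug report or of aiohttp itself), the script below classifies an aiohttp server install against the two remediations named above: the 3.8.5 fix and the pure Python parser fallback. It assumes aiohttp exposes `aiohttp.__version__` and that `aiohttp.http_parser.HttpRequestParser.__module__` reads `aiohttp._http_parser` when the llhttp C extension is active; both are assumptions about aiohttp internals, and whether the process actually serves HTTP with `aiohttp.Application` still has to be confirmed by hand.

```python
import importlib
import re
from typing import Optional

FIXED_VERSION = (3, 8, 5)                 # "Fixed In Version" from the bug report
C_PARSER_MODULE = "aiohttp._http_parser"  # assumed: module backing the llhttp parser


def parse_version(version: str) -> tuple:
    """Return (major, minor, patch, is_prerelease) for '3.8.5', '3.9.0b0', etc."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)(.*)$", version)
    if not m:
        raise ValueError(f"unrecognised aiohttp version: {version!r}")
    major, minor, patch, suffix = m.groups()
    prerelease = suffix.lstrip(".-").lower().startswith(("a", "b", "rc", "dev"))
    return (int(major), int(minor), int(patch), prerelease)


def assess(version: str, parser_module: str) -> str:
    """Classify an aiohttp server install against CVE-2023-37276.

    'fixed'      -> 3.8.5 or later (final release) carries the patch
    'mitigated'  -> older, but the pure Python parser is active, which is
                    what reinstalling with AIOHTTP_NO_EXTENSIONS=1 gives you
    'vulnerable' -> older and the llhttp C parser is active
    """
    major, minor, patch, prerelease = parse_version(version)
    numeric = (major, minor, patch)
    if numeric > FIXED_VERSION or (numeric == FIXED_VERSION and not prerelease):
        return "fixed"
    return "vulnerable" if parser_module == C_PARSER_MODULE else "mitigated"


def probe_installed() -> Optional[str]:
    """Inspect the aiohttp importable here; None when aiohttp is absent.

    Assumption: aiohttp.http_parser.HttpRequestParser.__module__ names the
    C extension when the llhttp parser was compiled in and imported.
    """
    try:
        aiohttp = importlib.import_module("aiohttp")
        http_parser = importlib.import_module("aiohttp.http_parser")
    except ImportError:
        return None
    return assess(aiohttp.__version__, http_parser.HttpRequestParser.__module__)


if __name__ == "__main__":
    print(probe_installed() or "aiohttp not installed")
```

Run it inside the virtualenv that serves the application, since the result depends on which aiohttp build that interpreter imports.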

Reference:

https://github.com/aio-libs/aiohttp/security/advisories/GHSA-45c4-8wx5-qw6w

