1933364 – (CVE-2021-21330) CVE-2021-21330 python-aiohttp: Open redirect in aiohttp.web_middlewares.normalize_path_middleware

Bug 1933364 (CVE-2021-21330) - CVE-2021-21330 python-aiohttp: Open redirect in aiohttp.web_middlewares.normalize_path_middleware

Summary: CVE-2021-21330 python-aiohttp: Open redirect in aiohttp.web_middlewares.norma...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2021-21330
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1933365 1933366 1934072 1934290
Blocks:	1933367
TreeView+	depends on / blocked

Reported:	2021-02-26 19:54 UTC by Pedro Sampaio
Modified:	2021-12-14 18:47 UTC (History)
CC List:	33 users (show)
Fixed In Version:	python-aiohttp 3.7.4
Doc Type:	If docs needed, set a value
Doc Text:	An open redirect flaw was found in python-aiohttp. This flaw allows a remote, unauthenticated attacker to trick users into visiting a malicious webpage, disguised as a legitimate webpage and affects applications using the normalize_path_middleware functionality. The highest threat from this vulnerability is to confidentiality and integrity.
Clone Of:
Environment:
Last Closed:	2021-11-02 23:10:08 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2021:4702	0	None	None	None	2021-11-16 14:08:02 UTC

Description Pedro Sampaio 2021-02-26 19:54:04 UTC

A flaw was found in python-aiohttp. A maliciously crafted link to an aiohttp-based web-server could redirect the browser to a different website. It is caused by a bug in the aiohttp.web_middlewares.normalize_path_middleware middleware.

References:

https://github.com/aio-libs/aiohttp/security/advisories/GHSA-v6wp-4m6f-gcjg

Comment 1 Pedro Sampaio 2021-02-26 19:54:42 UTC

Created python-aiohttp tracking bugs for this issue:

Affects: epel-8 [bug 1933366]
Affects: fedora-all [bug 1933365]

Comment 4 Yadnyawalk Tale 2021-03-02 12:48:17 UTC

External References:

https://github.com/aio-libs/aiohttp/security/advisories/GHSA-v6wp-4m6f-gcjg

Comment 7 Todd Cullum 2021-03-02 21:01:25 UTC

Upstream patch: https://github.com/aio-libs/aiohttp/commit/021c416c18392a111225bc7326063dc4a99a5138

Comment 8 RaTasha Tillery-Smith 2021-03-03 13:18:40 UTC

Statement:

Red Hat Satellite version 6.7 onward (mostly pulp part) does ship an affected version of aiohttp, however, is not vulnerable since the product code does not use the normalize_path_middleware function, which the attacker may use for an attack. We may update the python-aiohttp dependency in a future release.

Comment 9 Tapas Jena 2021-03-29 10:38:13 UTC

As part of analysis, I found that though Ansible use Python-Aiohttp, it doesn't use the vulnerable component i.e. aiohttp.web_middlewares.normalize_path_middleware. Hence, marking Ansible Automation Platform as "Not Affected".

Comment 13 errata-xmlrpc 2021-11-16 14:08:00 UTC

This issue has been addressed in the following products:

  Red Hat Satellite 6.10 for RHEL 7

Via RHSA-2021:4702 https://access.redhat.com/errata/RHSA-2021:4702

Note You need to log in before you can comment on or make changes to this bug.

athmanem
bbuckingham
bcoca
bcourt
bkearney
btotty
chousekn
cmeyers
davidn
gblomqui
gsuckevi
hhudgeon
igor.raits
jcammara
jhardy
jobarker
kaycoth
lzap
mabashia
mail
mmccune
nmoumoul
osapryki
pcreech
python-sig
rchan
relrod
rhel8-maint
rjerrido
sdoran
smcdonal
sokeeffe
tkuratom