A flaw was found in python-aiohttp. A maliciously crafted link to an aiohttp-based web-server could redirect the browser to a different website. It is caused by a bug in the aiohttp.web_middlewares.normalize_path_middleware middleware.
Created python-aiohttp tracking bugs for this issue:
Affects: epel-8 [bug 1933366]
Affects: fedora-all [bug 1933365]
Upstream patch: https://github.com/aio-libs/aiohttp/commit/021c416c18392a111225bc7326063dc4a99a5138
Red Hat Satellite version 6.7 onward (mostly pulp part) does ship an affected version of aiohttp, however, is not vulnerable since the product code does not use the normalize_path_middleware function, which the attacker may use for an attack. We may update the python-aiohttp dependency in a future release.
As part of analysis, I found that though Ansible use Python-Aiohttp, it doesn't use the vulnerable component i.e. aiohttp.web_middlewares.normalize_path_middleware. Hence, marking Ansible Automation Platform as "Not Affected".
This issue has been addressed in the following products:
Red Hat Satellite 6.10 for RHEL 7
Via RHSA-2021:4702 https://access.redhat.com/errata/RHSA-2021:4702