Lucene search

[email protected]CVE-2023-49081

HistoryNov 30, 2023 - 7:15 a.m.

CVE-2023-49081

2023-11-3007:15:08

CWE-20

[email protected]

web.nvd.nist.gov

aiohttp

async

http client

http server

asyncio

python

validation

vulnerability

http request

modification

patch

version 3.9.0

7.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

5.2 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

20.0%

JSON

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Improper validation made it possible for an attacker to modify the HTTP request (e.g. to insert a new header) or create a new HTTP request if the attacker controls the HTTP version. The vulnerability only occurs if the attacker can control the HTTP version of the request. This issue has been patched in version 3.9.0.

Affected configurations

Vulners

NVD

Node

aio-libsaiohttpRange<3.9.0

CPENameOperatorVersion
aiohttp:aiohttpaiohttplt3.9.0

CPE	Name	Operator	Version
aiohttp:aiohttp	aiohttp	lt	3.9.0

CNA Affected

[
  {
    "vendor": "aio-libs",
    "product": "aiohttp",
    "versions": [
      {
        "version": "< 3.9.0",
        "status": "affected"
      }
    ]
  }
]