CVSS3: 6.5 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: LOW
Availability Impact: LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
AI Score: 7.2 High (Confidence: Low)
CVSS2: 6.4 Medium
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
AV:N/AC:L/Au:N/C:N/I:P/A:P
EPSS: 0.001 Low (Percentile: 30.9%)
Security-sensitive parts of the Python HTTP parser retained minor differences in allowable character sets that must trigger error handling, so that frame boundaries are matched as robustly as proxies match them and injection of additional requests is prevented. Additionally, validation could trigger exceptions that were not handled consistently with the processing of other malformed input.
These problems are rooted in pattern matching protocol elements, previously improved by PR #3235 and GHSA-gfw2-4jvh-wgfg:
The expression HTTP/(\d).(\d) lacked another backslash to clarify that the separator should be a literal dot, not just any Unicode code point (result: HTTP/(\d)\.(\d)).
The HTTP version was permitting Unicode digits, where only ASCII digits are standards-compliant.
Distinct regular expressions for validating HTTP Method and Header field names were used, though both should (at least) apply the common restrictions of the RFC 9110 token grammar.
GET / HTTP/1â1
GET / HTTP/1.π
GET/: HTTP/1.1
Content-Encoding?: chunked
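As an added illustration (not aiohttp's code or the fix from PR #8074), the following reconstructs the lenient version pattern described above beside its strict counterpart, adds a single RFC 9110 token check for method and header field names, and runs both modes over inputs modelled on the sample lines. The `strict` switch, the single BadRequest error path and the specific non-ASCII characters used (U+00E2 as a non-dot separator, U+0663 as a non-ASCII decimal digit) are assumptions for the demonstration.

```python
import re

# Added illustration, not aiohttp's code: the lenient pattern reconstructs the flaw
# the advisory describes, the strict one reconstructs the described fix.
LENIENT_VERSRE = re.compile(r"HTTP/(\d).(\d)")            # unescaped dot; \d matches Unicode Nd
STRICT_VERSRE = re.compile(r"HTTP/(\d)\.(\d)", re.ASCII)  # literal dot; \d is [0-9] only

# RFC 9110 token = 1*tchar, tchar = "!" / "#" / "$" / "%" / "&" / "'" / "*" / "+" / "-"
#                  / "." / "^" / "_" / "`" / "|" / "~" / DIGIT / ALPHA
TOKENRE = re.compile(r"[0-9A-Za-z!#$%&'*+\-.^_`|~]+", re.ASCII)


class BadRequest(ValueError):
    """Single error type so every malformed element takes the same handling path."""


def parse_version(version: str, strict: bool = True) -> tuple[int, int]:
    """Return (major, minor) or raise BadRequest."""
    m = (STRICT_VERSRE if strict else LENIENT_VERSRE).fullmatch(version)
    if m is None:
        raise BadRequest(f"bad HTTP version: {version!r}")
    return int(m.group(1)), int(m.group(2))


def check_token(value: str, what: str = "token") -> str:
    """Apply the common RFC 9110 token restriction to a method or header field name."""
    if TOKENRE.fullmatch(value) is None:
        raise BadRequest(f"bad {what}: {value!r}")
    return value


def parse_request_line(line: str, strict: bool = True) -> tuple[str, str, tuple[int, int]]:
    """Split 'METHOD target HTTP/x.y'; strict mode also enforces the token grammar on METHOD."""
    parts = line.split(" ")
    if len(parts) != 3:
        raise BadRequest(f"bad request line: {line!r}")
    method, target, version = parts
    if strict:
        check_token(method, "method")
    return method, target, parse_version(version, strict)


def accepted(fn, *args) -> bool:
    # True if fn(*args) succeeds, False if it raises BadRequest.
    try:
        fn(*args)
    except BadRequest:
        return False
    return True


if __name__ == "__main__":
    # Constructed inputs modelled on the advisory's samples (U+00E2 and U+0663 chosen here).
    for line in ("GET / HTTP/1.1", "GET / HTTP/1â1", "GET / HTTP/1.٣", "GET/: / HTTP/1.1"):
        print(f"{line!r:22} lenient={accepted(parse_request_line, line, False)} strict={accepted(parse_request_line, line)}")
    for name in ("Content-Encoding", "Content-Encoding?"):
        print(f"{name!r:22} token={accepted(check_token, name, 'header name')}")
```

The lenient mode accepts the three malformed request lines that the strict mode rejects, which is the difference in allowable character sets the advisory is about.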
Primarily concerns running an aiohttp server without llhttp:
github.com/advisories/GHSA-8qpw-xqxj-h4r2
github.com/aio-libs/aiohttp/commit/33ccdfb0a12690af5bb49bda2319ec0907fa7827
github.com/aio-libs/aiohttp/pull/3235
github.com/aio-libs/aiohttp/pull/8074
github.com/aio-libs/aiohttp/pull/8074/files
github.com/aio-libs/aiohttp/security/advisories/GHSA-8qpw-xqxj-h4r2
github.com/aio-libs/aiohttp/security/advisories/GHSA-gfw2-4jvh-wgfg
github.com/pypa/advisory-database/tree/main/vulns/aiohttp/PYSEC-2024-26.yaml
lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ICUOCFGTB25WUT336BZ4UNYLSZOUVKBD/
lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XXWVZIVAYWEBHNRIILZVB3R3SDQNNAA7/
nvd.nist.gov/vuln/detail/CVE-2024-23829