SUSE-SU-2024:4077-1 Security update for python-aiohttp
This update for python-aiohttp fixes the following issues: - CVE-2024-52304: Fixed request smuggling due to incorrect parsing of chunk extensions (bsc#1233447)...
Memory Leakage
aiohttp is vulnerable to Memory Leakage. The vulnerability is due to improper handling of MatchInfoError, where each error creates a unique cache entry, allowing an attacker to exhaust server memory with numerous requests...
HTTP Request Smuggling
aiohttp is vulnerable to HTTP Request Smuggling. The vulnerability is due to incorrect parsing of newlines in chunk extensions via the `feed_data` function, by which an attacker can bypass firewall or proxy protections by sending specially crafted requests...
SUSE CVE-2024-52303
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In versions starting with 3.10.6 and prior to 3.10.11, a memory leak can occur when a request produces a MatchInfoError. This was caused by adding an entry to a cache on each request, due to the building of each...
SUSE CVE-2024-52304
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.10.11, the Python parser parses newlines in chunk extensions incorrectly which can lead to request smuggling vulnerabilities under certain conditions. If a pure Python version of aiohttp is installe...
aioHTTP < 3.10.11 Request Smuggling
The version of aioHTTP installed on the remote host is prior to 3.10.11. It is, therefore, affected by a request smuggling vulnerability. aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.10.11, the Python parser parses newlines in chunk extensions...
aiohttp < 3.10.11 HTTP Request Smuggling Vulnerability - Windows
aiohttp is prone to an HTTP request smuggling vulnerability. SPDX-FileCopyrightText: 2024 Greenbone AG Some text descriptions might be excerpted from (a) referenced source(s), and are Copyright (C) by the respective right holder(s). SPDX-License-Identifier: GPL-2.0-only CPE =...
aiohttp 3.10.6 < 3.10.11 Memory Leak Vulnerability - Windows
aiohttp is prone to a memory leak vulnerability. SPDX-FileCopyrightText: 2024 Greenbone AG Some text descriptions might be excerpted from (a) referenced source(s), and are Copyright (C) by the respective right holder(s). SPDX-License-Identifier: GPL-2.0-only CPE = "cpe:/a:aio-libsproject:aiohttp";...
aiohttp 3.10.6 < 3.10.11 Memory Leak Vulnerability - Linux
aiohttp is prone to a memory leak vulnerability. SPDX-FileCopyrightText: 2024 Greenbone AG Some text descriptions might be excerpted from (a) referenced source(s), and are Copyright (C) by the respective right holder(s). SPDX-License-Identifier: GPL-2.0-only CPE = "cpe:/a:aio-libsproject:aiohttp";...
aiohttp < 3.10.11 HTTP Request Smuggling Vulnerability - Linux
aiohttp is prone to an HTTP request smuggling vulnerability. SPDX-FileCopyrightText: 2024 Greenbone AG Some text descriptions might be excerpted from (a) referenced source(s), and are Copyright (C) by the respective right holder(s). SPDX-License-Identifier: GPL-2.0-only CPE =...
aioHTTP 3.10.6 < 3.10.11 Memory Leak
The version of aioHTTP installed on the remote host is prior to 3.10.11. It is, therefore, affected by a memory leak vulnerability. aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In versions starting with 3.10.6 and prior to 3.10.11, a memory leak can occur when a...
CVE-2024-52304
A flaw was found in the aiohttp package. The Python parser parses newlines in chunk extensions incorrectly, which can lead to request smuggling vulnerabilities under certain conditions. If a pure Python version of aiohttp is installed, for example, without the usual C extensions, or...
CVE-2024-52303
A flaw was found in the aiohttp package. A memory leak can occur in certain configurations when a request produces a MatchInfoError. This issue was caused by adding an entry to a cache on each request due to the building of each MatchInfoError producing a unique cache entry. An attacker may be ab...
CVE-2024-52304 vulnerabilities
Vulnerabilities for packages: airflow, kserve, dask-gateway, py3-aiohttp, py3-cassandra-medusa, checkov...
DEBIAN-CVE-2024-52304
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.10.11, the Python parser parses newlines in chunk extensions incorrectly which can lead to request smuggling vulnerabilities under certain conditions. If a pure Python version of aiohttp is installe...
AZL-53229 CVE-2024-52304 affecting package python-aiohttp 3.6.2-3
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.10.11, the Python parser parses newlines in chunk extensions incorrectly which can lead to request smuggling vulnerabilities under certain conditions. If a pure Python version of aiohttp is installe...
CVE-2024-52304
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.10.11, the Python parser parses newlines in chunk extensions incorrectly which can lead to request smuggling vulnerabilities under certain conditions. If a pure Python version of aiohttp is installe...
AZL-53232 CVE-2024-52304 affecting package python-aiohttp 3.6.2-3
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.10.11, the Python parser parses newlines in chunk extensions incorrectly which can lead to request smuggling vulnerabilities under certain conditions. If a pure Python version of aiohttp is installe...
UBUNTU-CVE-2024-52304
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.10.11, the Python parser parses newlines in chunk extensions incorrectly which can lead to request smuggling vulnerabilities under certain conditions. If a pure Python version of aiohttp is installe...
act-workflow (>=4.8.2 <=4.8.399), ahserver (>=1.0.1 <=1.2.0) +124 more potentially affected by CVE-2024-52304 via aiohttp (>=3.0.0b0 <=3.10.10)
aiohttp PYPI version =3.0.0b0, =4.8.2, =1.0.1, =0.48.0, =0.60.2, =0.9.0, =0.9.0, =0.1.19, =24.8.0, =0.1.6, =0.9.0, =0.9.1 - atlan-application-sdk =1.0.1 - backend-ai =1.3.0 and more Source cves: CVE-2024-52304 Source advisory: SNYK:PYTHON-AIOHTTP-8383923...