GHSA-8495-4G3G-X7PR vulnerabilities

Vulnerabilities for packages: py3-cassandra-medusa, airflow, checkov, dask-gateway, py3-aiohttp, kserve...

GHSA-8495-4G3G-X7PR vulnerabilities

Vulnerabilities for packages: request-1276, dask-gateway, awx, kserve, py3-aiohttp, py3-cassandra-medusa, airflow, py3.10-vllm-cuda-11.8, checkov...

aiohttp allows request smuggling due to incorrect parsing of chunk extensions

Summary The Python parser parses newlines in chunk extensions incorrectly which can lead to request smuggling vulnerabilities under certain conditions. Impact If a pure Python version of aiohttp is installed i.e. without the usual C extensions or AIOHTTPNOEXTENSIONS is enabled, then an attacker m...

GHSA-27MF-GHQM-J3J8 aiohttp has a memory leak when middleware is enabled when requesting a resource with a non-allowed method

Summary A memory leak can occur when a request produces a MatchInfoError. This was caused by adding an entry to a cache on each request, due to the building of each MatchInfoError producing a unique cache entry. Impact If the user is making use of any middlewares with aiohttp.web then it is...

Missing Release of Resource after Effective Lifetime

Overview Affected versions of this package are vulnerable to Missing Release of Resource after Effective Lifetime by creating a unique cache entry for each MatchInfoError when a request method is not allowed. This can lead to unbounded cache growth, resulting in a memory leak. Remediation Upgrade...

aiohttp has a memory leak when middleware is enabled when requesting a resource with a non-allowed method

Summary A memory leak can occur when a request produces a MatchInfoError. This was caused by adding an entry to a cache on each request, due to the building of each MatchInfoError producing a unique cache entry. Impact If the user is making use of any middlewares with aiohttp.web then it is...

GHSA-27MF-GHQM-J3J8 vulnerabilities

Vulnerabilities for packages: py3-aiohttp, airflow, py3.10-vllm-cuda-11.8, checkov...

GHSA-27MF-GHQM-J3J8 vulnerabilities

Vulnerabilities for packages: airflow, py3-aiohttp, checkov...

CVE-2024-52303

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In versions starting with 3.10.6 and prior to 3.10.11, a memory leak can occur when a request produces a MatchInfoError. This was caused by adding an entry to a cache on each request, due to the building of each...

CVE-2024-52303 vulnerabilities

Vulnerabilities for packages: airflow, py3-aiohttp, checkov...

DEBIAN-CVE-2024-52303

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In versions starting with 3.10.6 and prior to 3.10.11, a memory leak can occur when a request produces a MatchInfoError. This was caused by adding an entry to a cache on each request, due to the building of each...

UBUNTU-CVE-2024-52303

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In versions starting with 3.10.6 and prior to 3.10.11, a memory leak can occur when a request produces a MatchInfoError. This was caused by adding an entry to a cache on each request, due to the building of each...

CVE-2024-52304 aiohttp vulnerable to request smuggling due to incorrect parsing of chunk extensions

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.10.11, the Python parser parses newlines in chunk extensions incorrectly which can lead to request smuggling vulnerabilities under certain conditions. If a pure Python version of aiohttp is installe...

CVE-2024-52304 aiohttp vulnerable to request smuggling due to incorrect parsing of chunk extensions

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.10.11, the Python parser parses newlines in chunk extensions incorrectly which can lead to request smuggling vulnerabilities under certain conditions. If a pure Python version of aiohttp is installe...

CVE-2024-52304 aiohttp vulnerable to request smuggling due to incorrect parsing of chunk extensions

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.10.11, the Python parser parses newlines in chunk extensions incorrectly which can lead to request smuggling vulnerabilities under certain conditions. If a pure Python version of aiohttp is installe...

CVE-2024-52304

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.10.11, the Python parser parses newlines in chunk extensions incorrectly which can lead to request smuggling vulnerabilities under certain conditions. If a pure Python version of aiohttp is installe...

CVE-2024-52304

CVE-2024-52304 – aiohttp request-smuggling vulnerability : Prior to 3.10.11, aiohttp’s Python parser mishandled newlines in chunk extensions, enabling a request-smuggling condition under certain scenarios. If a pure-Python build (no C extensions) or AIOHTTP_NO_EXTENSIONS is used, an attacker coul...

CVE-2024-52303 aiohttp memory leak when middleware is enabled when requesting a resource with a non-allowed method

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In versions starting with 3.10.6 and prior to 3.10.11, a memory leak can occur when a request produces a MatchInfoError. This was caused by adding an entry to a cache on each request, due to the building of each...

CVE-2024-52303

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In versions starting with 3.10.6 and prior to 3.10.11, a memory leak can occur when a request produces a MatchInfoError. This was caused by adding an entry to a cache on each request, due to the building of each...

CVE-2024-52303

CVE-2024-52303 affects aiohttp (async HTTP framework for Python/asyncio): memory leak when a request produces a MatchInfoError, caused by a per-request cache entry created during MatchInfoError construction. This can enable memory exhaustion on the server under high request rates (hundreds of tho...