aiohttp: aiohttp vulnerable to request smuggling due to incorrect parsing of chunk extensions
A flaw was found in the aiohttp package. The Python parser parses newlines in chunk extensions incorrectly, which can lead to request smuggling vulnerabilities under certain conditions. If a pure Python version of aiohttp is installed, for example, without the usual C extensions, or...
Security update for python-aiohttp
This update for python-aiohttp fixes the following issues: CVE-2024-52304: Fixed request smuggling due to incorrect parsing of chunk extensions bsc1233447 Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch"...
SUSE-SU-2024:4110-1 Security update for python-aiohttp
This update for python-aiohttp fixes the following issues: - CVE-2024-52304: Fixed request smuggling due to incorrect parsing of chunk extensions bsc1233447...
[SECURITY] Fedora 41 Update: python-aiohttp-3.10.5-3.fc41
Python HTTP client/server for asyncio which supports both the client and the server side of the HTTP protocol, client and server websocket, and webservers with middlewares and pluggable routing...
Fedora: Security Advisory (FEDORA-2024-04ceb82dc7)
The remote host is missing an update for the SPDX-FileCopyrightText: 2024 Greenbone AG Some text descriptions might be excerpted from (a) referenced source(s), and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only if(description)...
Fedora 41 : python-aiohttp (2024-49df7093ac)
The remote Fedora 41 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2024-49df7093ac advisory. Security fix for CVE-2024-52304 Tenable has extracted the preceding description block directly from the Fedora security advisory. Note that Nessus has not...
Fedora 40 : python-aiohttp (2024-04ceb82dc7)
The remote Fedora 40 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2024-04ceb82dc7 advisory. Security fix for CVE-2024-52304 Tenable has extracted the preceding description block directly from the Fedora security advisory. Note that Nessus has not...
Security update for python-aiohttp
This update for python-aiohttp fixes the following issues: CVE-2024-52304: Fixed request smuggling due to incorrect parsing of chunk extensions bsc1233447 Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch"...
SUSE-SU-2024:4077-1 Security update for python-aiohttp
This update for python-aiohttp fixes the following issues: - CVE-2024-52304: Fixed request smuggling due to incorrect parsing of chunk extensions bsc1233447...
A vulnerability in the aiohttp HTTP client, in which resources are not released after their effective lifetime, allows attackers to trigger service failures.
The vulnerability in the aiohttp HTTP client is caused by a failure to release resources after their effective lifetime. Exploiting this vulnerability allows a remote attacker to cause service failures...
A vulnerability in the aiohttp HTTP client, related to deficiencies in handling HTTP request headers, allows attackers to execute an “HTTP request hijacking” attack.
The vulnerability in the aiohttp HTTP client is related to deficiencies in the handling of HTTP request headers. Exploiting this vulnerability allows a remote attacker to execute an “HTTP request hijacking” attack...
Memory Leakage
aiohttp is vulnerable to Memory Leakage. The vulnerability is due to improper handling of MatchInfoError, where each error creates a unique cache entry, allowing an attacker to exhaust server memory with numerous requests...
HTTP Request Smuggling
aiohttp is vulnerable to HTTP Request Smuggling. The vulnerability is due to incorrect parsing of newlines in chunk extensions via the `feed_data` function, by which an attacker can bypass firewall or proxy protections by sending specially crafted requests...
SUSE CVE-2024-52303
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In versions starting with 3.10.6 and prior to 3.10.11, a memory leak can occur when a request produces a MatchInfoError. This was caused by adding an entry to a cache on each request, due to the building of each...
SUSE CVE-2024-52304
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.10.11, the Python parser parses newlines in chunk extensions incorrectly which can lead to request smuggling vulnerabilities under certain conditions. If a pure Python version of aiohttp is installe...
aiohttp < 3.10.11 HTTP Request Smuggling Vulnerability - Windows
aiohttp is prone to an HTTP request smuggling vulnerability. SPDX-FileCopyrightText: 2024 Greenbone AG Some text descriptions might be excerpted from (a) referenced source(s), and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE =...
aioHTTP < 3.10.11 Request Smuggling
The version of aioHTTP installed on the remote host is prior to 3.10.11. It is, therefore, affected by a request smuggling vulnerability. aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.10.11, the Python parser parses newlines in chunk extensions...
aiohttp 3.10.6 < 3.10.11 Memory Leak Vulnerability - Linux
aiohttp is prone to a memory leak vulnerability. SPDX-FileCopyrightText: 2024 Greenbone AG Some text descriptions might be excerpted from (a) referenced source(s), and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE = "cpe:/a:aio-libsproject:aiohttp";...
aiohttp < 3.10.11 HTTP Request Smuggling Vulnerability - Linux
aiohttp is prone to an HTTP request smuggling vulnerability. SPDX-FileCopyrightText: 2024 Greenbone AG Some text descriptions might be excerpted from (a) referenced source(s), and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE =...
aiohttp 3.10.6 < 3.10.11 Memory Leak Vulnerability - Windows
aiohttp is prone to a memory leak vulnerability. SPDX-FileCopyrightText: 2024 Greenbone AG Some text descriptions might be excerpted from (a) referenced source(s), and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE = "cpe:/a:aio-libsproject:aiohttp";...