Request Smuggling

🗓️ 29 Nov 2023 06:58:43Reported by Veracode Vulnerability DatabaseType

aiohttp vulnerability in `client_reqrep.py` allows HTTP request smuggling via improper method validation

Reporter	Title	Published	Views	Family All 93
IBM Security Bulletins	Security Bulletin: Multiple Vulnerabilities in CloudPak for AIOps	16 Oct 202422:43	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Storage Fusion is vulnerable to HTTP request smuggling, denial of server due to aiohttp, cryptography.	11 May 202416:56	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Maximo Application Suite - IoT Component uses aiohttp-3.8.6-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl which is vulnerable to CVE-2024-23829, CVE-2023-49082, CVE-2024-23334 and CVE-2023-49081	15 Apr 202502:22	–	ibm
Chainguard	CVE-2023-49082 vulnerabilities	29 Nov 202320:15	–	cgr
Circl	CVE-2023-49082	26 Nov 202317:33	–	circl
CNNVD	aiohttp Injection Vulnerability	29 Nov 202300:00	–	cnnvd
CVE	CVE-2023-49082	29 Nov 202320:07	–	cve
Cvelist	CVE-2023-49082 aiohttp's ClientSession is vulnerable to CRLF injection via method	29 Nov 202320:07	–	cvelist
Debian	[SECURITY] [DLA 4041-1] python-aiohttp security update	3 Feb 202514:01	–	debian
Debian	[SECURITY] [DSA 5828-1] python-aiohttp security update	11 Dec 202419:24	–	debian

Vulners

Node

aiohttp aiohttpRange0.16.0–3.9.0b1python

aiohttp aiohttpRange4.0.0a0–4.0.0a1python

Source	Link
github	www.github.com/aio-libs/aiohttp/commit/e4ae01c2077d2cfa116aa82e4ff6866857f7c466
gist	www.gist.github.com/jnovikov/7f411ae9fe6a9a7804cf162a3bdbb44b
github	www.github.com/aio-libs/aiohttp/security/advisories/GHSA-qvrw-v9rv-5rjx
github	www.github.com/aio-libs/aiohttp/pull/7806/files
lists	www.lists.fedoraproject.org/archives/list/[email protected]/message/TY5SI6NK5243DEEDQUFKQKW5GQNKQUMA/
lists	www.lists.fedoraproject.org/archives/list/[email protected]/message/WSYWMP64ZFCTC3VO6RY6EC6VSSMV6I3A/

29 Jan 2024 16:21Current

7High risk

Vulners AI Score7

CVSS 3.15.3

EPSS0.00228