Vulnerability Details : CVE-2021-21330

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In aiohttp before version 3.7.4 there is an open redirect vulnerability. A maliciously crafted link to an aiohttp-based web-server could redirect the browser to a different website. It is caused by a bug in the `aiohttp.web_middlewares.normalize_path_middleware` middleware. This security problem has been fixed in 3.7.4. Upgrade your dependency using pip as follows "pip install aiohttp >= 3.7.4". If upgrading is not an option for you, a workaround can be to avoid using `aiohttp.web_middlewares.normalize_path_middleware` in your applications.

Vulnerability category: Open redirect

Published 2021-02-26 03:15:13

Updated 2023-02-03 21:03:35

Source GitHub, Inc.

View at NVD, CVE.org

Exploit prediction scoring system (EPSS) score for CVE-2021-21330

Probability of exploitation activity in the next 30 days: 0.35%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 69 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2021-21330

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Source
5.8	MEDIUM	AV:N/AC:M/Au:N/C:P/I:P/A:N	8.6	4.9	[email protected]
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: None
6.1	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N	2.8	2.7	[email protected]
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Changed Confidentiality: Low Integrity: Low Availability: None
3.1	LOW	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N	1.6	1.4	[email protected]
Attack Vector: Network Attack Complexity: High Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: None Integrity: Low Availability: None

CWE ids for CVE-2021-21330

CWE-601 URL Redirection to Untrusted Site ('Open Redirect')

A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks.
Assigned by:
- [email protected] (Secondary)
- [email protected] (Primary)

References for CVE-2021-21330

https://lists.fedoraproject.org/archives/list/[email protected]/message/FU7ENI54JNEK3PHEFGCE46DGMFNTVU6L/

Mailing List;Third Party Advisory
https://github.com/aio-libs/aiohttp/blob/master/CHANGES.rst#374-2021-02-25

Third Party Advisory
https://pypi.org/project/aiohttp/

Product;Third Party Advisory
https://lists.fedoraproject.org/archives/list/[email protected]/message/JN3V7CZJRT4QFCVXB6LDPCJH7NAOFCA5/

Mailing List;Third Party Advisory
https://www.debian.org/security/2021/dsa-4864

Third Party Advisory
https://security.gentoo.org/glsa/202208-19

Third Party Advisory
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-v6wp-4m6f-gcjg

Third Party Advisory
https://github.com/aio-libs/aiohttp/commit/2545222a3853e31ace15d87ae0e2effb7da0c96b

Patch;Third Party Advisory

Products affected by CVE-2021-21330

Debian » Debian Linux » Version: 10.0
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
Matching versions
Fedoraproject » Fedora » Version: 33
cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*
Matching versions
Fedoraproject » Fedora » Version: 34
cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*
Matching versions
Aiohttp Project » Aiohttp
Versions before (<) 3.7.4
cpe:2.3:a:aiohttp_project:aiohttp:*:*:*:*:*:*:*:*
Matching versions