CVE-2023-49082 : aiohttp is an asynchronous HTTP client/server framework for asyncio and Python.

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Improper validation makes it possible for an attacker to modify the HTTP request (e.g. insert a new header) or even create a new HTTP request if the attacker controls the HTTP method. The vulnerability occurs only if the attacker can control the HTTP method (GET, POST etc.) of the request. If the attacker can control the HTTP version of the request it will be able to modify the request (request smuggling). This issue has been patched in version 3.9.0.

Published 2023-11-29 20:15:08

Updated 2024-01-29 14:15:09

Source GitHub, Inc.

View at NVD, CVE.org

Vulnerability category: Input validation

Products affected by CVE-2023-49082

Aiohttp » Aiohttp
Versions before (<) 3.9.0
cpe:2.3:a:aiohttp:aiohttp:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2023-49082

EPSS FAQ

0.16%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 38 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2023-49082

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
5.3	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N	3.9	1.4	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: Low Availability: None
5.3	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N	3.9	1.4	GitHub, Inc.
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: Low Availability: None

CWE ids for CVE-2023-49082

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Assigned by: security-advisories@github.com (Primary)
CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection')

The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.

Assigned by: security-advisories@github.com (Primary)

References for CVE-2023-49082

https://github.com/aio-libs/aiohttp/commit/e4ae01c2077d2cfa116aa82e4ff6866857f7c466

Add HTTP method validation (#6533) (#7806) · aio-libs/aiohttp@e4ae01c · GitHub
https://gist.github.com/jnovikov/7f411ae9fe6a9a7804cf162a3bdbb44b

aiohttp CRLF poc · GitHub
Exploit;Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WSYWMP64ZFCTC3VO6RY6EC6VSSMV6I3A/

[SECURITY] Fedora 39 Update: python-pysqueezebox-0.5.5-11.fc39 - package-announce - Fedora Mailing-Lists

CVEs referencing this url
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TY5SI6NK5243DEEDQUFKQKW5GQNKQUMA/

[SECURITY] Fedora 38 Update: python-wled-0.4.4-11.fc38 - package-announce - Fedora Mailing-Lists

CVEs referencing this url
https://github.com/aio-libs/aiohttp/pull/7806/files

Add HTTP method validation (#6533) by Dreamsorcerer · Pull Request #7806 · aio-libs/aiohttp · GitHub
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-qvrw-v9rv-5rjx

ClientSession is vulnerable to CRLF injection via method · Advisory · aio-libs/aiohttp · GitHub
Exploit;Vendor Advisory

Jump to

Vulnerability Details : CVE-2023-49082

Products affected by CVE-2023-49082

Exploit prediction scoring system (EPSS) score for CVE-2023-49082

CVSS scores for CVE-2023-49082

CWE ids for CVE-2023-49082

References for CVE-2023-49082