Open redirect vulnerability in aiohttp
CVE-2021-21330

3.1LOW

Key Information:

Vendor: Aio-libs
Status: Aiohttp
Vendor: CVE Published:; 26 February 2021

What is CVE-2021-21330?

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In aiohttp before version 3.7.4 there is an open redirect vulnerability. A maliciously crafted link to an aiohttp-based web-server could redirect the browser to a different website. It is caused by a bug in the aiohttp.web_middlewares.normalize_path_middleware middleware. This security problem has been fixed in 3.7.4. Upgrade your dependency using pip as follows "pip install aiohttp >= 3.7.4". If upgrading is not an option for you, a workaround can be to avoid using aiohttp.web_middlewares.normalize_path_middleware in your applications.

Affected Version(s)

aiohttp < 3.7.4

References

https://github.com/aio-libs/aiohttp/security/advisories/G...

x_refsource_CONFIRM

https://github.com/aio-libs/aiohttp/commit/2545222a3853e3...

x_refsource_MISC

https://github.com/aio-libs/aiohttp/blob/master/CHANGES.r...

x_refsource_MISC

CVSS V3.1

Score:

3.1

Severity:

LOW

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 26, 2021
Vulnerability Reserved
Dec 22, 2020

Aio-libs

What is CVE-2021-21330?

Affected Version(s)

References

CVSS V3.1

Timeline