Request smuggling in aiohttp
CVE-2023-47627

5.3MEDIUM

Key Information:

Vendor: Aio-libs
Status: Aiohttp
Vendor: CVE Published:; 14 November 2023

What is CVE-2023-47627?

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. The HTTP parser in AIOHTTP has numerous problems with header parsing, which could lead to request smuggling. This parser is only used when AIOHTTP_NO_EXTENSIONS is enabled (or not using a prebuilt wheel). These bugs have been addressed in commit d5c12ba89 which has been included in release version 3.8.6. Users are advised to upgrade. There are no known workarounds for these issues.

Affected Version(s)

aiohttp < 3.8.6

References

https://github.com/aio-libs/aiohttp/security/advisories/G...

x_refsource_CONFIRM

https://github.com/aio-libs/aiohttp/commit/d5c12ba890557a...

x_refsource_MISC

https://lists.fedoraproject.org/archives/list/package-ann...

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 14, 2023
Vulnerability Reserved
Nov 7, 2023

Aio-libs

What is CVE-2023-47627?

Affected Version(s)

References

CVSS V3.1

Timeline