aiohttp's ClientSession is vulnerable to CRLF injection via version
CVE-2023-49081

7.2HIGH

Key Information:

Vendor

Aio-libs

Status
Aiohttp
Vendor
CVE Published:
30 November 2023

What is CVE-2023-49081?

The aiohttp framework, an asynchronous HTTP client/server for Python, suffers from an improper validation vulnerability. An attacker with control over the HTTP version of a request could exploit this flaw to modify the request by inserting arbitrary headers or creating new requests. This vulnerability has been addressed in version 3.9.0, which effectively mitigates the risk of such manipulations.

Affected Version(s)

aiohttp < 3.9.0

References

https://github.com/aio-libs/aiohttp/security/advisories/G...
x_refsource_CONFIRM
https://github.com/aio-libs/aiohttp/pull/7835/files
x_refsource_MISC
https://github.com/aio-libs/aiohttp/commit/1e86b777e61cf4...
x_refsource_MISC

CVSS V3.1

Score:
7.2
Severity:
HIGH
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.