
Debian 11: DLA-4041-1 moderate: multiple issues in python-aiohttp

Debian LTS
February 3, 2025
The python-aiohttp library has been updated to address multiple security issues, including cross-site scripting (XSS) and HTTP request smuggling.
Several issues have been found in aiohttp, an asynchronous HTTP client/server framework for asyncio and Python.

Summary

CVE-2023-47627

The HTTP parser in AIOHTTP has numerous problems with header
parsing, which could lead to request smuggling. This parser is only
used when AIOHTTP_NO_EXTENSIONS is enabled (or not using a prebuilt
wheel).

CVE-2023-47641

Affected versions of aiohttp have a security vulnerability caused by
inconsistent interpretation of the HTTP protocol. HTTP/1.1 is a
persistent protocol; if both Content-Length (CL) and
Transfer-Encoding (TE) header values are present, two entities that
parse the HTTP stream can interpret it differently, and other sockets
can be poisoned with this inconsistent interpretation. A possible
proof of concept (PoC) would be a configuration with a reverse proxy
(frontend) that accepts both CL and TE headers and aiohttp as the
backend. As aiohttp treats anything containing "chunked" as chunked,
a value such as chunked123 can be passed as TE; the frontend entity
will ignore this header
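
As an added illustration, not part of the Debian advisory or of aiohttp's own code, the following Python checker contrasts the substring-style Transfer-Encoding match described above with a strict RFC 7230 reading, and rejects requests that carry both CL and TE, which is the mitigation a parser or proxy in front of an unpatched backend should apply. The request bytes and function names are constructed for this example.

```python
import re

# RFC 7230 "token" characters; a transfer-coding name must be a single token.
TOKEN = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")

# Constructed sample request: both framing headers present, TE not a valid coding.
AMBIGUOUS_REQUEST = (
    b"POST /submit HTTP/1.1\r\nHost: app.example\r\n"
    b"Content-Length: 5\r\nTransfer-Encoding: chunked123\r\n\r\n0\r\n\r\n"
)
# Constructed sample request: well-formed chunked body, no Content-Length.
CHUNKED_REQUEST = (
    b"POST /submit HTTP/1.1\r\nHost: app.example\r\n"
    b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\n"
)

def parse_headers(raw):
    """Return [(lower-cased name, value)] from the head of a raw HTTP/1.1 request."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("ascii")
    headers = []
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        headers.append((name.strip().lower(), value.strip()))
    return headers

def lenient_is_chunked(te):
    """Substring match: treats any value containing 'chunked' as chunked (the weak behaviour)."""
    return "chunked" in te.lower()

def strict_is_chunked(te):
    """RFC 7230 3.3.1: comma-separated list of tokens, and 'chunked' must be the last one."""
    codings = [c.strip().lower() for c in te.split(",")]
    return all(TOKEN.match(c) for c in codings) and codings[-1] == "chunked"

def framing_verdict(headers):
    """Decide how the message body is framed, or why the request must be rejected."""
    te = [v for n, v in headers if n == "transfer-encoding"]
    cl = [v for n, v in headers if n == "content-length"]
    if te and cl:
        return "reject: Content-Length and Transfer-Encoding both present"
    if len(te) > 1 or len(cl) > 1:
        return "reject: duplicate framing header"
    if te:
        return "chunked" if strict_is_chunked(te[0]) else "reject: unknown transfer coding"
    if cl:
        return "content-length" if cl[0].isdigit() else "reject: malformed Content-Length"
    return "no-body"
```

With these rules the ambiguous request is refused outright, while the lenient matcher alone would have accepted chunked123 and framed the body differently from a frontend that ignores the unknown coding.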



Package: python-aiohttp
Version: 3.7.4-1+deb11u1
CVE ID: CVE-2023-47627 CVE-2023-47641 CVE-2023-49081 CVE-2023-49082
Debian Bug:
