FeedlyFeedly
CVEsCVEs
Threat IntelligenceThreat Intelligence
Threat IntelligenceThreat Intelligence
Log in
ChangelogChangelog
ChangelogChangelog
Log in
Log in
Start Free Trial
Start Free Trial
FeedlyFeedly
CVEsCVEs
Threat IntelligenceThreat Intelligence
Threat IntelligenceThreat Intelligence
Log in
ChangelogChangelog
ChangelogChangelog
Log in
Log in
Start Free Trial
Start Free Trial

Exploit
CVE-2023-49082

Improper Input Validation (CWE-20)

Published: Nov 26, 2023

010
CVSS 5.3EPSS 0.04%Medium
CVE info copied to clipboard

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Improper validation makes it possible for an attacker to modify the HTTP request (e.g. insert a new header) or even create a new HTTP request if the attacker controls the HTTP method. The vulnerability occurs only if the attacker can control the HTTP method (GET, POST etc.) of the request. If the attacker can control the HTTP version of the request it will be able to modify the request (request smuggling). This issue has been patched in version 3.9.0.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Timeline

Vendor Advisory

GitHub Advisories released a security advisory.

Nov 26, 2023 at 5:33 PM
First Article

Feedly found the first article mentioning CVE-2023-49082. See article

Nov 27, 2023 at 11:24 PM / GitHub Advisory Database
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Nov 27, 2023 at 11:24 PM
CVE Assignment

NVD published the first details for CVE-2023-49082

Nov 29, 2023 at 12:15 PM
Vendor Advisory

RedHat CVE advisory released a security advisory (CVE-2023-49082).

Nov 30, 2023 at 11:00 AM
EPSS

EPSS Score was set to: 0.04% (Percentile: 6.9%)

Dec 1, 2023 at 2:35 PM
Proof of Concept (PoC) Released

A proof of concept exploit has been released

Dec 4, 2023 at 11:10 PM
Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Qualys (284846)

Jan 8, 2024 at 12:00 AM
Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Nessus (187672)

Jan 8, 2024 at 12:15 AM
Static CVE Timeline Graph

Affected Systems

Aiohttp/aiohttp
+null more

Exploits

https://gist.github.com/jnovikov/7f411ae9fe6a9a7804cf162a3bdbb44b
+null more

Patches

bugzilla.redhat.com
+null more

Links to Mitre Att&cks

T1562.003: Impair Command History Logging
+null more

Attack Patterns

CAPEC-10: Buffer Overflow via Environment Variables
+null more

Vendor Advisory

CVE-2023-49082
Red Hat CVE Database / 11mo
Red Hat Ansible Automation Platform 1.2 - python-aiohttp - Under investigation Red Hat Ansible Automation Platform 2 - python-aiohttp - Under investigation

News

Multiple vulnerabilities in IBM Maximo Application Suite - IoT Component
Security feed from CyberSecurity Help / 2mo
The vulnerability allows a remote attacker to perform HTTP request smuggling attacks. The vulnerability allows a remote attacker to perform HTTP request smuggling attacks.
Security: Mehrere Probleme in aiohttp (Gentoo)
Pro-Linux / 3mo
https://security.gentoo.org/ Multiple vulnerabilities have been discovered in aiohttp.
Nokogiri, Redis, Bitcoin updates, and more for Gentoo
Linux Compatible / 3mo
The following security updates are available for Gentoo Linux: A denial of service vulnerability has been discovered in Nokogiri.
Gentoo: GLSA-202408-11: aiohttp: Security Advisory Updates
LinuxSecurity.com - Hybrid RSS / 3mo
Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox Multiple vulnerabilities have been discovered in aiohttp.
Gentoo Linux Security Advisory 202408-11
Advisory Files ≈ Packet Storm / 3mo
Gentoo Linux Security Advisory 202408-11 - Multiple vulnerabilities have been discovered in aiohttp, the worst of which could lead to service compromise. Versions greater than or equal to 3.9.4 are affected.
See 56 more articles and social media posts

CVSS V3.1

Attack Vector:Network
Attack Complexity:Low
Privileges Required:None
User Interaction:None
Scope:Unchanged
Confidentiality:None
Integrity:Low
Availability Impact:None

Categories

CVSS 5.3(34617)CWE-20(11385)CWE-93(62)Aiohttp(14)

Be the first to know about critical vulnerabilities

Collect, analyze, and share vulnerability reports faster using AI

Feedly Threat Intelligence30-day free trial