Path to dependency file: /jupyter-scipy/requirements.txt
Path to vulnerable library: /jupyter-scipy/requirements.txt,/jupyter-tensorflow-full/requirements.txt,/jupyter-pytorch-full/requirements.txt,/jupyter-scipy/requirements.txt,/jupyter-tensorflow-full/requirements.txt,/jupyter-pytorch-full/requirements.txt
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Improper validation makes it possible for an attacker to modify the HTTP request (e.g. insert a new header) or even create a new HTTP request if the attacker controls the HTTP method. The vulnerability occurs only if the attacker can control the HTTP method (GET, POST etc.) of the request. If the attacker can control the HTTP version of the request it will be able to modify the request (request smuggling). This issue has been patched in version 3.9.0.
CVE-2023-49082 - Medium Severity Vulnerability
Async http client/server framework (asyncio)
Library home page: https://files.pythonhosted.org/packages/be/2e/78d9514437e4267988380482420f4a550be6abdc665c836efe6d6abf7b46/aiohttp-3.8.4-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
Path to dependency file: /jupyter-scipy/requirements.txt
Path to vulnerable library: /jupyter-scipy/requirements.txt,/jupyter-tensorflow-full/requirements.txt,/jupyter-pytorch-full/requirements.txt,/jupyter-scipy/requirements.txt,/jupyter-tensorflow-full/requirements.txt,/jupyter-pytorch-full/requirements.txt
Dependency Hierarchy: - :x: **aiohttp-3.8.4-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl** (Vulnerable Library)
Found in base branch: master
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Improper validation makes it possible for an attacker to modify the HTTP request (e.g. insert a new header) or even create a new HTTP request if the attacker controls the HTTP method. The vulnerability occurs only if the attacker can control the HTTP method (GET, POST etc.) of the request. If the attacker can control the HTTP version of the request it will be able to modify the request (request smuggling). This issue has been patched in version 3.9.0.
Publish Date: 2023-11-29
URL: CVE-2023-49082
Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: Low - Availability Impact: None
For more information on CVSS3 Scores, click here.Type: Upgrade version
Origin: https://github.com/advisories/GHSA-qvrw-v9rv-5rjx
Release Date: 2023-11-29
Fix Resolution: 3.9.0
Step up your Open Source Security Game with Mend here