Closed shtalinberg closed 1 year ago
Based on the discussion on https://github.com/aio-libs/aiohttp/issues/6772 and https://github.com/aio-libs/aiohttp/issues/6801#issuecomment-1167371253, it isn't clear to me that this is a valid report.
Even if it is a valid report, it is unlikely that the use by geoip2 would trigger it as the host is geoip.maxmind.com unless you specifically override it with the host param to the web service client. It sounds like the possible issue is only when a URL with an invalid IPv6 address has been provided as the host in the URL.
Thanks for the reply
Dependency-Check results in one of our projects where geoip2 is used:
AIOHTTP 3.8.1 can report a "ValueError: Invalid IPv6 URL" outcome, which can lead to a Denial of Service (DoS). More details here: https://nvd.nist.gov/vuln/detail/CVE-2022-33124