maxsaltonstall / letters-with-strangers

Apache License 2.0
2 stars 0 forks

Dependabot security issue 1 #138

Open maxsaltonstall opened 3 years ago

maxsaltonstall commented 3 years ago

1 aiohttp vulnerability found in requirements.txt (18 hours ago)

Remediation: upgrade aiohttp to version 3.7.4 or later. For example, in requirements.txt:

aiohttp>=3.7.4

Always verify the validity and compatibility of suggestions with your codebase.

Details: GHSA-v6wp-4m6f-gcjg, low severity. Vulnerable versions: < 3.7.4. Patched version: 3.7.4.

Impact (what kind of vulnerability is it? who is impacted?)

Open redirect vulnerability: a maliciously crafted link to an aiohttp-based web server could redirect the browser to a different website.

It is caused by a bug in the aiohttp.web_middlewares.normalize_path_middleware middleware.

Patches (has the problem been patched? what versions should users upgrade to?)

This security problem has been fixed in v3.7.4. Upgrade your dependency as follows (the version specifier is quoted so the shell does not treat ">=" as a redirection):

pip install 'aiohttp>=3.7.4'

Workarounds (is there a way for users to fix or remediate the vulnerability without upgrading?)

If upgrading is not an option for you, a workaround can be to avoid using aiohttp.web_middlewares.normalize_path_middleware in your applications.

References (are there any links users can visit to find out more?)

aiohttp @ PyPI
GHSA-v6wp-4m6f-gcjg
OWASP page on open redirects

For more information: if you have any questions or comments about this advisory, open an issue in the aiohttp repo or email wk+aio-libs-security@sydorenko.org.ua and/or andrew.svetlov+aio-libs-security@gmail.com.

Credit: Jelmer Vernooij and Beast Glatisant.
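The advisory above says only that the bug lives in normalize_path_middleware. The following is an added, self-contained Python model of how that middleware's path normalization can emit a protocol-relative Location, and what the 3.7.4 fix changes; it is not code from this repository, from Dependabot, or from aiohttp itself. Its assumptions: the candidate-path order (merged, slash-appended, merged-and-appended) and the fix (collapsing a leading run of slashes with `re.sub("^//+", "/", ...)`) follow my reading of aiohttp 3.7.x and should be checked against the real source; the route table is constructed for the demo, and `is_local_redirect` is a generic defense-in-depth check, not an aiohttp API.

```python
import re
from typing import List, Optional

# Constructed route table (assumption for this demo, not this repo's routes):
# one compiled regex per route, the way aiohttp's "/{name:pattern}" resources
# compile down. The catch-all requires a trailing slash, which is what lets the
# append_slash candidate win over the merged one.
ROUTES = [
    re.compile(r"^/$"),
    re.compile(r"^/(?P<tail>.*)/$"),
]


def resolves(path: str) -> bool:
    """True if some route matches the path as-is (no redirect needed)."""
    return any(r.match(path) for r in ROUTES)


def normalize_redirect(raw_path: str, *, append_slash: bool = True,
                       merge_slashes: bool = True,
                       patched: bool = True) -> Optional[str]:
    """Model of normalize_path_middleware's redirect decision.

    Returns the Location the middleware would redirect to, or None when the
    request resolves unchanged (or no candidate matches). `patched=False`
    omits the 3.7.4 fix so the open redirect is visible.
    """
    if "?" in raw_path:
        path, query = raw_path.split("?", 1)
        query = "?" + query
    else:
        path, query = raw_path, ""

    if resolves(path):
        return None

    candidates: List[str] = []
    if merge_slashes:
        candidates.append(re.sub("//+", "/", path))
    if append_slash and not path.endswith("/"):
        # This candidate is NOT merged, so a request path "//evil.com"
        # yields "//evil.com/", which browsers read as a different host.
        candidates.append(path + "/")
    if merge_slashes and append_slash:
        candidates.append(re.sub("//+", "/", path + "/"))

    for cand in candidates:
        if patched:
            # The 3.7.4 fix (as I read it): collapse any leading run of
            # slashes so Location can never start with "//".
            cand = re.sub("^//+", "/", cand)
        if resolves(cand):
            return cand + query
    return None


def is_local_redirect(location: str) -> bool:
    """Generic defense in depth for any redirect target: same-origin paths only.

    Rejects protocol-relative ("//host/"), scheme-prefixed ("https://host",
    "javascript:") and backslash variants ("/\\host", which some browsers
    normalize to "//host").
    """
    if not location.startswith("/"):
        return False
    if location.startswith("//") or location.startswith("/\\"):
        return False
    return True


def demo() -> dict:
    """Run the crafted request through both versions and the local-path check."""
    attack = "//evil.com?next=1"  # constructed attacker-controlled request target
    vulnerable = normalize_redirect(attack, patched=False)
    fixed = normalize_redirect(attack, patched=True)
    return {
        "vulnerable_location": vulnerable,           # "//evil.com/?next=1"
        "fixed_location": fixed,                     # "/evil.com/?next=1"
        "vulnerable_is_local": is_local_redirect(vulnerable),  # False
        "fixed_is_local": is_local_redirect(fixed),            # True
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The point to take from the model: the middleware only ever redirects to a path it derived from the attacker's own request target, so any derivation step that can leave two leading slashes turns a harmless trailing-slash redirect into a cross-site one. Upgrading to 3.7.4 removes that step; `is_local_redirect` (or an equivalent check on every Location header you emit) catches the same class of bug in any other redirect code you own.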