search

opensearch-project / opensearch-py

Python Client for OpenSearch
https://opensearch.org/docs/latest/clients/python/
Apache License 2.0
338 stars 170 forks source link

CVE-2023-49082 (Medium) detected in aiohttp-3.8.6-cp310-cp310-macosx_10_9_universal2.whl, aiohttp-3.8.6-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl #621

Closed mend-for-github-com[bot] closed 5 months ago

mend-for-github-com[bot] commented 10 months ago

CVE-2023-49082 - Medium Severity Vulnerability

Vulnerable Libraries - aiohttp-3.8.6-cp310-cp310-macosx_10_9_universal2.whl, aiohttp-3.8.6-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

aiohttp-3.8.6-cp310-cp310-macosx_10_9_universal2.whl

Async http client/server framework (asyncio)

Library home page: https://files.pythonhosted.org/packages/90/89/b332d6d2b27d84a876baba1405c6c51b85d30dd474878ef35646f0021a1c/aiohttp-3.8.6-cp310-cp310-macosx_10_9_universal2.whl

Dependency Hierarchy: - :x: **aiohttp-3.8.6-cp310-cp310-macosx_10_9_universal2.whl** (Vulnerable Library)

aiohttp-3.8.6-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

Async http client/server framework (asyncio)

Library home page: https://files.pythonhosted.org/packages/a5/e7/af237a28203958d885f7f57731cb4f9c510597a35c593c5c20224dd72072/aiohttp-3.8.6-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

Path to dependency file: /dev-requirements.txt

Path to vulnerable library: /dev-requirements.txt

Dependency Hierarchy: - :x: **aiohttp-3.8.6-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl** (Vulnerable Library)

Found in HEAD commit: 7ad68d5c4c4825f902056eedb38cd852ffb71d1a

Found in base branch: main

Vulnerability Details

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Improper validation makes it possible for an attacker to modify the HTTP request (e.g. insert a new header) or even create a new HTTP request if the attacker controls the HTTP method. The vulnerability occurs only if the attacker can control the HTTP method (GET, POST etc.) of the request. If the attacker can control the HTTP version of the request it will be able to modify the request (request smuggling). This issue has been patched in version 3.9.0.

Publish Date: 2023-11-29

URL: CVE-2023-49082

CVSS 3 Score Details (5.3)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: Low - Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-qvrw-v9rv-5rjx

Release Date: 2023-11-29

Fix Resolution: 3.9.0

saimedhi commented 6 months ago

To upgrade aiohttp to 3.9.0 requires Python >=3.8. But opensearch-py currently supports Python 3.6 and 3.7 versions as well.