search

opensearch-project / opensearch-py

Python Client for OpenSearch
https://opensearch.org/docs/latest/clients/python/
Apache License 2.0
359 stars 178 forks source link

CVE-2024-23829 (Medium) detected in aiohttp-3.8.6-cp310-cp310-macosx_10_9_universal2.whl, aiohttp-3.8.6-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl #688

Closed mend-for-github-com[bot] closed 7 months ago

mend-for-github-com[bot] commented 8 months ago

CVE-2024-23829 - Medium Severity Vulnerability

Vulnerable Libraries - aiohttp-3.8.6-cp310-cp310-macosx_10_9_universal2.whl, aiohttp-3.8.6-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

aiohttp-3.8.6-cp310-cp310-macosx_10_9_universal2.whl

Async http client/server framework (asyncio)

Library home page: https://files.pythonhosted.org/packages/90/89/b332d6d2b27d84a876baba1405c6c51b85d30dd474878ef35646f0021a1c/aiohttp-3.8.6-cp310-cp310-macosx_10_9_universal2.whl

Dependency Hierarchy: - :x: **aiohttp-3.8.6-cp310-cp310-macosx_10_9_universal2.whl** (Vulnerable Library)

aiohttp-3.8.6-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

Async http client/server framework (asyncio)

Library home page: https://files.pythonhosted.org/packages/a5/e7/af237a28203958d885f7f57731cb4f9c510597a35c593c5c20224dd72072/aiohttp-3.8.6-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

Path to dependency file: /dev-requirements.txt

Path to vulnerable library: /dev-requirements.txt

Dependency Hierarchy: - :x: **aiohttp-3.8.6-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl** (Vulnerable Library)

Found in HEAD commit: 7ad68d5c4c4825f902056eedb38cd852ffb71d1a

Found in base branch: main

Vulnerability Details

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Security-sensitive parts of the Python HTTP parser retained minor differences in allowable character sets, that must trigger error handling to robustly match frame boundaries of proxies in order to protect against injection of additional requests. Additionally, validation could trigger exceptions that were not handled consistently with processing of other malformed input. Being more lenient than internet standards require could, depending on deployment environment, assist in request smuggling. The unhandled exception could cause excessive resource consumption on the application server and/or its logging facilities. This vulnerability exists due to an incomplete fix for CVE-2023-47627. Version 3.9.2 fixes this vulnerability.

Publish Date: 2024-01-29

URL: CVE-2024-23829

CVSS 3 Score Details (6.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: Low - Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/aio-libs/aiohttp/security/advisories/GHSA-8qpw-xqxj-h4r2

Release Date: 2024-01-29

Fix Resolution: 3.9.2

saimedhi commented 8 months ago

To upgrade aiohttp to 3.9.2 requires Python >=3.8. But opensearch-py currently supports Python 3.6 and 3.7 versions as well.

Relavant PR https://github.com/opensearch-project/opensearch-py/pull/634