CVE-2023-47627 (High) detected in aiohttp-2.2.2.tar.gz

[mend-bolt-for-github[bot]]

CVE-2023-47627 - High Severity Vulnerability

Vulnerable Library - aiohttp-2.2.2.tar.gz

Async http client/server framework (asyncio)

Library home page: https://files.pythonhosted.org/packages/f1/cc/828ce95d4d638f54936bbd1f896a75ba937839b17a63a57c1c491db6c26d/aiohttp-2.2.2.tar.gz

Path to dependency file: /test/acceptance/workspaces/setup_py-app

Path to vulnerable library: /test/acceptance/workspaces/setup_py-app

Dependency Hierarchy: - :x: **aiohttp-2.2.2.tar.gz** (Vulnerable Library)

Found in HEAD commit: 9505f4ca92405cc9273dc3726c2d274ce28a4407

Found in base branch: ALL_HANDS/major-secrets

Vulnerability Details

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. The HTTP parser in AIOHTTP has numerous problems with header parsing, which could lead to request smuggling. This parser is only used when AIOHTTP_NO_EXTENSIONS is enabled (or not using a prebuilt wheel). These bugs have been addressed in commit `d5c12ba89` which has been included in release version 3.8.6. Users are advised to upgrade. There are no known workarounds for these issues.

Publish Date: 2023-11-14

URL: CVE-2023-47627

CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: High - Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/aio-libs/aiohttp/security/advisories/GHSA-gfw2-4jvh-wgfg

Release Date: 2023-11-14

Fix Resolution: 3.8.6

---

Step up your Open Source Security Game with Mend here