CVE-2023-49081: aiohttp's ClientSession is vulnerable to CRLF injection via version
First published: Mon Nov 27 2023(Updated: )
### Summary Improper validation make it possible for an attacker to modify the HTTP request (e.g. to insert a new header) or even create a new HTTP request if the attacker controls the HTTP version. ### Details The vulnerability only occurs if the attacker can control the HTTP version of the request (including its type). For example if an unvalidated JSON value is used as a version and the attacker is then able to pass an array as the `version` parameter. Furthermore, the vulnerability only occurs when the `Connection` header is passed to the `headers` parameter. At this point, the library will use the parsed value to create the request. If a list is passed, then it bypasses validation and it is possible to perform CRLF injection. ### PoC The POC below shows an example of providing an unvalidated array as a version: https://gist.github.com/jnovikov/184afb593d9c2114d77f508e0ccd508e ### Impact CRLF injection leading to Request Smuggling. ### Workaround If these specific conditions are met and you are unable to upgrade, then validate the user input to the `version` parameter to ensure it is a `str`. Patch: https://github.com/aio-libs/aiohttp/pull/7835/files
Credit: security-advisories@github.com security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Aiohttp Aiohttp | <3.9.0 | |
| pip/aiohttp | <3.9.0 | 3.9.0 |
| redhat/aiohttp | <3.9.0 | 3.9.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://gist.github.com/jnovikov/184afb593d9c2114d77f508e0ccd508e
- https://github.com/aio-libs/aiohttp/commit/1e86b777e61cf4eefc7d92fa57fa19dcc676013b
- https://github.com/aio-libs/aiohttp/pull/7835/files
- https://github.com/aio-libs/aiohttp/security/advisories/GHSA-q3qx-c6g2-7pw2
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2252236
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2252239
- https://access.redhat.com/errata/RHSA-2024:1057
- https://access.redhat.com/errata/RHSA-2024:1536
- https://access.redhat.com/errata/RHSA-2024:1878
- https://access.redhat.com/errata/RHSA-2024:2010
- https://bugzilla.redhat.com/show_bug.cgi?id=2252235
- https://nvd.nist.gov/vuln/detail/CVE-2023-49081
- https://github.com/pypa/advisory-database/tree/main/vulns/aiohttp/PYSEC-2023-250.yaml
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TY5SI6NK5243DEEDQUFKQKW5GQNKQUMA
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WSYWMP64ZFCTC3VO6RY6EC6VSSMV6I3A
- https://github.com/advisories/GHSA-q3qx-c6g2-7pw2 (Advisory)
Frequently Asked Questions
What is the vulnerability ID for this security issue?
The vulnerability ID is CVE-2023-49081.
What is the summary of this vulnerability?
The vulnerability allows an attacker to modify the HTTP request, including inserting a new header or creating a new request if they control the HTTP version.
How does this vulnerability occur?
The vulnerability occurs due to improper validation of the HTTP request, specifically in the aiohttp package version up to 3.9.0.
How can I fix this vulnerability?
You can fix this vulnerability by upgrading the aiohttp package to version 3.9.0 or later.
Is there any additional information about this vulnerability?
Yes, you can find more information about this vulnerability in the advisory links provided.
- agent/weakness
- agent/type
- agent/first-publish-date
- agent/author
- agent/title
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/event
- collector/nvd-cve
- agent/severity
- agent/softwarecombine
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2023-49081
- collector/mitre-cve
- source/MITRE
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-q3qx-c6g2-7pw2
- agent/last-modified-date
- collector/github-advisory
- agent/references
- agent/tags
- agent/trending
- vendor/aiohttp
- canonical/aiohttp aiohttp
- package-manager/redhat
- package-manager/pip