medium
5.3
CWE
20 93
Advisory Published
CVE Published
Updated

CVE-2023-49082: aiohttp's ClientSession is vulnerable to CRLF injection via method

First published: Mon Nov 27 2023(Updated: )

### Summary Improper validation makes it possible for an attacker to modify the HTTP request (e.g. insert a new header) or even create a new HTTP request if the attacker controls the HTTP method. ### Details The vulnerability occurs only if the attacker can control the HTTP method (GET, POST etc.) of the request. Previous releases performed no validation on the provided value. If an attacker controls the HTTP method it will be used as is and can lead to HTTP request smuggling. ### PoC A minimal example can be found here: https://gist.github.com/jnovikov/7f411ae9fe6a9a7804cf162a3bdbb44b ### Impact If the attacker can control the HTTP version of the request it will be able to modify the request (request smuggling). ### Workaround If unable to upgrade and using user-provided values for the request method, perform manual validation of the user value (e.g. by restricting it to a few known values like GET, POST etc.). Patch: https://github.com/aio-libs/aiohttp/pull/7806/files

Credit: security-advisories@github.com security-advisories@github.com

Affected SoftwareAffected VersionHow to fix
Aiohttp Aiohttp<3.9.0
pip/aiohttp<3.9.0
3.9.0
redhat/aiohttp<3.9.0
3.9.0

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Frequently Asked Questions

  • What is CVE-2023-49082?

    CVE-2023-49082 is a vulnerability that allows an attacker to modify or create an HTTP request by controlling the HTTP method.

  • What software is affected by CVE-2023-49082?

    The aiohttp package with versions up to but excluding 3.9.0 is affected by CVE-2023-49082.

  • How can the attacker exploit CVE-2023-49082?

    The attacker can exploit CVE-2023-49082 by controlling the HTTP method in the HTTP request.

  • How can I mitigate CVE-2023-49082?

    To mitigate CVE-2023-49082, update the aiohttp package to version 3.9.0 or above.

  • Where can I find more information about CVE-2023-49082?

    You can find more information about CVE-2023-49082 in the following references: [GitHub Advisory](https://github.com/aio-libs/aiohttp/security/advisories/GHSA-qvrw-v9rv-5rjx), [Gist](https://gist.github.com/jnovikov/7f411ae9fe6a9a7804cf162a3bdbb44b), [GitHub Advisories](https://github.com/advisories/GHSA-qvrw-v9rv-5rjx).

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2024 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203