-------------------------------------------------------------------------
Debian LTS Advisory DLA-4041-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                   Jochen Sprickerhof
February 03, 2025                             https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : python-aiohttp
Version        : 3.7.4-1+deb11u1
CVE ID         : CVE-2023-47627 CVE-2023-47641 CVE-2023-49081 CVE-2023-49082
                 CVE-2024-23334 CVE-2024-23829 CVE-2024-27306 CVE-2024-30251
                 CVE-2024-52304
Debian Bug     : 

Several issues have been found in aiohttp, an asynchronous HTTP 
client/server framework for asyncio and Python. Those issues are related 
to the HTTP parser, link traversal and XSS on the index pages.

CVE-2023-47627

    The HTTP parser in AIOHTTP has numerous problems with header
    parsing, which could lead to request smuggling. This parser is only
    used when AIOHTTP_NO_EXTENSIONS is enabled (or not using a prebuilt
    wheel).

CVE-2023-47641

    Affected versions of aiohttp interpret the HTTP protocol
    inconsistently. HTTP/1.1 is a persistent protocol; if both
    Content-Length (CL) and Transfer-Encoding (TE) header values are
    present, two entities that parse the same HTTP stream can disagree
    on where a message ends, and that disagreement can be used to
    poison other sockets. A possible proof of concept (PoC) is a
    configuration with a reverse proxy (frontend) that accepts both CL
    and TE headers and aiohttp as the backend. Because aiohttp treats
    any TE value containing "chunked" as chunked, a TE value such as
    chunked123 is honoured by aiohttp, while the frontend ignores this
    unrecognised header and frames the request by Content-Length. The
    impact is that any proxy rule can be bypassed and the sockets of
    other users can be poisoned (for example by passing Authentication
    headers); if an open redirect is also present, an attacker could
    combine the two to redirect random users to another website and
    log the request.

CVE-2023-49081

    Improper validation made it possible for an attacker to modify the 
    HTTP request (e.g. to insert a new header) or create a new HTTP 
    request if the attacker controls the HTTP version. The vulnerability 
    only occurs if the attacker can control the HTTP version of the 
    request.

CVE-2023-49082

    Improper validation makes it possible for an attacker to modify the 
    HTTP request (e.g. insert a new header) or even create a new HTTP 
    request if the attacker controls the HTTP method. The vulnerability 
    occurs only if the attacker can control the HTTP method (GET, POST 
    etc.) of the request. If the attacker can control the HTTP version 
    of the request it will be able to modify the request (request 
    smuggling).

CVE-2024-23334

    When using aiohttp as a web server and configuring static routes, it 
    is necessary to specify the root path for static files. 
    Additionally, the option 'follow_symlinks' can be used to determine 
    whether to follow symbolic links outside the static root directory. 
    When 'follow_symlinks' is set to True, there is no validation to 
    check if reading a file is within the root directory. This can lead 
    to directory traversal vulnerabilities, resulting in unauthorized 
    access to arbitrary files on the system, even when symlinks are not 
    present. Disabling follow_symlinks and using a reverse proxy are 
    encouraged mitigations.
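The containment check that the CVE-2024-23334 text describes as missing, as an added example (not aiohttp's own code): the requested path is joined to the static root, symlinks and ".." are resolved, and the result is served only if it is still inside the root. The root and file names are constructed for illustration.

```python
from pathlib import Path
from typing import Optional

# Added example, not aiohttp's code. `root` is the configured static
# directory and `requested` is the untrusted path component from the URL.

def resolve_static_path(root: str, requested: str) -> Optional[str]:
    """Return the root-relative path that is safe to serve, or None.

    resolve() follows symlinks and collapses '..', so a link that points
    outside the root is rejected the same way a '../' sequence is.
    """
    root_real = Path(root).resolve()
    # Strip a leading '/' so an absolute request cannot replace the root.
    candidate = (root_real / requested.lstrip("/")).resolve()
    try:
        # Component-wise check: unlike str.startswith, this does not accept
        # a sibling directory such as '<root>-private'.
        rel = candidate.relative_to(root_real)
    except ValueError:
        return None  # escaped the static root
    return rel.as_posix()
```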

CVE-2024-23829

    Security-sensitive parts of the Python HTTP parser retained minor
    differences in the allowed character sets. These differences must
    trigger error handling so that frame boundaries robustly match
    those of proxies, which protects against injection of additional
    requests. Additionally, validation could trigger exceptions that
    were not handled consistently with the processing of other
    malformed input. Being more lenient than internet standards
    require could, depending on the deployment environment, assist in
    request smuggling. The unhandled exception could cause excessive
    resource consumption on the application server and/or its logging
    facilities.

CVE-2024-27306

    An XSS vulnerability exists on index pages for static file handling.

CVE-2024-30251

    In affected versions an attacker can send a specially crafted POST
    (multipart/form-data) request. When the aiohttp server processes
    it, the server will enter an infinite loop and be unable to process
    any further requests. An attacker can stop the application from
    serving requests after sending a single request.

CVE-2024-52304

    The Python parser parses newlines in chunk extensions incorrectly 
    which can lead to request smuggling vulnerabilities under certain 
    conditions. If a pure Python version of aiohttp is installed (i.e. 
    without the usual C extensions) or `AIOHTTP_NO_EXTENSIONS` is 
    enabled, then an attacker may be able to execute a request smuggling 
    attack to bypass certain firewalls or proxy protections.
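Strict framing checks of the kind both sides of a proxy chain must agree on, as an added example that is not code from the advisory or from aiohttp. It covers the CL/TE conflict and the unregistered coding value from CVE-2023-47641, the strict character-set handling of CVE-2024-23829, and the chunk-extension newline problem of CVE-2024-52304. The header list and chunk-size lines are assumed to be already split out of the request.

```python
import re
from typing import List, Tuple

# Added example, not aiohttp's parser. Transfer codings registered for
# HTTP/1.1 (RFC 9112); anything else, such as "chunked123", is rejected
# rather than being treated as chunked.
KNOWN_CODINGS = {"chunked", "gzip", "x-gzip", "deflate", "compress", "x-compress"}

# chunk-size line: HEXDIG+ *( ";" token [ "=" ( token / quoted-string ) ] ) CRLF
# A bare CR or LF inside an extension is not allowed, so no parser can take
# it for the end of the line while another one does not.
TOKEN = rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
CHUNK_SIZE_LINE = re.compile(
    rb"[0-9A-Fa-f]+(?:;" + TOKEN + rb"(?:=(?:\"[^\"\r\n]*\"|" + TOKEN + rb"))?)*\r\n"
)


def check_framing(headers: List[Tuple[str, str]]) -> Tuple[bool, str]:
    """Return (ok, reason) for the body-framing headers of one message."""
    cl = [v.strip() for n, v in headers if n.lower() == "content-length"]
    te = [v.strip() for n, v in headers if n.lower() == "transfer-encoding"]
    if cl and te:
        # The CL/TE ambiguity behind CVE-2023-47641: refuse to guess.
        return False, "both Content-Length and Transfer-Encoding present"
    if len(set(cl)) > 1:
        return False, "conflicting Content-Length values"
    for v in cl:
        if not re.fullmatch(r"[0-9]+", v):  # digits only, no sign or space
            return False, "malformed Content-Length"
    if te:
        codings = [c.strip().lower() for c in ",".join(te).split(",")]
        unknown = [c for c in codings if c not in KNOWN_CODINGS]
        if unknown:
            return False, f"unknown transfer coding {unknown[0]!r}"
        if codings[-1] != "chunked" or codings.count("chunked") != 1:
            return False, "chunked must be the final and only chunked coding"
    return True, "ok"


def chunk_size_line_ok(line: bytes) -> bool:
    """True if one raw chunk-size line is well formed and ends in CRLF."""
    return CHUNK_SIZE_LINE.fullmatch(line) is not None
```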

For Debian 11 bullseye, these problems have been fixed in version
3.7.4-1+deb11u1.

We recommend that you upgrade your python-aiohttp packages.

For the detailed security status of python-aiohttp please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/python-aiohttp

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
