aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In aiohttp before version 3.7.4 there is an open redirect vulnerability. A maliciously crafted link to an aiohttp-based web-server could redirect the browser to a different website. It is caused by a bug in the `aiohttp.web_middlewares.normalize_path_middleware` middleware. This security problem has been fixed in 3.7.4. Upgrade your dependency using pip as follows "pip install aiohttp >= 3.7.4". If upgrading is not an option for you, a workaround can be to avoid using `aiohttp.web_middlewares.normalize_path_middleware` in your applications.

The remote Ubuntu 18.04 ESM / 20.04 ESM host has a package installed that is affected by a vulnerability as referenced in the USN-5386-1 advisory.

  - aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In aiohttp before version     3.7.4 there is an open redirect vulnerability. A maliciously crafted link to an aiohttp-based web-server     could redirect the browser to a different website. It is caused by a bug in the     `aiohttp.web_middlewares.normalize_path_middleware` middleware. This security problem has been fixed in     3.7.4. Upgrade your dependency using pip as follows pip install aiohttp >= 3.7.4. If upgrading is not an     option for you, a workaround can be to avoid using `aiohttp.web_middlewares.normalize_path_middleware` in     your applications. (CVE-2021-21330)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote host is affected by the vulnerability described in GLSA-202208-19 (aiohttp: Open redirect vulnerability)

  - aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In aiohttp before version     3.7.4 there is an open redirect vulnerability. A maliciously crafted link to an aiohttp-based web-server     could redirect the browser to a different website. It is caused by a bug in the     `aiohttp.web_middlewares.normalize_path_middleware` middleware. This security problem has been fixed in     3.7.4. Upgrade your dependency using pip as follows pip install aiohttp >= 3.7.4. If upgrading is not an     option for you, a workaround can be to avoid using `aiohttp.web_middlewares.normalize_path_middleware` in     your applications. (CVE-2021-21330)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

According to its self-reported version, the AIOHTTP server hosted on the remote host is prior to version 3.7.4. It is, therefore, affected by a open redirect vulnerability. A maliciously crafted link to an aiohttp-based web-server could redirect the clients browser to a different website.

Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:4702 advisory.

  - python-ecdsa: Unexpected and  undocumented exceptions during signature decoding (CVE-2019-14853)

  - python-ecdsa: DER encoding is not being verified in signatures (CVE-2019-14859)

  - rubygem-activerecord-session_store: hijack sessions by using timing attacks targeting the session id     (CVE-2019-25025)

  - rake: OS Command Injection via egrep in Rake::FileList (CVE-2020-8130)

  - guava: local information disclosure via temporary directory created with unsafe permissions     (CVE-2020-8908)

  - PyYAML: incomplete fix for CVE-2020-1747 (CVE-2020-14343)

  - rubygem-nokogiri: XML external entity injection via Nokogiri::XML::Schema (CVE-2020-26247)

  - Satellite: Azure compute resource secret_key leak to authenticated users (CVE-2021-3413)

  - foreman: possible man-in-the-middle in smart_proxy realm_freeipa (CVE-2021-3494)

  - Satellite: BMC controller credential leak via API (CVE-2021-20256)

  - python-aiohttp: Open redirect in aiohttp.web_middlewares.normalize_path_middleware (CVE-2021-21330)

  - rubygem-actionpack: Possible Information Disclosure / Unintended Method Execution in Action Pack     (CVE-2021-22885)

  - rails: Possible Denial of Service vulnerability in Action Dispatch (CVE-2021-22902)

  - rails: Possible DoS Vulnerability in Action Controller Token Authentication (CVE-2021-22904)

  - django: potential directory-traversal via uploaded files (CVE-2021-28658)

  - rubygem-puma: incomplete fix for CVE-2019-16770 allows Denial of Service (DoS) (CVE-2021-29509)

  - django: Potential directory-traversal via uploaded files (CVE-2021-31542)

  - rubygem-addressable: ReDoS in templates (CVE-2021-32740)

  - django: Potential directory traversal via ``admindocs`` (CVE-2021-33203)

  - python-urllib3: ReDoS in the parsing of authority part of URL (CVE-2021-33503)

  - django: Possible indeterminate SSRF, RFI, and LFI attacks since validators accepted leading zeros in IPv4     addresses (CVE-2021-33571)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Sviatoslav Sydorenko reports :

Open redirect vulnerability -- a maliciously crafted link to an aiohttp-based web-server could redirect the browser to a different website.

It is caused by a bug in the aiohttp.web_middlewares.normalize_path_middleware middleware.

The remote Fedora 33 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2021-673b10ed77 advisory.

  - aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In aiohttp before version     3.7.4 there is an open redirect vulnerability. A maliciously crafted link to an aiohttp-based web-server     could redirect the browser to a different website. It is caused by a bug in the     `aiohttp.web_middlewares.normalize_path_middleware` middleware. This security problem has been fixed in     3.7.4. Upgrade your dependency using pip as follows pip install aiohttp >= 3.7.4. If upgrading is not an     option for you, a workaround can be to avoid using `aiohttp.web_middlewares.normalize_path_middleware` in     your applications. (CVE-2021-21330)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Beast Glatisant and Jelmer Vernooij reported that python-aiohttp, a async HTTP client/server framework, is prone to an open redirect vulnerability. A maliciously crafted link to an aiohttp-based web-server could redirect the browser to a different website.

ID	Name	Product	Family	Severity
183140	Ubuntu 18.04 ESM / 20.04 ESM : AIOHTTP vulnerability (USN-5386-1)	Nessus	Ubuntu Local Security Checks	medium
164052	GLSA-202208-19 : aiohttp: Open redirect vulnerability	Nessus	Gentoo Local Security Checks	medium
113196	AIOHTTP < 3.7.4 Open Redirect Vulnerability	Web App Scanning	Component Vulnerability	medium
155377	RHEL 7 : Satellite 6.10 Release (Moderate) (RHSA-2021:4702)	Nessus	Red Hat Local Security Checks	critical
150260	FreeBSD : aiohttp -- open redirect vulnerability (3000acee-c45d-11eb-904f-14dae9d5a9d2)	Nessus	FreeBSD Local Security Checks	medium
147188	Fedora 33 : python-aiohttp (2021-673b10ed77)	Nessus	Fedora Local Security Checks	medium
146895	Debian DSA-4864-1 : python-aiohttp - security update	Nessus	Debian Local Security Checks	medium

Detections

Analytics

CVE-2021-21330

medium

Tenable Plugins

medium

medium

medium

critical

medium

medium

medium