aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. The HTTP parser in AIOHTTP has numerous problems with header parsing, which could lead to request smuggling. This parser is only used when AIOHTTP_NO_EXTENSIONS is enabled (or not using a prebuilt wheel). These bugs have been addressed in commit `d5c12ba89` which has been included in release version 3.8.6. Users are advised to upgrade. There are no known workarounds for these issues.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2024:1536 advisory.

  - Ansible Automation Hub: insecure galaxy-importer tarfile extraction (CVE-2023-5189)

  - python-django: Denial-of-service possibility in django.utils.text.Truncator (CVE-2023-43665)

  - python-aiohttp: numerous issues in HTTP parser with header parsing (CVE-2023-47627)

  - aiohttp: HTTP request modification (CVE-2023-49081)

  - jinja2: HTML attribute injection when passing user input as keys to xmlattr filter (CVE-2024-22195)

  - aiohttp: follow_symlinks directory traversal vulnerability (CVE-2024-23334)

  - python-aiohttp: http request smuggling (CVE-2024-23829)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2024:1878 advisory.

  - python-django: Potential regular expression denial of service vulnerability in EmailValidator/URLValidator     (CVE-2023-36053)

  - python-aiohttp: HTTP request smuggling via llhttp HTTP request parser (CVE-2023-37276)

  - python-django: Potential denial of service vulnerability in  ``django.utils.encoding.uri_to_iri()``     (CVE-2023-41164)

  - python-django: Denial-of-service possibility in django.utils.text.Truncator (CVE-2023-43665)

  - python-aiohttp: numerous issues in HTTP parser with header parsing (CVE-2023-47627)

  - aiohttp: HTTP request modification (CVE-2023-49081)

  - aiohttp: CRLF injection if user controls the HTTP method using aiohttp client (CVE-2023-49082)

  - python-cryptography: NULL-dereference when loading PKCS7 certificates (CVE-2023-49083)

  - jinja2: HTML attribute injection when passing user input as keys to xmlattr filter (CVE-2024-22195)

  - aiohttp: follow_symlinks directory traversal vulnerability (CVE-2024-23334)

  - python-ecdsa: vulnerable to the Minerva attack (CVE-2024-23342)

  - python-aiohttp: http request smuggling (CVE-2024-23829)

  - Django: denial-of-service in ``intcomma`` template filter (CVE-2024-24680)

  - python-django: Potential regular expression denial-of-service in django.utils.text.Truncator.words()     (CVE-2024-27351)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 / 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2024:1640 advisory.

  - golang: net/http/internal: Denial of Service (DoS) via Resource Consumption via HTTP requests     (CVE-2023-39326)

  - GitPython: Blind local file inclusion (CVE-2023-41040)

  - axios: exposure of confidential data stored in cookies (CVE-2023-45857)

  - python-twisted: disordered HTTP pipeline response in twisted.web (CVE-2023-46137)

  - python-aiohttp: numerous issues in HTTP parser with header parsing (CVE-2023-47627)

  - python-cryptography: NULL-dereference when loading PKCS7 certificates (CVE-2023-49083)

  - golang-fips/openssl: Memory leaks in code encrypting and decrypting RSA payloads (CVE-2024-1394)

  - jinja2: HTML attribute injection when passing user input as keys to xmlattr filter (CVE-2024-22195)

  - aiohttp: follow_symlinks directory traversal vulnerability (CVE-2024-23334)

  - python-aiohttp: http request smuggling (CVE-2024-23829)

  - Django: denial-of-service in ``intcomma`` template filter (CVE-2024-24680)

  - python-django: Potential regular expression denial-of-service in django.utils.text.Truncator.words()     (CVE-2024-27351)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 / 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2024:1057 advisory.

  - pygments: ReDoS in pygments (CVE-2022-40896)

  - python-pillow: uncontrolled resource consumption when textlength in an ImageDraw instance operates on a     long text argument (CVE-2023-44271)

  - python-aiohttp: numerous issues in HTTP parser with header parsing (CVE-2023-47627)

  - aiohttp: HTTP request modification (CVE-2023-49081)

  - aiohttp: CRLF injection if user controls the HTTP method using aiohttp client (CVE-2023-49082)

  - pycryptodome: side-channel leakage for OAEP decryption in PyCryptodome and pycryptodomex (CVE-2023-52323)

  - ansible automation platform: Insecure websocket used when interacting with EDA server (CVE-2024-1657)

  - jinja2: HTML attribute injection when passing user input as keys to xmlattr filter (CVE-2024-22195)

  - Django: denial-of-service in ``intcomma`` template filter (CVE-2024-24680)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 / openSUSE 15 host has a package installed that is affected by multiple vulnerabilities as referenced in the SUSE-SU-2024:0577-1 advisory.

  - aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. The HTTP parser in AIOHTTP     has numerous problems with header parsing, which could lead to request smuggling. This parser is only used     when AIOHTTP_NO_EXTENSIONS is enabled (or not using a prebuilt wheel). These bugs have been addressed in     commit `d5c12ba89` which has been included in release version 3.8.6. Users are advised to upgrade. There     are no known workarounds for these issues. (CVE-2023-47627)

  - aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Affected versions of     aiohttp have a security vulnerability regarding the inconsistent interpretation of the http protocol.
    HTTP/1.1 is a persistent protocol, if both Content-Length(CL) and Transfer-Encoding(TE) header values are     present it can lead to incorrect interpretation of two entities that parse the HTTP and we can poison     other sockets with this incorrect interpretation. A possible Proof-of-Concept (POC) would be a     configuration with a reverse proxy(frontend) that accepts both CL and TE headers and aiohttp as backend.
    As aiohttp parses anything with chunked, we can pass a chunked123 as TE, the frontend entity will ignore     this header and will parse Content-Length. The impact of this vulnerability is that it is possible to     bypass any proxy rule, poisoning sockets to other users like passing Authentication Headers, also if it is     present an Open Redirect an attacker could combine it to redirect random users to another website and log     the request. This vulnerability has been addressed in release 3.8.0 of aiohttp. Users are advised to     upgrade. There are no known workarounds for this vulnerability. (CVE-2023-47641)

  - aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. When using aiohttp as a     web server and configuring static routes, it is necessary to specify the root path for static files.
    Additionally, the option 'follow_symlinks' can be used to determine whether to follow symbolic links     outside the static root directory. When 'follow_symlinks' is set to True, there is no validation to check     if reading a file is within the root directory. This can lead to directory traversal vulnerabilities,     resulting in unauthorized access to arbitrary files on the system, even when symlinks are not present.
    Disabling follow_symlinks and using a reverse proxy are encouraged mitigations. Version 3.9.2 fixes this     issue. (CVE-2024-23334)

  - aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Security-sensitive parts     of the Python HTTP parser retained minor differences in allowable character sets, that must trigger error     handling to robustly match frame boundaries of proxies in order to protect against injection of additional     requests. Additionally, validation could trigger exceptions that were not handled consistently with     processing of other malformed input. Being more lenient than internet standards require could, depending     on deployment environment, assist in request smuggling. The unhandled exception could cause excessive     resource consumption on the application server and/or its logging facilities. This vulnerability exists     due to an incomplete fix for CVE-2023-47627. Version 3.9.2 fixes this vulnerability. (CVE-2024-23829)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Fedora 39 host has packages installed that are affected by multiple vulnerabilities as referenced in the FEDORA-2023-5130a73b00 advisory.

  - aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. The HTTP parser in AIOHTTP     has numerous problems with header parsing, which could lead to request smuggling. This parser is only used     when AIOHTTP_NO_EXTENSIONS is enabled (or not using a prebuilt wheel). These bugs have been addressed in     commit `d5c12ba89` which has been included in release version 3.8.6. Users are advised to upgrade. There     are no known workarounds for these issues. (CVE-2023-47627)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Fedora 38 host has packages installed that are affected by multiple vulnerabilities as referenced in the FEDORA-2023-bc1f081ca0 advisory.

  - aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. The HTTP parser in AIOHTTP     has numerous problems with header parsing, which could lead to request smuggling. This parser is only used     when AIOHTTP_NO_EXTENSIONS is enabled (or not using a prebuilt wheel). These bugs have been addressed in     commit `d5c12ba89` which has been included in release version 3.8.6. Users are advised to upgrade. There     are no known workarounds for these issues. (CVE-2023-47627)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
194355	RHEL 8 : Satellite 6.14.3 Async Security Update (Moderate) (RHSA-2024:1536)	Nessus	Red Hat Local Security Checks	high
193467	RHEL 8 : RHUI 4.8 Release - Security Updates, Bug Fixes, and Enhancements (Moderate) (RHSA-2024:1878)	Nessus	Red Hat Local Security Checks	high
193086	RHEL 8 / 9 : Red Hat Ansible Automation Platform 2.4 Product Security and Bug Fix Update (Moderate) (RHSA-2024:1640)	Nessus	Red Hat Local Security Checks	high
191748	RHEL 8 / 9 : Red Hat Ansible Automation Platform 2.4 Product Security and Bug Fix Update (Important) (RHSA-2024:1057)	Nessus	Red Hat Local Security Checks	high
190879	SUSE SLED15 / SLES15 / openSUSE 15 Security Update : python-aiohttp, python-time-machine (SUSE-SU-2024:0577-1)	Nessus	SuSE Local Security Checks	high
186628	Fedora 39 : llhttp / python-aiohttp / uxplay (2023-5130a73b00)	Nessus	Fedora Local Security Checks	high
186627	Fedora 38 : llhttp / python-aiohttp / uxplay (2023-bc1f081ca0)	Nessus	Fedora Local Security Checks	high

Detections

Analytics

CVE-2023-47627

high

Tenable Plugins

high

high

high

high

high

high

high