CVSS3: 5.3 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: LOW
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
AI Score: 7 High (Confidence: High)
EPSS: 0.001 Low (Percentile: 19.8%)
aiohttp is vulnerable to HTTP request smuggling. The vulnerability exists due to improper HTTP method validation in the __init__ function of client_reqrep.py. If an attacker can control the HTTP method (GET, POST, etc.), they can modify the HTTP request, such as inserting a new header or even creating a new HTTP request, which ultimately leads to HTTP request smuggling.
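Added example, not from the advisory or from aiohttp's own code: a defender-side check that refuses any HTTP method which is not a single RFC 7230 token, so a caller-controlled method cannot carry whitespace or CR/LF into the request line. The function names and sample inputs are hypothetical constructions; the actual fix in the linked commit may be implemented differently.

```python
import re

# RFC 7230 "token" characters are the only ones allowed in an HTTP method.
# Anything else (space, CR, LF, colon, ...) could end the request line early
# and let the remaining bytes be parsed as headers or as a second request.
_TOKEN_RE = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")


def is_valid_method(method: str) -> bool:
    """Return True only if `method` is exactly one RFC 7230 token."""
    # fullmatch (not match) so a trailing newline cannot slip past the check
    return _TOKEN_RE.fullmatch(method) is not None


def build_request_line(method: str, path: str, version: str = "HTTP/1.1") -> str:
    """Serialize a request line, refusing a method that is not a clean token.

    Hypothetical helper standing in for a client's request serializer; the
    validation of `method` is the mitigation, the formatting is incidental.
    """
    if not is_valid_method(method):
        raise ValueError(f"invalid HTTP method: {method!r}")
    return f"{method.upper()} {path} {version}\r\n"


# Constructed sample inputs (not taken from the advisory): ordinary methods
# pass; a method carrying CR/LF, whitespace or nothing at all is refused.
SAMPLES = {
    "GET": True,
    "POST": True,
    "PATCH": True,
    "GET\r\nX-Constructed: 1": False,  # embedded line break would add a header
    "GET\n": False,
    "GET POST": False,
    "": False,
}


def check_samples() -> dict:
    """Run the validator over every constructed sample."""
    return {m: is_valid_method(m) for m in SAMPLES}


if __name__ == "__main__":
    for method, expected in SAMPLES.items():
        print(f"{method!r:30} valid={is_valid_method(method)} expected={expected}")
```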
gist.github.com/jnovikov/7f411ae9fe6a9a7804cf162a3bdbb44b
github.com/aio-libs/aiohttp/commit/e4ae01c2077d2cfa116aa82e4ff6866857f7c466
github.com/aio-libs/aiohttp/pull/7806/files
github.com/aio-libs/aiohttp/security/advisories/GHSA-qvrw-v9rv-5rjx
lists.fedoraproject.org/archives/list/[email protected]/message/TY5SI6NK5243DEEDQUFKQKW5GQNKQUMA/
lists.fedoraproject.org/archives/list/[email protected]/message/WSYWMP64ZFCTC3VO6RY6EC6VSSMV6I3A/