CVE-2023-49082 (Medium) detected in aiohttp-3.8.6-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl #2329
Labels
Mend: dependency security vulnerability
Security vulnerability detected by WhiteSource
CVE-2023-49082 - Medium Severity Vulnerability
Async http client/server framework (asyncio)
Library home page: https://files.pythonhosted.org/packages/a5/e7/af237a28203958d885f7f57731cb4f9c510597a35c593c5c20224dd72072/aiohttp-3.8.6-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
Path to dependency file: /dev-requirements.txt
Path to vulnerable library: /dev-requirements.txt,/tmp/ws-scm/gns3-server
Dependency Hierarchy:
Found in HEAD commit: fda2a37b98507f17a864087fe28ef6b2dcf1984c
Found in base branches: 2.2, master
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Improper validation makes it possible for an attacker to modify the HTTP request (e.g. insert a new header) or even create a new HTTP request if the attacker controls the HTTP method. The vulnerability occurs only if the attacker can control the HTTP method (GET, POST, etc.) of the request. If the attacker can control the HTTP version of the request, they will be able to modify the request (request smuggling). This issue has been patched in version 3.9.0.
Publish Date: 2023-11-29
URL: CVE-2023-49082
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-qvrw-v9rv-5rjx
Release Date: 2023-11-29
Fix Resolution: 3.9.0