CVE-2021-21330 (Medium) detected in aiohttp-3.6.1-cp37-cp37m-manylinux1_x86_64.whl - autoclosed

[mend-for-github-com]

CVE-2021-21330 - Medium Severity Vulnerability

Vulnerable Library - aiohttp-3.6.1-cp37-cp37m-manylinux1_x86_64.whl

Async http client/server framework (asyncio)

Library home page: https://files.pythonhosted.org/packages/76/96/3b0682d7d63d7ffb30d02e8a0d9242d6413affb7af5514eab27974e91585/aiohttp-3.6.1-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /docker/cortx-deploy/cortx-control/python_requirements.txt

Path to vulnerable library: /docker/cortx-deploy/cortx-control/python_requirements.txt,/docker/cortx-deploy/python_requirements.txt,/docker/cortx-deploy/cortx-data/python_requirements.txt,/scripts/third-party-rpm/python_requirements.txt,/docker/cortx-deploy/cortx-rgw/python_requirements.txt

Dependency Hierarchy:

• ❌ aiohttp-3.6.1-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: d7799fa3a6201447e75923b0a1eb82ea03a9594d

Found in base branch: main

Vulnerability Details

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In aiohttp before version 3.7.4 there is an open redirect vulnerability. A maliciously crafted link to an aiohttp-based web-server could redirect the browser to a different website. It is caused by a bug in the aiohttp.web_middlewares.normalize_path_middleware middleware. This security problem has been fixed in 3.7.4. Upgrade your dependency using pip as follows "pip install aiohttp >= 3.7.4". If upgrading is not an option for you, a workaround can be to avoid using aiohttp.web_middlewares.normalize_path_middleware in your applications.

Publish Date: 2021-02-26

URL: CVE-2021-21330

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-v6wp-4m6f-gcjg

Release Date: 2021-02-26

Fix Resolution: v3.7.4

---

⛑️ Automatic Remediation is available for this issue

[stale]

This issue/pull request has been marked as needs attention as it has been left pending without new activity for 4 days. Tagging @shailesh-vaidya for appropriate assignment. Sorry for the delay & Thank you for contributing to CORTX. We will get back to you as soon as possible.

[mend-for-github-com]

✔️ This issue was automatically closed by WhiteSource because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the WhiteSource inventory.

[cortx-admin]

For the convenience of the Seagate development team, this issue has been mirrored in a private Seagate Jira Server: https://jts.seagate.com/browse/CORTX-31809. Note that community members will not be able to access that Jira server but that is not a problem since all activity in that Jira mirror will be copied into this GitHub issue.