This repository has been archived by the owner on Feb 7, 2024. It is now read-only.
CVE-2021-21330 (Medium) detected in aiohttp-3.6.1-cp37-cp37m-manylinux1_x86_64.whl - autoclosed #863
Labels
Mend: dependency security vulnerability
Security vulnerability detected by WhiteSource
needs-attention
CVE-2021-21330 - Medium Severity Vulnerability
Vulnerable Library - aiohttp-3.6.1-cp37-cp37m-manylinux1_x86_64.whl
Async http client/server framework (asyncio)
Library home page: https://files.pythonhosted.org/packages/76/96/3b0682d7d63d7ffb30d02e8a0d9242d6413affb7af5514eab27974e91585/aiohttp-3.6.1-cp37-cp37m-manylinux1_x86_64.whl
Path to dependency file: /docker/cortx-deploy/cortx-control/python_requirements.txt
Path to vulnerable library: /docker/cortx-deploy/cortx-control/python_requirements.txt,/docker/cortx-deploy/python_requirements.txt,/docker/cortx-deploy/cortx-data/python_requirements.txt,/scripts/third-party-rpm/python_requirements.txt,/docker/cortx-deploy/cortx-rgw/python_requirements.txt
Dependency Hierarchy:
Found in HEAD commit: d7799fa3a6201447e75923b0a1eb82ea03a9594d
Found in base branch: main
Vulnerability Details
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In aiohttp before version 3.7.4 there is an open redirect vulnerability. A maliciously crafted link to an aiohttp-based web-server could redirect the browser to a different website. It is caused by a bug in the aiohttp.web_middlewares.normalize_path_middleware middleware. This security problem has been fixed in 3.7.4. Upgrade your dependency using pip as follows "pip install aiohttp >= 3.7.4". If upgrading is not an option for you, a workaround can be to avoid using aiohttp.web_middlewares.normalize_path_middleware in your applications.

Publish Date: 2021-02-26
URL: CVE-2021-21330
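The advisory names the middleware but not the trigger. The following is an added illustration, written for this issue and not aiohttp's code nor text from the advisory, of the bug class it describes: a path-normalising redirect that builds its Location header from the raw request path, so a request for "//other-host/..." can produce a Location that the browser reads as a scheme-relative URL and follows off-site. The router (catch_all_router), the sample paths, the "hardened" collapse of leading slashes, and the treatment of backslash as a slash are all constructed assumptions here, not verified details of the fixed aiohttp release.

```python
import re
from typing import Callable, List, Optional

# Constructed stand-in for a path-normalising redirect middleware. This is NOT
# aiohttp's code; it only reproduces the shape of the bug class named in the
# advisory: a redirect whose Location is built from the raw request path.


def candidate_paths(path: str, merge_slashes: bool = True, append_slash: bool = True) -> List[str]:
    """Normalised variants of `path` a redirect middleware might try, in order."""
    candidates = []
    if merge_slashes:
        candidates.append(re.sub("//+", "/", path))          # "/a//b" -> "/a/b"
    if append_slash and not path.endswith("/"):
        candidates.append(path + "/")                         # "/a" -> "/a/"
        if merge_slashes:
            candidates.append(re.sub("//+", "/", path + "/"))
    return candidates


def redirect_location(path_with_query: str,
                      resolves: Callable[[str], bool],
                      hardened: bool) -> Optional[str]:
    """Return the Location header the middleware would emit, or None if the
    request already resolves (or no variant does).

    `resolves` is the application's router check (constructed by the caller).
    `hardened=True` collapses leading slashes before the router lookup, so the
    emitted Location can never start with "//" (assumed hardening for this
    example, not copied from aiohttp).
    """
    path, _, query = path_with_query.partition("?")
    query = "?" + query if query else ""
    if resolves(path):
        return None  # normal request: the handler runs, no redirect
    for candidate in candidate_paths(path):
        if hardened:
            # Browsers treat backslash like slash in http(s) URLs, so collapse both.
            candidate = re.sub(r"^[/\\]+", "/", candidate)
        if resolves(candidate):
            return candidate + query
    return None


def is_scheme_relative(location: str) -> bool:
    """True if a browser would take the host from the Location itself:
    two or more leading (back)slashes, e.g. "//evil.example/"."""
    return re.match(r"^[/\\]{2}", location) is not None


def catch_all_router(path: str) -> bool:
    """Constructed router: accepts any path that starts and ends with "/",
    the way a catch-all route with a required trailing slash would."""
    return re.fullmatch(r"/.*/", path) is not None


if __name__ == "__main__":
    # Constructed sample requests: a benign one, a "//host" one, a "/\host" one.
    for raw in ["/docs", "//evil.example/docs?next=1", "/\\evil.example/docs"]:
        for hardened in (False, True):
            loc = redirect_location(raw, catch_all_router, hardened)
            verdict = "OPEN REDIRECT" if loc and is_scheme_relative(loc) else "ok"
            print(f"{raw!r:32} hardened={hardened!s:5} -> {loc!r}  {verdict}")
```

The unhardened path shows why the advisory's workaround (not using the middleware) closes the hole: without it no Location is derived from the request path at all. The same property can be checked from outside against a deployment: a request for "//some-other-host/<known route>" without its trailing slash must never come back with a Location beginning with two slashes (or a slash and a backslash).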
CVSS 3 Score Details (6.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-v6wp-4m6f-gcjg
Release Date: 2021-02-26
Fix Resolution: v3.7.4
⛑️ Automatic Remediation is available for this issue