CVE-2023-49081
aiohttp's ClientSession is vulnerable to CRLF injection via version
Severity: HIGH (7.2, CVSS 3.1)
EPSS: 0.47%
Description
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Improper validation made it possible for an attacker to modify the HTTP request (e.g. to insert a new header) or create a new HTTP request if the attacker controls the HTTP version. The vulnerability only occurs if the attacker can control the HTTP version of the request. This issue has been patched in version 3.9.0.
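The following Python is an added illustration of the defensive check the description implies, not aiohttp's own code or the referenced patch: a caller-supplied HTTP version is parsed strictly (digits, a dot, digits, or a pair of non-negative ints) before it is ever interpolated into the request line, and the assembled request line is checked once more for control characters so that a CR or LF smuggled in through any request-line component is rejected instead of starting a new header or request. The `HttpVersion` tuple, the function names and the sample inputs are constructed for this example.

```python
import re
from typing import NamedTuple, Tuple, Union

# Only ASCII digits on both sides of a single dot are accepted. re.fullmatch
# requires the whole string to match, so a trailing "\r\n..." cannot slip past.
_VERSION_RE = re.compile(r"([0-9]+)\.([0-9]+)")
# HTTP method token characters (RFC 9110 tchar), no whitespace or controls.
_METHOD_RE = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
# Any C0 control character or DEL anywhere in the line is a CRLF/header-injection risk.
_CONTROL_CHARS_RE = re.compile(r"[\x00-\x1f\x7f]")


class HttpVersion(NamedTuple):
    """(major, minor) pair; mirrors the shape of an HTTP version, defined here for the example."""
    major: int
    minor: int


def parse_http_version(version: Union[str, Tuple[int, int]]) -> HttpVersion:
    """Strictly validate an attacker-influenceable HTTP version value.

    Accepts "1.1"-style strings or a (major, minor) pair of plain ints and
    raises ValueError for everything else, so control characters never reach
    the request line.
    """
    if isinstance(version, str):
        match = _VERSION_RE.fullmatch(version)
        if match is None:
            raise ValueError(f"invalid HTTP version string: {version!r}")
        return HttpVersion(int(match.group(1)), int(match.group(2)))
    if isinstance(version, tuple) and len(version) == 2:
        major, minor = version
        # type(...) is int excludes bool and any str subclass that could carry text.
        if type(major) is int and type(minor) is int and major >= 0 and minor >= 0:
            return HttpVersion(major, minor)
    raise ValueError(f"invalid HTTP version value: {version!r}")


def is_valid_version(version: Union[str, Tuple[int, int]]) -> bool:
    """Convenience predicate: True if parse_http_version accepts the value."""
    try:
        parse_http_version(version)
        return True
    except ValueError:
        return False


def build_request_line(method: str, path: str, version: Union[str, Tuple[int, int]]) -> str:
    """Assemble "METHOD PATH HTTP/x.y\\r\\n", refusing any injected control characters."""
    if not _METHOD_RE.fullmatch(method):
        raise ValueError(f"invalid HTTP method: {method!r}")
    if not path.startswith("/") or _CONTROL_CHARS_RE.search(path) or " " in path:
        raise ValueError(f"invalid request target: {path!r}")
    v = parse_http_version(version)
    line = f"{method} {path} HTTP/{v.major}.{v.minor}"
    # Belt and braces: even if a component check above is later relaxed, the
    # finished line must contain no CR, LF or other control byte before we append CRLF.
    if _CONTROL_CHARS_RE.search(line):
        raise ValueError("control character in request line")
    return line + "\r\n"


if __name__ == "__main__":
    # Constructed sample inputs: one benign version and one carrying a CRLF sequence.
    for sample in ["1.1", (2, 0), "1.1\r\nX-Injected: yes", "1.1\r\n\r\nGET /admin HTTP/1.1"]:
        print(repr(sample), "->", "accepted" if is_valid_version(sample) else "rejected")
    print(repr(build_request_line("GET", "/index.html", "1.1")))
```

The key design choice is allow-listing rather than deny-listing: instead of stripping `\r` and `\n` from the version, the parser accepts only the exact grammar an HTTP version can have and converts it to integers, so the request line is built from values that cannot carry bytes of any kind.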
How to fix CVE-2023-49081
To remediate CVE-2023-49081, upgrade the affected package to one of the fixed versions listed below.
- upgrade to 3.7.4-1+deb11u1 or later
- upgrade to 3.9.0 or later
- upgrade to 1e86b777e61cf4eefc7d92fa57fa19dcc676013b or later
Is CVE-2023-49081 being exploited?
Low — EPSS is 0.5%, meaning exploitation activity has not been observed at scale.
Affected packages (3)
- from 0, < 3.7.4-1+deb11u1
- from 0, < 3.9.0
- from 0, < 1e86b777e61cf4eefc7d92fa57fa19dcc676013b | from 0, < 3.9.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N |
| osv | CVSS 3.1 | HIGH 7.2 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N |