CVE-2023-49082
aiohttp's ClientSession is vulnerable to CRLF injection via method
Description
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Improper validation makes it possible for an attacker to modify the HTTP request (e.g. insert a new header) or even create a new HTTP request if the attacker controls the HTTP method. The vulnerability occurs only if the attacker can control the HTTP method (GET, POST etc.) of the request. If the attacker can control the HTTP version of the request, they will be able to modify the request (request smuggling). This issue has been patched in version 3.9.0.
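As an added example (not aiohttp's own code), this is the kind of input check a caller can apply before handing an externally supplied method to any HTTP client: a method must be an RFC 9110 token, so every character outside that set, CR and LF included, is rejected before the method is written into the request line. The serializer below is a simplified illustration of how an HTTP/1.1 client frames a request, not aiohttp's implementation.

```python
import re

# RFC 9110 "token" characters: tchar = "!" / "#" / "$" / "%" / "&" / "'" / "*"
#   / "+" / "-" / "." / "^" / "_" / "`" / "|" / "~" / DIGIT / ALPHA
# Anything outside this set (CR, LF, space, ...) would let a caller-supplied
# method end the request line early and smuggle extra header lines.
_NON_TOKEN_RE = re.compile(r"[^-!#$%&'*+.^_`|~0-9a-zA-Z]")


def validate_method(method: str) -> str:
    """Return the method unchanged if it is a valid HTTP token, else raise."""
    if not method:
        raise ValueError("HTTP method must not be empty")
    match = _NON_TOKEN_RE.search(method)
    if match:
        raise ValueError(
            f"method contains non-token character {match.group()!r} "
            f"at index {match.start()}"
        )
    return method


def build_request_head(method: str, path: str, headers: dict) -> bytes:
    """Serialise a request line plus headers the way an HTTP/1.1 client does.

    Illustrative only (not aiohttp's serializer): the method is placed verbatim
    at the front of the CRLF-delimited request line, which is why a CR or LF
    inside it would be read by the server as the end of that line. Validation
    happens first so that a bad method never reaches the wire.
    """
    method = validate_method(method)
    lines = [f"{method} {path} HTTP/1.1"]
    lines += [f"{k}: {v}" for k, v in headers.items()]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def is_safe_method(method: str) -> bool:
    """Boolean form, convenient for validating user input at an API boundary."""
    try:
        validate_method(method)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    print(build_request_head("GET", "/health", {"Host": "example.test"}).decode())
    # Constructed sample of a method value that must be rejected.
    print(is_safe_method("GET\r\nX-Injected: 1"))  # False
```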
How to fix CVE-2023-49082
To remediate CVE-2023-49082, upgrade the affected package to a fixed version below.
- upgrade to 3.7.4-1+deb11u1 or later
- upgrade to 3.9.0 or later
- upgrade to e4ae01c2077d2cfa116aa82e4ff6866857f7c466 or later
Is CVE-2023-49082 being exploited?
Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.
Affected packages (3)
- from 0, < 3.7.4-1+deb11u1
- from 0, < 3.9.0
- from 0, < e4ae01c2077d2cfa116aa82e4ff6866857f7c466 | from 0, < 3.9.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | MEDIUM 5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |