aiohttp-3.10.10-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl: 2 vulnerabilities (highest severity is: 7.5) #172
Labels
Mend: dependency security vulnerability
Security vulnerability detected by Mend
Comments
mend-bolt-for-github
bot
added
the
Mend: dependency security vulnerability
mend-bolt-for-github
bot
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Async http client/server framework (asyncio)
Library home page: https://files.pythonhosted.org/packages/c1/e4/afba7327da4d932da8c6e29aecaf855f9d52dace53ac15bfc8030a246f1b/aiohttp-3.10.10-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
Path to dependency file: /server/intelligence-service/.ws-temp-CTLXSQ-requirements.txt
Path to vulnerable library: /home/wss-scanner/.cache/pypoetry/virtualenvs/intelligence-service-ndLTr3N6-py3.13/lib/python3.13/site-packages/aiohttp-3.10.10.dist-info
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - aiohttp-3.10.10-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
Async http client/server framework (asyncio)
Library home page: https://files.pythonhosted.org/packages/c1/e4/afba7327da4d932da8c6e29aecaf855f9d52dace53ac15bfc8030a246f1b/aiohttp-3.10.10-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
Path to dependency file: /server/intelligence-service/.ws-temp-CTLXSQ-requirements.txt
Path to vulnerable library: /home/wss-scanner/.cache/pypoetry/virtualenvs/intelligence-service-ndLTr3N6-py3.13/lib/python3.13/site-packages/aiohttp-3.10.10.dist-info
Dependency Hierarchy:
Found in base branch: develop
Vulnerability Details
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In versions starting with 3.10.6 and prior to 3.10.11, a memory leak can occur when a request produces a MatchInfoError. This was caused by adding an entry to a cache on each request, due to the building of each MatchInfoError producing a unique cache entry. An attacker may be able to exhaust the memory resources of a server by sending a substantial number (100,000s to millions) of such requests. Those who use any middlewares with aiohttp.web should upgrade to version 3.10.11 to receive a patch.
Publish Date: 2024-11-18
URL: CVE-2024-52303
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-27mf-ghqm-j3j8
Release Date: 2024-11-18
Fix Resolution: 3.10.11
Step up your Open Source Security Game with Mend here
Vulnerable Library - aiohttp-3.10.10-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
Async http client/server framework (asyncio)
Library home page: https://files.pythonhosted.org/packages/c1/e4/afba7327da4d932da8c6e29aecaf855f9d52dace53ac15bfc8030a246f1b/aiohttp-3.10.10-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
Path to dependency file: /server/intelligence-service/.ws-temp-CTLXSQ-requirements.txt
Path to vulnerable library: /home/wss-scanner/.cache/pypoetry/virtualenvs/intelligence-service-ndLTr3N6-py3.13/lib/python3.13/site-packages/aiohttp-3.10.10.dist-info
Dependency Hierarchy:
Found in base branch: develop
Vulnerability Details
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.10.11, the Python parser parses newlines in chunk extensions incorrectly which can lead to request smuggling vulnerabilities under certain conditions. If a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or "AIOHTTP_NO_EXTENSIONS" is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections. Version 3.10.11 fixes the issue.
Publish Date: 2024-11-18
URL: CVE-2024-52304
CVSS 3 Score Details (0.0)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-8495-4g3g-x7pr
Release Date: 2024-11-18
Fix Resolution: 3.10.11
Step up your Open Source Security Game with Mend here
The text was updated successfully, but these errors were encountered: