Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CVE-2023-49082 (Medium) detected in aiohttp-3.8.6-cp310-cp310-macosx_10_9_universal2.whl, aiohttp-3.8.6-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl #621

Closed
1 task
Tracked by #715
mend-for-github-com bot opened this issue Nov 29, 2023 · 1 comment · Fixed by #717
Closed
1 task
Tracked by #715

CVE-2023-49082 (Medium) detected in aiohttp-3.8.6-cp310-cp310-macosx_10_9_universal2.whl, aiohttp-3.8.6-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl #621

mend-for-github-com bot opened this issue Nov 29, 2023 · 1 comment · Fixed by #717
Labels
good first issue Good for newcomers Mend: dependency security vulnerability Security vulnerability detected by WhiteSource

Comments

@mend-for-github-com
Copy link
Contributor

mend-for-github-com bot commented Nov 29, 2023
edited
Loading

CVE-2023-49082 - Medium Severity Vulnerability

Vulnerable Libraries - aiohttp-3.8.6-cp310-cp310-macosx_10_9_universal2.whl, aiohttp-3.8.6-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

aiohttp-3.8.6-cp310-cp310-macosx_10_9_universal2.whl

Async http client/server framework (asyncio)

Library home page: https://files.pythonhosted.org/packages/90/89/b332d6d2b27d84a876baba1405c6c51b85d30dd474878ef35646f0021a1c/aiohttp-3.8.6-cp310-cp310-macosx_10_9_universal2.whl

Dependency Hierarchy:

  • aiohttp-3.8.6-cp310-cp310-macosx_10_9_universal2.whl (Vulnerable Library)
aiohttp-3.8.6-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

Async http client/server framework (asyncio)

Library home page: https://files.pythonhosted.org/packages/a5/e7/af237a28203958d885f7f57731cb4f9c510597a35c593c5c20224dd72072/aiohttp-3.8.6-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

Path to dependency file: /dev-requirements.txt

Path to vulnerable library: /dev-requirements.txt

Dependency Hierarchy:

  • aiohttp-3.8.6-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 7ad68d5c4c4825f902056eedb38cd852ffb71d1a

Found in base branch: main

Vulnerability Details

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Improper validation makes it possible for an attacker to modify the HTTP request (e.g. insert a new header) or even create a new HTTP request if the attacker controls the HTTP method. The vulnerability occurs only if the attacker can control the HTTP method (GET, POST etc.) of the request. If the attacker can control the HTTP version of the request it will be able to modify the request (request smuggling). This issue has been patched in version 3.9.0.

Publish Date: 2023-11-29

URL: CVE-2023-49082

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-qvrw-v9rv-5rjx

Release Date: 2023-11-29

Fix Resolution: 3.9.0

  • Check this box to open an automated fix PR
@mend-for-github-com mend-for-github-com bot added the Mend: dependency security vulnerability Security vulnerability detected by WhiteSource label Nov 29, 2023
@github-actions github-actions bot added the untriaged Need triage label Nov 29, 2023
@saimedhi saimedhi added good first issue Good for newcomers and removed untriaged Need triage labels Nov 29, 2023
@saimedhi saimedhi mentioned this issue Dec 14, 2023
Closed
@mend-for-github-com mend-for-github-com bot changed the title CVE-2023-49082 (Medium) detected in aiohttp-3.8.6-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl CVE-2023-49082 (Medium) detected in aiohttp-3.8.6-cp310-cp310-macosx_10_9_universal2.whl, aiohttp-3.8.6-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl Dec 15, 2023
@mend-for-github-com mend-for-github-com bot changed the title CVE-2023-49082 (Medium) detected in aiohttp-3.8.6-cp310-cp310-macosx_10_9_universal2.whl, aiohttp-3.8.6-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl CVE-2023-49082 (Medium) detected in aiohttp-3.8.6-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl Jan 19, 2024
@mend-for-github-com mend-for-github-com bot changed the title CVE-2023-49082 (Medium) detected in aiohttp-3.8.6-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl CVE-2023-49082 (Medium) detected in aiohttp-3.8.6-cp310-cp310-macosx_10_9_universal2.whl, aiohttp-3.8.6-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl Mar 22, 2024
@saimedhi saimedhi mentioned this issue Apr 2, 2024
Closed
5 tasks
@saimedhi
Copy link
Collaborator

saimedhi commented Apr 2, 2024

To upgrade aiohttp to 3.9.0 requires Python >=3.8. But opensearch-py currently supports Python 3.6 and 3.7 versions as well.

@saimedhi saimedhi mentioned this issue Apr 4, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
good first issue Good for newcomers Mend: dependency security vulnerability Security vulnerability detected by WhiteSource
Projects
None yet
Milestone
No milestone
1 participant
@saimedhi