CVE-2023-49082

aiohttp's ClientSession is vulnerable to CRLF injection via method

Description

### Summary
Improper validation makes it possible for an attacker to modify the HTTP request (e.g. insert a new header) or even create a new HTTP request if the attacker controls the HTTP method.
### Details
The vulnerability occurs only if the attacker can control the HTTP method (GET, POST etc.) of the request.

Previous releases performed no validation on the provided value. If an attacker controls the HTTP method, it is used as-is in the request line, which can lead to HTTP request smuggling.

### PoC
A minimal example can be found here:
https://gist.github.com/jnovikov/7f411ae9fe6a9a7804cf162a3bdbb44b

### Impact
If the attacker can control the HTTP method of the request, they will be able to modify the request (request smuggling).

### Workaround
If you cannot upgrade and you pass user-provided values as the request method, validate the value yourself (e.g. by restricting it to a small allowlist of known methods such as GET and POST).
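One way to implement this workaround, as an added example that is not part of the advisory or of aiohttp itself (the allowlist contents and the function names are assumptions; adjust the allowlist to the methods your application actually needs):

```python
import re

# Application-specific allowlist, as the advisory's workaround recommends
# (assumed set; keep it as small as your application allows).
ALLOWED_METHODS = frozenset({"GET", "POST", "PUT", "DELETE", "HEAD", "OPTIONS", "PATCH"})

# HTTP "token" characters (RFC 9110): CR, LF, space and ':' are not among
# them, so a value that passes this check cannot break out of the request
# line or smuggle a header.
_TOKEN_RE = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")


class InvalidMethod(ValueError):
    """Raised when a user-supplied HTTP method is rejected."""


def validate_method(method: str) -> str:
    """Return the method in canonical upper-case form or raise InvalidMethod.

    Two layers: syntactic (must be a valid token) and policy (must be on
    the allowlist). Either failure rejects the value before any I/O.
    """
    if not isinstance(method, str) or not method:
        raise InvalidMethod("method must be a non-empty string")
    if not _TOKEN_RE.fullmatch(method):
        raise InvalidMethod(f"method contains disallowed characters: {method!r}")
    canonical = method.upper()
    if canonical not in ALLOWED_METHODS:
        raise InvalidMethod(f"method not permitted: {canonical}")
    return canonical


def is_safe_method(method: str) -> bool:
    """Boolean form of the same check, for callers that prefer a predicate."""
    try:
        validate_method(method)
        return True
    except InvalidMethod:
        return False


# Intended call site (aiohttp is deliberately not imported so this module
# runs stand-alone):
#   async with aiohttp.ClientSession() as session:
#       async with session.request(validate_method(user_method), url) as resp:
#           ...
```

A constructed value such as `"GET\r\nX-Injected: 1"` is rejected by the token check, and a well-formed but unexpected method such as `TRACE` is rejected by the allowlist.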

Patch: https://github.com/aio-libs/aiohttp/pull/7806/files

Patch Available

Vulnerability Details

| Field | Value |
|---|---|
| Score | 5.3 |
| Score Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
| Affected Versions | aiohttp < 3.9.0 |
| Severity | Medium |
| Ecosystem | Python |
| Publish Date | November 27, 2023 |
| Modified Date | September 3, 2024 |