CVE-2021-21330
Published: 26 February 2021
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In aiohttp before version 3.7.4 there is an open redirect vulnerability. A maliciously crafted link to an aiohttp-based web server could redirect the browser to a different website. It is caused by a bug in the `aiohttp.web_middlewares.normalize_path_middleware` middleware. This security problem has been fixed in 3.7.4. Upgrade your dependency using pip as follows: `pip install "aiohttp>=3.7.4"` (the version specifier is quoted so the shell does not treat `>` as a redirection). If upgrading is not an option for you, a workaround can be to avoid using `aiohttp.web_middlewares.normalize_path_middleware` in your applications.
Notes
Author | Note |
---|---|
sbeattie | vuln introduced in upstream commit 8c44b2189d24c1c9f94d6733b5038761451fb3bc (v1.3.0) |
Priority
Status
Package | Release | Status |
---|---|---|
python-aiohttp (Launchpad, Ubuntu, Debian) | jammy | Not vulnerable (3.7.4-1) |
python-aiohttp | lunar | Not vulnerable (3.7.4-1) |
python-aiohttp | impish | Not vulnerable (3.7.4-1) |
python-aiohttp | groovy | Ignored (end of life) |
python-aiohttp | hirsute | Ignored (end of life) |
python-aiohttp | trusty | Does not exist |
python-aiohttp | upstream | Released (3.7.4-1) |
python-aiohttp | xenial | Not vulnerable (code not present) |
python-aiohttp | kinetic | Not vulnerable (3.7.4-1) |
python-aiohttp | bionic | Released (3.0.1-1ubuntu0.1~esm1), available with Ubuntu Pro |
python-aiohttp | focal | Released (3.6.2-1ubuntu1+esm1), available with Ubuntu Pro |
python-aiohttp | mantic | Not vulnerable (3.7.4-1) |

Patches: upstream: https://github.com/aio-libs/aiohttp/commit/2545222a3853e31ace15d87ae0e2effb7da0c96b
Severity score breakdown
Parameter | Value |
---|---|
Base score | 6.1 |
Attack vector | Network |
Attack complexity | Low |
Privileges required | None |
User interaction | Required |
Scope | Changed |
Confidentiality | Low |
Integrity impact | Low |
Availability impact | None |
Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21330
- https://github.com/aio-libs/aiohttp/issues/5497
- https://github.com/aio-libs/aiohttp/security/advisories/GHSA-v6wp-4m6f-gcjg
- https://github.com/aio-libs/aiohttp/blob/master/CHANGES.rst#374-2021-02-25
- https://github.com/aio-libs/aiohttp/commit/2545222a3853e31ace15d87ae0e2effb7da0c96b
- https://pypi.org/project/aiohttp/
- https://ubuntu.com/security/notices/USN-5386-1