rpm package: opensuse/python-aiohttp (distro: openSUSE Leap 15.5)
purl: pkg:rpm/opensuse/python-aiohttp?distro=openSUSE%20Leap%2015.5
Vulnerabilities (12)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-52304 | — | — | — | < 3.9.3-150400.10.27.1 | 3.9.3-150400.10.27.1 | Nov 18, 2024 | aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.10.11, the Python parser parses newlines in chunk extensions incorrectly which can lead to request smuggling vulnerabilities under certain conditions. If a pure Python version of ai… |
| CVE-2024-42367 | — | — | — | < 3.9.3-150400.10.24.1 | 3.9.3-150400.10.24.1 | Aug 9, 2024 | aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In versions on the 3.10 branch prior to version 3.10.2, static routes which contain files with compressed variants (`.gz` or `.br` extension) are vulnerable to path traversal outside the root director… |
| CVE-2024-30251 | — | — | — | < 3.9.3-150400.10.30.1 | 3.9.3-150400.10.30.1 | May 2, 2024 | aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In affected versions an attacker can send a specially crafted POST (multipart/form-data) request. When the aiohttp server processes it, the server will enter an infinite loop and be unable to process… |
| CVE-2024-27306 | — | — | — | < 3.9.3-150400.10.21.1 | 3.9.3-150400.10.21.1 | Apr 18, 2024 | aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. An XSS vulnerability exists on index pages for static file handling. This vulnerability is fixed in 3.9.4. We have always recommended using a reverse proxy server (e.g. nginx) for serving static files.… |
| CVE-2024-23334 | — | — | — | < 3.9.3-150400.10.14.1 | 3.9.3-150400.10.14.1 | Jan 29, 2024 | aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. When using aiohttp as a web server and configuring static routes, it is necessary to specify the root path for static files. Additionally, the option 'follow_symlinks' can be used to determine whether… |
| CVE-2024-23829 | — | — | — | < 3.9.3-150400.10.14.1 | 3.9.3-150400.10.14.1 | Jan 29, 2024 | aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Security-sensitive parts of the Python HTTP parser retained minor differences in allowable character sets, that must trigger error handling to robustly match frame boundaries of proxies in order to pr… |
| CVE-2023-49081 | — | — | — | < 3.8.5-150400.10.8.1 | 3.8.5-150400.10.8.1 | Nov 30, 2023 | aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Improper validation made it possible for an attacker to modify the HTTP request (e.g. to insert a new header) or create a new HTTP request if the attacker controls the HTTP version. The vulnerability… |
| CVE-2023-49082 | — | — | — | < 3.8.6-150400.10.11.1 | 3.8.6-150400.10.11.1 | Nov 29, 2023 | aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Improper validation makes it possible for an attacker to modify the HTTP request (e.g. insert a new header) or even create a new HTTP request if the attacker controls the HTTP method. The vulnerabilit… |
| CVE-2023-47627 | — | — | — | < 3.9.3-150400.10.14.1 | 3.9.3-150400.10.14.1 | Nov 14, 2023 | aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. The HTTP parser in AIOHTTP has numerous problems with header parsing, which could lead to request smuggling. This parser is only used when AIOHTTP_NO_EXTENSIONS is enabled (or not using a prebuilt whe… |
| CVE-2023-47641 | — | — | — | < 3.6.0-150100.3.12.1 | 3.6.0-150100.3.12.1 | Nov 14, 2023 | aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Affected versions of aiohttp have a security vulnerability regarding the inconsistent interpretation of the http protocol. HTTP/1.1 is a persistent protocol, if both Content-Length(CL) and Transfer-En… |
| CVE-2023-28859 | — | — | — | < 3.9.3-150400.10.18.4 | 3.9.3-150400.10.18.4 | Mar 26, 2023 | redis-py before 4.4.4 and 4.5.x before 4.5.4 leaves a connection open after canceling an async Redis command at an inopportune time, and can send response data to the client of an unrelated request. (This could, for example, happen for a non-pipeline operation.) NOTE: the solutio… |
| CVE-2023-28858 | — | — | — | < 3.9.3-150400.10.18.4 | 3.9.3-150400.10.18.4 | Mar 26, 2023 | redis-py before 4.5.3 leaves a connection open after canceling an async Redis command at an inopportune time, and can send response data to the client of an unrelated request in an off-by-one manner. NOTE: this CVE Record was initially created in response to reports about ChatGPT… |

Severity, CVSS and KEV are not populated for any row; descriptions are cut off at the length the listing shows. The descriptions of CVE-2023-28859 and CVE-2023-28858 refer to redis-py, not to aiohttp code, so confirm against the openSUSE update that shipped 3.9.3-150400.10.18.4 before counting them as aiohttp findings.
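The practical question this table answers is whether an installed package is at or past each "Fixed in" version, and rpm's version ordering is not plain string or tuple comparison (`10.9.1` is older than `10.14.1`, `~` sorts before the empty string). The script below is an added example, not code from the aiohttp project, openSUSE or the site that produced this listing: it re-implements rpm's `rpmvercmp` ordering in pure Python so it runs without the rpm bindings, carries the "Fixed in" column as `FIXED_IN`, and reports which CVEs are not yet fixed for a given installed EVR. The names `FIXED_IN`, `rpmvercmp`, `parse_evr`, `evr_cmp` and `unfixed_cves` are this example's own; the default EVR in `__main__` is a constructed sample.

```python
"""Offline check of an installed python-aiohttp rpm against the 'Fixed in'
column above.  Added example, not code from aiohttp, openSUSE or this site;
rpm's rpmvercmp ordering is re-implemented so no rpm bindings are needed."""
import sys

# (CVE, fixed-in EVR) pairs copied from the table on this page.
FIXED_IN = [
    ("CVE-2024-52304", "3.9.3-150400.10.27.1"),
    ("CVE-2024-42367", "3.9.3-150400.10.24.1"),
    ("CVE-2024-30251", "3.9.3-150400.10.30.1"),
    ("CVE-2024-27306", "3.9.3-150400.10.21.1"),
    ("CVE-2024-23334", "3.9.3-150400.10.14.1"),
    ("CVE-2024-23829", "3.9.3-150400.10.14.1"),
    ("CVE-2023-49081", "3.8.5-150400.10.8.1"),
    ("CVE-2023-49082", "3.8.6-150400.10.11.1"),
    ("CVE-2023-47627", "3.9.3-150400.10.14.1"),
    ("CVE-2023-47641", "3.6.0-150100.3.12.1"),
    ("CVE-2023-28859", "3.9.3-150400.10.18.4"),
    ("CVE-2023-28858", "3.9.3-150400.10.18.4"),
]


def rpmvercmp(a: str, b: str) -> int:
    """Compare two version/release strings like rpm does; returns -1, 0 or 1.
    Separators are skipped, numeric segments compare numerically, alphabetic
    ones as strings, numeric beats alphabetic, '~' sorts before anything
    (1.0~rc1 < 1.0) and '^' sorts after end-of-string (1.0^1 > 1.0)."""
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and not (a[i].isalnum() or a[i] in "~^"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] in "~^"):
            j += 1
        ta, tb = i < len(a) and a[i] == "~", j < len(b) and b[j] == "~"
        if ta or tb:                    # tilde: older than everything, even EOS
            if not ta:
                return 1
            if not tb:
                return -1
            i, j = i + 1, j + 1
            continue
        ca, cb = i < len(a) and a[i] == "^", j < len(b) and b[j] == "^"
        if ca or cb:                    # caret: newer than EOS, older than rest
            if i >= len(a):
                return -1
            if j >= len(b):
                return 1
            if not ca:
                return 1
            if not cb:
                return -1
            i, j = i + 1, j + 1
            continue
        if i >= len(a) or j >= len(b):
            break
        isnum = a[i].isdigit()          # segment type is decided by `a`
        kind = str.isdigit if isnum else str.isalpha
        sa_start, sb_start = i, j
        while i < len(a) and kind(a[i]):
            i += 1
        while j < len(b) and kind(b[j]):
            j += 1
        sa, sb = a[sa_start:i], b[sb_start:j]
        if not sb:                      # mixed types: numeric segment is newer
            return 1 if isnum else -1
        if isnum:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1     # whoever has characters left wins


def parse_evr(evr: str):
    """Split '[epoch:]version-release' into (epoch, version, release).
    Accepts the '(none)' epoch that rpm prints for
    rpm -q --qf '%{EPOCH}:%{VERSION}-%{RELEASE}' python-aiohttp"""
    epoch = 0
    if ":" in evr:
        e, evr = evr.split(":", 1)
        if e not in ("", "(none)"):
            epoch = int(e)
    version, _, release = evr.partition("-")
    return epoch, version, release


def evr_cmp(a: str, b: str) -> int:
    """Full rpm EVR ordering: epoch first, then version, then release."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def unfixed_cves(installed: str, table=FIXED_IN):
    """CVEs from the table whose fixed-in EVR is newer than what is installed."""
    return [cve for cve, fixed in table if evr_cmp(installed, fixed) < 0]


if __name__ == "__main__":
    # Constructed sample EVR; pass the real one from rpm -q as argv[1].
    installed = sys.argv[1] if len(sys.argv) > 1 else "3.9.3-150400.10.24.1"
    for cve in unfixed_cves(installed):
        print(f"{installed}: {cve} not fixed")
```

Feed it the EVR from `rpm -q --qf '%{EPOCH}:%{VERSION}-%{RELEASE}' python-aiohttp`. The comparison only tells you whether the packaged fix is present; it says nothing about whether the vulnerable code path (the pure-Python parser, static routes, `follow_symlinks`) is actually exercised by your deployment.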