Vulnerable Library - aiohttp-3.10.2-cp310-cp310-macosx_10_9_universal2.whl
Async http client/server framework (asyncio)
Library home page: https://files.pythonhosted.org/packages/7b/b2/2790e4029f228c833a422741319fd512f82543a43d69791e1a4e7c6d367f/aiohttp-3.10.2-cp310-cp310-macosx_10_9_universal2.whl
Found in HEAD commit: e82b2499b5aef71ab8d4d1a1c478083f8ec37b7b
Vulnerabilities
| CVE |
Severity |
CVSS |
Dependency |
Type |
Fixed in (aiohttp version) |
Remediation Possible** |
| CVE-2024-52304 |
Low |
0.0 |
aiohttp-3.10.2-cp310-cp310-macosx_10_9_universal2.whl |
Direct |
3.10.11 |
❌ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2024-52304
Vulnerable Library - aiohttp-3.10.2-cp310-cp310-macosx_10_9_universal2.whl
Async http client/server framework (asyncio)
Library home page: https://files.pythonhosted.org/packages/7b/b2/2790e4029f228c833a422741319fd512f82543a43d69791e1a4e7c6d367f/aiohttp-3.10.2-cp310-cp310-macosx_10_9_universal2.whl
Dependency Hierarchy:
- ❌ aiohttp-3.10.2-cp310-cp310-macosx_10_9_universal2.whl (Vulnerable Library)
Found in HEAD commit: e82b2499b5aef71ab8d4d1a1c478083f8ec37b7b
Found in base branch: master
Vulnerability Details
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.10.11, the Python parser parses newlines in chunk extensions incorrectly which can lead to request smuggling vulnerabilities under certain conditions. If a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or "AIOHTTP_NO_EXTENSIONS" is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections. Version 3.10.11 fixes the issue.
Publish Date: 2024-11-18
URL: CVE-2024-52304
CVSS 3 Score Details (0.0)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-8495-4g3g-x7pr
Release Date: 2024-11-18
Fix Resolution: 3.10.11
Step up your Open Source Security Game with Mend here
Async http client/server framework (asyncio)
Library home page: https://files.pythonhosted.org/packages/7b/b2/2790e4029f228c833a422741319fd512f82543a43d69791e1a4e7c6d367f/aiohttp-3.10.2-cp310-cp310-macosx_10_9_universal2.whl
Found in HEAD commit: e82b2499b5aef71ab8d4d1a1c478083f8ec37b7b
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - aiohttp-3.10.2-cp310-cp310-macosx_10_9_universal2.whl
Async http client/server framework (asyncio)
Library home page: https://files.pythonhosted.org/packages/7b/b2/2790e4029f228c833a422741319fd512f82543a43d69791e1a4e7c6d367f/aiohttp-3.10.2-cp310-cp310-macosx_10_9_universal2.whl
Dependency Hierarchy:
Found in HEAD commit: e82b2499b5aef71ab8d4d1a1c478083f8ec37b7b
Found in base branch: master
Vulnerability Details
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.10.11, the Python parser parses newlines in chunk extensions incorrectly which can lead to request smuggling vulnerabilities under certain conditions. If a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or "AIOHTTP_NO_EXTENSIONS" is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections. Version 3.10.11 fixes the issue.
Publish Date: 2024-11-18
URL: CVE-2024-52304
CVSS 3 Score Details (0.0)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-8495-4g3g-x7pr
Release Date: 2024-11-18
Fix Resolution: 3.10.11
Step up your Open Source Security Game with Mend here