Skip to content

aiohttp-3.5.3-cp37-cp37m-manylinux1_x86_64.whl: 1 vulnerabilities (highest severity is: 3.1) #5

New issue
New issue
Open
Open
aiohttp-3.5.3-cp37-cp37m-manylinux1_x86_64.whl: 1 vulnerabilities (highest severity is: 3.1)#5
Labels
Mend: dependency security vulnerabilitySecurity vulnerability detected by Mend
@dev-mend-for-github-com

Description

@dev-mend-for-github-com
dev-mend-for-github-com
bot
opened on Jun 19, 2024
Vulnerable Library - aiohttp-3.5.3-cp37-cp37m-manylinux1_x86_64.whl

Async http client/server framework (asyncio)

Library home page: https://files.pythonhosted.org/packages/4e/40/bfd114bce3db2f2a8788672dd88f52a801f4499634758729a76fceb585c0/aiohttp-3.5.3-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Found in HEAD commit: 4e9b73402ae50afb3e06e2b6415b13c2f6491f8b

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (aiohttp version) Remediation Possible**
CVE-2021-21330 Low 3.1 aiohttp-3.5.3-cp37-cp37m-manylinux1_x86_64.whl Direct 3.7.4

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2021-21330

Vulnerable Library - aiohttp-3.5.3-cp37-cp37m-manylinux1_x86_64.whl

Async http client/server framework (asyncio)

Library home page: https://files.pythonhosted.org/packages/4e/40/bfd114bce3db2f2a8788672dd88f52a801f4499634758729a76fceb585c0/aiohttp-3.5.3-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • aiohttp-3.5.3-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 4e9b73402ae50afb3e06e2b6415b13c2f6491f8b

Found in base branch: master

Vulnerability Details

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In aiohttp before version 3.7.4 there is an open redirect vulnerability. A maliciously crafted link to an aiohttp-based web-server could redirect the browser to a different website. It is caused by a bug in the aiohttp.web_middlewares.normalize_path_middleware middleware. This security problem has been fixed in 3.7.4. Upgrade your dependency using pip as follows "pip install aiohttp >= 3.7.4". If upgrading is not an option for you, a workaround can be to avoid using aiohttp.web_middlewares.normalize_path_middleware in your applications.

Publish Date: 2021-02-26

URL: CVE-2021-21330

CVSS 3 Score Details (3.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-v6wp-4m6f-gcjg

Release Date: 2021-02-26

Fix Resolution: 3.7.4

⛑️ Automatic Remediation will be attempted for this issue.

⛑️Automatic Remediation will be attempted for this issue.

Metadata

Metadata

Assignees

No one assigned

    Labels

    Mend: dependency security vulnerabilitySecurity vulnerability detected by Mend

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions