Vulnerable Library - aiohttp-3.5.3-cp37-cp37m-manylinux1_x86_64.whl
Async http client/server framework (asyncio)
Library home page: https://files.pythonhosted.org/packages/4e/40/bfd114bce3db2f2a8788672dd88f52a801f4499634758729a76fceb585c0/aiohttp-3.5.3-cp37-cp37m-manylinux1_x86_64.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Found in HEAD commit: 4e9b73402ae50afb3e06e2b6415b13c2f6491f8b
Vulnerabilities
| CVE |
Severity |
 CVSS |
Dependency |
Type |
Fixed in (aiohttp version) |
Remediation Possible** |
| CVE-2021-21330 |
 Low |
3.1 |
aiohttp-3.5.3-cp37-cp37m-manylinux1_x86_64.whl |
Direct |
3.7.4 |
✅ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2021-21330
Vulnerable Library - aiohttp-3.5.3-cp37-cp37m-manylinux1_x86_64.whl
Async http client/server framework (asyncio)
Library home page: https://files.pythonhosted.org/packages/4e/40/bfd114bce3db2f2a8788672dd88f52a801f4499634758729a76fceb585c0/aiohttp-3.5.3-cp37-cp37m-manylinux1_x86_64.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
- ❌ aiohttp-3.5.3-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)
Found in HEAD commit: 4e9b73402ae50afb3e06e2b6415b13c2f6491f8b
Found in base branch: master
Vulnerability Details
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In aiohttp before version 3.7.4 there is an open redirect vulnerability. A maliciously crafted link to an aiohttp-based web-server could redirect the browser to a different website. It is caused by a bug in the aiohttp.web_middlewares.normalize_path_middleware middleware. This security problem has been fixed in 3.7.4. Upgrade your dependency using pip as follows "pip install aiohttp >= 3.7.4". If upgrading is not an option for you, a workaround can be to avoid using aiohttp.web_middlewares.normalize_path_middleware in your applications.
Publish Date: 2021-02-26
URL: CVE-2021-21330
CVSS 3 Score Details (3.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-v6wp-4m6f-gcjg
Release Date: 2021-02-26
Fix Resolution: 3.7.4
⛑️ Automatic Remediation will be attempted for this issue.
⛑️Automatic Remediation will be attempted for this issue.
Async http client/server framework (asyncio)
Library home page: https://files.pythonhosted.org/packages/4e/40/bfd114bce3db2f2a8788672dd88f52a801f4499634758729a76fceb585c0/aiohttp-3.5.3-cp37-cp37m-manylinux1_x86_64.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Found in HEAD commit: 4e9b73402ae50afb3e06e2b6415b13c2f6491f8b
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - aiohttp-3.5.3-cp37-cp37m-manylinux1_x86_64.whl
Async http client/server framework (asyncio)
Library home page: https://files.pythonhosted.org/packages/4e/40/bfd114bce3db2f2a8788672dd88f52a801f4499634758729a76fceb585c0/aiohttp-3.5.3-cp37-cp37m-manylinux1_x86_64.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
Found in HEAD commit: 4e9b73402ae50afb3e06e2b6415b13c2f6491f8b
Found in base branch: master
Vulnerability Details
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In aiohttp before version 3.7.4 there is an open redirect vulnerability. A maliciously crafted link to an aiohttp-based web-server could redirect the browser to a different website. It is caused by a bug in the
aiohttp.web_middlewares.normalize_path_middlewaremiddleware. This security problem has been fixed in 3.7.4. Upgrade your dependency using pip as follows "pip install aiohttp >= 3.7.4". If upgrading is not an option for you, a workaround can be to avoid usingaiohttp.web_middlewares.normalize_path_middlewarein your applications.Publish Date: 2021-02-26
URL: CVE-2021-21330
CVSS 3 Score Details (3.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-v6wp-4m6f-gcjg
Release Date: 2021-02-26
Fix Resolution: 3.7.4
⛑️ Automatic Remediation will be attempted for this issue.
⛑️Automatic Remediation will be attempted for this issue.