Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

aiohttp-3.5.3-cp37-cp37m-manylinux1_x86_64.whl: 1 vulnerabilities (highest severity is: 3.1) reachable #1

Open
dev-mend-for-github-com bot opened this issue Oct 27, 2024 · 0 comments
Open

aiohttp-3.5.3-cp37-cp37m-manylinux1_x86_64.whl: 1 vulnerabilities (highest severity is: 3.1) reachable #1

dev-mend-for-github-com bot opened this issue Oct 27, 2024 · 0 comments
Labels
Mend: dependency security vulnerability Security vulnerability detected by Mend

Comments

@dev-mend-for-github-com
Copy link

dev-mend-for-github-com bot commented Oct 27, 2024
edited
Loading

Vulnerable Library - aiohttp-3.5.3-cp37-cp37m-manylinux1_x86_64.whl

Async http client/server framework (asyncio)

Library home page: https://files.pythonhosted.org/packages/4e/40/bfd114bce3db2f2a8788672dd88f52a801f4499634758729a76fceb585c0/aiohttp-3.5.3-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /tmp/ws-ua_20241205192444_NEOWPL/python_IHKSVC/202412051924441/env/lib/python3.7/site-packages/aiohttp-3.5.3.dist-info

Found in HEAD commit: 5e380d5913a9bd669480cbd6f5a5b0a48e8c14c5

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (aiohttp version) Remediation Possible** Reachability
CVE-2021-21330 Low 3.1 aiohttp-3.5.3-cp37-cp37m-manylinux1_x86_64.whl Direct 3.7.4

Reachable

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2021-21330

Vulnerable Library - aiohttp-3.5.3-cp37-cp37m-manylinux1_x86_64.whl

Async http client/server framework (asyncio)

Library home page: https://files.pythonhosted.org/packages/4e/40/bfd114bce3db2f2a8788672dd88f52a801f4499634758729a76fceb585c0/aiohttp-3.5.3-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /tmp/ws-ua_20241205192444_NEOWPL/python_IHKSVC/202412051924441/env/lib/python3.7/site-packages/aiohttp-3.5.3.dist-info

Dependency Hierarchy:

  • aiohttp-3.5.3-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 5e380d5913a9bd669480cbd6f5a5b0a48e8c14c5

Found in base branch: master

Reachability Analysis

This vulnerability is potentially reachable

dvpwa/sqli/middlewares.py (Application)
  -> aiohttp-3.5.3/aiohttp/__init__.py (Extension)
   -> aiohttp-3.5.3/aiohttp/http.py (Extension)
    -> ❌ aiohttp-3.5.3/aiohttp/http_websocket.py (Vulnerable Component)

Vulnerability Details

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In aiohttp before version 3.7.4 there is an open redirect vulnerability. A maliciously crafted link to an aiohttp-based web-server could redirect the browser to a different website. It is caused by a bug in the aiohttp.web_middlewares.normalize_path_middleware middleware. This security problem has been fixed in 3.7.4. Upgrade your dependency using pip as follows "pip install aiohttp >= 3.7.4". If upgrading is not an option for you, a workaround can be to avoid using aiohttp.web_middlewares.normalize_path_middleware in your applications.

Publish Date: 2021-02-26

URL: CVE-2021-21330

CVSS 3 Score Details (3.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-v6wp-4m6f-gcjg

Release Date: 2021-02-26

Fix Resolution: 3.7.4

In order to enable automatic remediation, please create workflow rules

In order to enable automatic remediation for this issue, please create workflow rules
@dev-mend-for-github-com dev-mend-for-github-com bot added the Mend: dependency security vulnerability Security vulnerability detected by Mend label Oct 27, 2024
@dev-mend-for-github-com dev-mend-for-github-com bot changed the title aiohttp-3.5.3-cp37-cp37m-manylinux1_x86_64.whl: 1 vulnerabilities (highest severity is: 3.1) aiohttp-3.5.3-cp37-cp37m-manylinux1_x86_64.whl: 1 vulnerabilities (highest severity is: 3.1) unreachable Oct 27, 2024
@dev-mend-for-github-com dev-mend-for-github-com bot changed the title aiohttp-3.5.3-cp37-cp37m-manylinux1_x86_64.whl: 1 vulnerabilities (highest severity is: 3.1) unreachable aiohttp-3.5.3-cp37-cp37m-manylinux1_x86_64.whl: 1 vulnerabilities (highest severity is: 3.1) reachable Oct 30, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Mend: dependency security vulnerability Security vulnerability detected by Mend
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
0 participants