DirectorySecurity Advisories
Sign In
Security Advisories

CGA-hc89-w3pf-6cxj

Published

Last updated

https://images.chainguard.dev/security/CGA-hc89-w3pf-6cxj
Package

py3-aiohttp

Latest Update
Fixed
Fixed Version

3.10.11-r0

Aliases
  • CVE-2024-52304
  • GHSA-8495-4g3g-x7pr

Severity

Unknown

Summary

aiohttp allows request smuggling due to incorrect parsing of chunk extensions

Description

Summary

The Python parser parses newlines in chunk extensions incorrectly which can lead to request smuggling vulnerabilities under certain conditions.

Impact

If a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or AIOHTTP_NO_EXTENSIONS is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections.


Patch: https://github.com/aio-libs/aiohttp/commit/259edc369075de63e6f3a4eaade058c62af0df71

References

Updates


Safe Source for Open Sourceâ„¢
Media KitContact Us
© 2024 Chainguard. All Rights Reserved.
Private PolicyTerms of Use

Product

Chainguard Images