aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In aiohttp before version 3.7.4 there is an open redirect vulnerability. A maliciously crafted link to an aiohttp-based web-server could redirect the browser to a different website. It is caused by a bug in the `aiohttp.web_middlewares.normalize_path_middleware` middleware. This security problem has been fixed in 3.7.4. Upgrade your dependency using pip as follows "pip install aiohttp >= 3.7.4". If upgrading is not an option for you, a workaround can be to avoid using `aiohttp.web_middlewares.normalize_path_middleware` in your applications.

The remote Ubuntu 18.04 ESM / 20.04 ESM host has a package installed that is affected by a vulnerability as referenced in the USN-5386-1 advisory.

    Jelmer Vernooij and Beast Glatisant discovered that AIOHTTP incorrectly handled certain URLs, leading to     an open redirect attack. A remote attacker could possibly use this issue to perform phishing attacks.

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote host is affected by the vulnerability described in GLSA-202208-19 (aiohttp: Open redirect vulnerability)

  - aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In aiohttp before version     3.7.4 there is an open redirect vulnerability. A maliciously crafted link to an aiohttp-based web-server     could redirect the browser to a different website. It is caused by a bug in the     `aiohttp.web_middlewares.normalize_path_middleware` middleware. This security problem has been fixed in     3.7.4. Upgrade your dependency using pip as follows pip install aiohttp >= 3.7.4. If upgrading is not an     option for you, a workaround can be to avoid using `aiohttp.web_middlewares.normalize_path_middleware` in     your applications. (CVE-2021-21330)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

According to its self-reported version, the AIOHTTP server hosted on the remote host is prior to version 3.7.4. It is, therefore, affected by a open redirect vulnerability. A maliciously crafted link to an aiohttp-based web-server could redirect the clients browser to a different website.

Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:4702 advisory.

    Red Hat Satellite is a systems management tool for Linux-based     infrastructure. It allows for provisioning, remote management, and     monitoring of multiple Linux deployments with a single centralized tool.

    Security Fix(es):
    * python-ecdsa: Unexpected and undocumented exceptions during signature decoding (CVE-2019-14853)
    * python-ecdsa: DER encoding is not being verified in signatures (CVE-2019-14859)
    * rubygem-activerecord-session_store: hijack sessions by using timing attacks targeting the session id     (CVE-2019-25025)
    * rake: OS Command Injection via egrep in Rake::FileList (CVE-2020-8130)
    * candlepin: guava - local information disclosure via temporary directory created with unsafe permissions     (CVE-2020-8908)
    * PyYAML: incomplete fix for CVE-2020-1747 (CVE-2020-14343)
    * tfm-rubygem-nokogiri: XML external entity injection via Nokogiri::XML::Schema (CVE-2020-26247)
    * tfm-rubygem-foreman_azure_rm: Azure compute resource secret_key leak to authenticated users     (CVE-2021-3413)
    * foreman: possible man-in-the-middle in smart_proxy realm_freeipa (CVE-2021-3494)
    * foreman: BMC controller credential leak via API (CVE-2021-20256)
    * python-aiohttp: Open redirect in aiohttp.web_middlewares.normalize_path_middleware (CVE-2021-21330)
    * rubygem-actionpack: Possible Information Disclosure / Unintended Method Execution in Action Pack     (CVE-2021-22885)
    * tfm-rubygem-actionpack: rails: Possible Denial of Service vulnerability in Action Dispatch     (CVE-2021-22902)
    * tfm-rubygem-actionpack: Possible DoS Vulnerability in Action Controller Token Authentication     (CVE-2021-22904)
    * python-django: potential directory-traversal via uploaded files (CVE-2021-28658)
    * tfm-rubygem-puma: incomplete fix for CVE-2019-16770 allows Denial of Service (DoS) (CVE-2021-29509)
    * python-django: Potential directory-traversal via uploaded files (CVE-2021-31542)
    * tfm-rubygem-addressable: ReDoS in templates (CVE-2021-32740)
    * python-django: Potential directory traversal via ``admindocs`` (CVE-2021-33203)
    * python-urllib3: ReDoS in the parsing of authority part of URL (CVE-2021-33503)
    * python-django: Possible indeterminate SSRF, RFI, and LFI attacks since validators accepted leading zeros     in IPv4 addresses (CVE-2021-33571)

    For more details about the security issue(s), including the impact, a CVSS     score, acknowledgments, and other related information, refer to the CVE     page(s) listed in the References section.

    Additional Changes:

    * Updated Content Management backend with Pulp 3 for increased performance, scale and reliability. MongoDB     is also removed from Satellite
    * Adds support for Azure GovCloud
    * Provides Satellite 6.10 Server support for Satellite 6.9 Capsules
    * Improves support for Satellite Air Gapped and Disconnected environments
    * Adds Ansible Collections content type to support disconnected environments
    * Foreman_webhooks introduced to replace foreman_hooks
    * Introduces UI to manage Personal Access Tokens
    * Adds ability to configure Pulp repository synchronization timeouts
    * Support for Convert2RHEL
    * Provides advanced options when registering a host
    * Supports remediation playbook signatures from console.redhat.com
    * Red Hat Insights Plugin replaced through new integration within Satellite
    * Ability to visually represent systems registered and in sync with Insights
    * Ability to verify if required packages are installed as part of pre-upgrade check
    * Ability to unset environment variables when installer is running
    * Ability to turn backups on and off when cleaning up tasks from database

    The items above are not a complete list of changes. This update also fixes     several bugs and adds various enhancements. Documentation for these changes     is available from the Release Notes document linked to in the References     section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Sviatoslav Sydorenko reports :

Open redirect vulnerability -- a maliciously crafted link to an aiohttp-based web-server could redirect the browser to a different website.

It is caused by a bug in the aiohttp.web_middlewares.normalize_path_middleware middleware.

The remote Fedora 33 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2021-673b10ed77 advisory.

  - aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In aiohttp before version     3.7.4 there is an open redirect vulnerability. A maliciously crafted link to an aiohttp-based web-server     could redirect the browser to a different website. It is caused by a bug in the     `aiohttp.web_middlewares.normalize_path_middleware` middleware. This security problem has been fixed in     3.7.4. Upgrade your dependency using pip as follows pip install aiohttp >= 3.7.4. If upgrading is not an     option for you, a workaround can be to avoid using `aiohttp.web_middlewares.normalize_path_middleware` in     your applications. (CVE-2021-21330)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Beast Glatisant and Jelmer Vernooij reported that python-aiohttp, a async HTTP client/server framework, is prone to an open redirect vulnerability. A maliciously crafted link to an aiohttp-based web-server could redirect the browser to a different website.

ID	Name	Product	Family	Severity
183140	Ubuntu 18.04 ESM / 20.04 ESM : AIOHTTP vulnerability (USN-5386-1)	Nessus	Ubuntu Local Security Checks	medium
164052	GLSA-202208-19 : aiohttp: Open redirect vulnerability	Nessus	Gentoo Local Security Checks	medium
113196	AIOHTTP < 3.7.4 Open Redirect Vulnerability	Web App Scanning	Component Vulnerability	medium
155377	RHEL 7 : Satellite 6.10 Release (Moderate) (RHSA-2021:4702)	Nessus	Red Hat Local Security Checks	critical
150260	FreeBSD : aiohttp -- open redirect vulnerability (3000acee-c45d-11eb-904f-14dae9d5a9d2)	Nessus	FreeBSD Local Security Checks	medium
147188	Fedora 33 : python-aiohttp (2021-673b10ed77)	Nessus	Fedora Local Security Checks	medium
146895	Debian DSA-4864-1 : python-aiohttp - security update	Nessus	Debian Local Security Checks	medium

Detections

Analytics

CVE-2021-21330

medium

Tenable Plugins

medium

medium

medium

critical

medium

medium

medium