aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Improper validation makes it possible for an attacker to modify the HTTP request (e.g. insert a new header) or even create a new HTTP request if the attacker controls the HTTP method. The vulnerability occurs only if the attacker can control the HTTP method (GET, POST etc.) of the request. If the attacker can control the HTTP version of the request it will be able to modify the request (request smuggling). This issue has been patched in version 3.9.0.

The remote host is affected by the vulnerability described in GLSA-202408-11 (aiohttp: Multiple Vulnerabilities)

    Multiple vulnerabilities have been discovered in aiohttp. Please review the CVE identifiers referenced     below for details.

Tenable has extracted the preceding description block directly from the Gentoo Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2024:2010 advisory.

    For more details about the security issue(s), including the impact, a CVSS     score, acknowledgments, and other related information, refer to the CVE page(s)     listed in the References section.

    Security fixes:
    * python-pygments: ReDoS in pygments (CVE-2022-40896)
    * python-pycryptodomex: Side-channel leakage for OAEP decryption in PyCryptodome and pycryptodomex     (CVE-2023-52323)
    * satellite: Arithmetic overflow in satellite (CVE-2023-4320)
    * automation-hub: Ansible Automation Hub: insecure galaxy-importer tarfile extraction (CVE-2023-5189)
    * jetty: Improper addition of quotation marks to user inputs in CgiServlet (CVE-2023-36479)
    * python-aiohttp: HTTP request smuggling via llhttp HTTP request parser (CVE-2023-37276)
    * rubygem-activesupport: File Disclosure of Locally Encrypted Files (CVE-2023-38037)
    * jetty: Improper validation of HTTP/1 content-length (CVE-2023-40167)
    * python-django: Potential denial of service vulnerability in `django.utils.encoding.uri_to_iri()`     (CVE-2023-41164)
    * python-django: Denial-of-service possibility in django.utils.text.Truncator (CVE-2023-43665)
    * python-aiohttp: Numerous issues in HTTP parser with header parsing (CVE-2023-47627)
    * python-aiohttp: HTTP request modification (CVE-2023-49081)
    * python-aiohttp: CRLF injection if user controls the HTTP method using aiohttp client (CVE-2023-49082)
    * rubygem-puma: HTTP request smuggling when parsing chunked Transfer-Encoding Bodies (CVE-2024-21647)
    * rubygem-audited: Race condition can lead to audit logs being incorrectly attributed to the wrong user     (CVE-2024-22047)
    * python-jinja2: HTML attribute injection when passing user input as keys to xmlattr filter     (CVE-2024-22195)
    * python-aiohttp: Follow_symlinks directory traversal vulnerability (CVE-2024-23334)
    * python-aiohttp: HTTP request smuggling (CVE-2024-23829)

    Additional Changes:
    This update also fixes several bugs and adds various enhancements.

    Documentation for these changes is available from the Release Notes document linked to in the References     section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Fedora 40 host has packages installed that are affected by multiple vulnerabilities as referenced in the FEDORA-2023-d5bd6b62e4 advisory.

    Security fix for CVE-2023-49081, CVE-2023-49082.

    Update `python-aiohttp` to 3.9.1.

    Patch `python-pysqeezebox` and `python-wled` so they do not have an implicit dependency on `python-async-     timeout` via `python-aiohttp`.

    https://github.com/aio-libs/aiohttp/releases/tag/v3.9.0

    https://github.com/aio-libs/aiohttp/releases/tag/v3.9.1

Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2024:1878 advisory.

    Red Hat Update Infrastructure (RHUI) offers a highly scalable, highly redundant     framework that enables you to manage repositories and content. It also enables     cloud providers to deliver content and updates to Red Hat Enterprise Linux     (RHEL) instances.

    Security Fix(es):

    * python-django: Potential regular expression denial of service vulnerability in     EmailValidator/URLValidator (CVE-2023-36053)

    * python-aiohttp: HTTP request smuggling via llhttp HTTP request parser (CVE-2023-37276)

    * python-django: Potential denial of service vulnerability in ``django.utils.encoding.uri_to_iri()``     (CVE-2023-41164)

    * python-django: Denial-of-service possibility in django.utils.text.Truncator (CVE-2023-43665)

    * python-aiohttp: numerous issues in HTTP parser with header parsing (CVE-2023-47627)

    * aiohttp: HTTP request modification (CVE-2023-49081)

    * python-cryptography: NULL-dereference when loading PKCS7 certificates (CVE-2023-49083)

    * jinja2: HTML attribute injection when passing user input as keys to xmlattr filter (CVE-2024-22195)

    * aiohttp: follow_symlinks directory traversal vulnerability (CVE-2024-23334)

    * python-ecdsa: vulnerable to the Minerva attack (CVE-2024-23342)

    * python-aiohttp: http request smuggling (CVE-2024-23829)

    * Django: denial-of-service in ``intcomma`` template filter (CVE-2024-24680)

    * python-django: Potential regular expression denial-of-service in django.utils.text.Truncator.words()     (CVE-2024-27351)

    * aiohttp: CRLF injection if user controls the HTTP method using aiohttp client (CVE-2023-49082)

    This RHUI update fixes the following bugs:

    * The rhui-installer failed on RHEL 8.10 Beta due to the use of distutils. This has been addressed by     updating to a newer version of ansible-collection-community-crypto which does not use the distutils.

    This RHUI update introduces the following enhancements:

    * A native Ansible module is now used to update the packages on the RHUA server when the RHUI installer is     run for the first time or rerun at any time. This update can be prevented by using the --ignore-newer-     rhel-packages flag on the rhui-installer command line.

    * PulpCore has been updated to version 3.39.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 / 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2024:1057 advisory.

    Red Hat Ansible Automation Platform provides an enterprise framework for building, deploying and managing     IT automation at scale. IT Managers can provide top-down guidelines on how automation is applied to     individual teams, while automation developers retain the freedom to write tasks that leverage existing     knowledge without the overhead. Ansible Automation Platform makes it possible for users across an     organization to share, vet, and manage automation content by means of a simple, powerful, and agentless     language.

    Security Fix(es):

    * automation-eda-controller / ansible-rulebook / ansible-automation-platform-installer: Insecure websocket     used when interacting with EDA server (CVE-2024-1657)

    * python3-django/python39-django: denial-of-service in 'intcomma' template filter (CVE-2024-24680)

    * python3-jinja2/python39-jinja2: HTML attribute injection when passing user input as keys to xmlattr     filter (CVE-2024-22195)

    * python3-aiohttp/python39-aiohttp: CRLF injection if user controls the HTTP method using aiohttp client     (CVE-2023-49082)

    * python3-aiohttp/python39-aiohttp: HTTP request modification (CVE-2023-49081)

    * python3-aiohttp/python39-aiohttp: numerous issues in HTTP parser with header parsing (CVE-2023-47627)

    * python3-pycryptodomex/python39-pycryptodomex: side-channel leakage for OAEP decryption in PyCryptodome     and pycryptodomex (CVE-2023-52323)

    * python3-pillow/python39-pillow: uncontrolled resource consumption when textlength in an ImageDraw     instance operates on a long text argument (CVE-2023-44271)

    * python3-pygments/python39-pygments: ReDoS in pygments (CVE-2022-40896)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

    Updates and fixes for automation controller:
    * automation-controller has been updated to 4.5.2
    * Enabled HashiCorp Vault LDAP and Userpass authentication (AAP-19842)

    Updates and fixes for automation hub:
    * automation-hub and python3-galaxy-ng/python39-galaxy-ng have been updated to 4.9.1
    * various dependencies have been updated

    Updates and fixes for Event-Driven Ansible:
    * automation-eda-controller has been updated to 1.0.5
    * various dependencies have been updated
    * Fixed a vulnerability that allowed command line injections in user and url fields for projects     (AAP-17778)
    * The communication between the activations and eda-server is now authenticated. Once EDA Controller is     upgraded, all the existing running activations must be restarted with upgraded Decision Environment images     (AAP-17619)
    * Removed 409 conflict error when enabling an activation (AAP-16305)
    * An activation status did not change to failed when an internal error occurred (AAP-16014)
    * Restarting the EDA server can cause activation states to become stale (AAP-13064)
    * RHEL 9.2 activations can not connect to the host (AAP-12929)
    * Added podman_containers_conf_logs_max_size variable to control max log size for podman installations     with a default value of 10 MiB (AAP-12295)

    Note: The 2.4-6 installer/setup should be used to update Event-Driven Ansible to 1.0.5

    Updates and fixes for installer and setup:
    * Added podman_containers_conf_logs_max_size variable for containers.conf to control max log size for     podman installations with a default value of 10 MiB (AAP-19775)
    * EDA debug flag of false will now correctly disable django debug mode (AAP-19577)
    * installer and setup have been updated to 2.4-6

    Additional changes:
    * ansible-builder has been updated to 3.0.1
    * ansible-runner has been updated to 2.3.5
    * ansible-dev-tools has been added

    For more details about the updates and fixes included in this release, refer to the Release Notes.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 / openSUSE 15 host has a package installed that is affected by a vulnerability as referenced in the SUSE-SU-2024:0168-1 advisory.

  - aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Improper validation makes     it possible for an attacker to modify the HTTP request (e.g. insert a new header) or even create a new     HTTP request if the attacker controls the HTTP method. The vulnerability occurs only if the attacker can     control the HTTP method (GET, POST etc.) of the request. If the attacker can control the HTTP version of     the request it will be able to modify the request (request smuggling). This issue has been patched in     version 3.9.0. (CVE-2023-49082)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Fedora 39 host has packages installed that are affected by multiple vulnerabilities as referenced in the FEDORA-2023-a04cc349e1 advisory.

    Security fix for CVE-2023-49081, CVE-2023-49082.

    Update `python-aiohttp` to 3.9.1.

    Patch `python-pysqeezebox` and `python-wled` so they do not have an implicit dependency on `python-async-     timeout` via `python-aiohttp`.

    https://github.com/aio-libs/aiohttp/releases/tag/v3.9.0

    https://github.com/aio-libs/aiohttp/releases/tag/v3.9.1

Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Fedora 38 host has packages installed that are affected by multiple vulnerabilities as referenced in the FEDORA-2023-1f06098c71 advisory.

    Security fix for CVE-2023-49081, CVE-2023-49082.

    Update `python-aiohttp` to 3.9.1.

    Patch `python-pysqeezebox` and `python-wled` so they do not have an implicit dependency on `python-async-     timeout` via `python-aiohttp`.

    https://github.com/aio-libs/aiohttp/releases/tag/v3.9.0

    https://github.com/aio-libs/aiohttp/releases/tag/v3.9.1

Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
205141	GLSA-202408-11 : aiohttp: Multiple Vulnerabilities	Nessus	Gentoo Local Security Checks	medium
199805	RHEL 8 : Satellite 6.15.0 (Important) (RHSA-2024:2010)	Nessus	Red Hat Local Security Checks	high
194520	Fedora 40 : python-aiohttp / python-pysqueezebox / python-wled (2023-d5bd6b62e4)	Nessus	Fedora Local Security Checks	medium
193467	RHEL 8 : RHUI 4.8 Release - Security Updates, Bug Fixes, and Enhancements (Moderate) (RHSA-2024:1878)	Nessus	Red Hat Local Security Checks	critical
191748	RHEL 8 / 9 : Red Hat Ansible Automation Platform 2.4 Product Security and Bug Fix Update (Important) (RHSA-2024:1057)	Nessus	Red Hat Local Security Checks	high
189249	SUSE SLED15 / SLES15 / openSUSE 15 Security Update : python-aiohttp (SUSE-SU-2024:0168-1)	Nessus	SuSE Local Security Checks	medium
187672	Fedora 39 : python-aiohttp / python-pysqueezebox / python-wled (2023-a04cc349e1)	Nessus	Fedora Local Security Checks	medium
187670	Fedora 38 : python-aiohttp / python-pysqueezebox / python-wled (2023-1f06098c71)	Nessus	Fedora Local Security Checks	medium

Detections

Analytics

CVE-2023-49082

medium

Tenable Plugins

medium

high

medium

critical

high

medium

medium

medium