aioHTTP < 3.10.11 Request Smuggling

info Nessus Plugin ID 211645

Synopsis

A Python library installed on the remote host is affected by a request smuggling vulnerability.

Description

The version of aioHTTP installed on the remote host is prior to 3.10.11. It is, therefore, affected by a request smuggling vulnerability. aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.10.11, the Python parser parses newlines in chunk extensions incorrectly which can lead to request smuggling vulnerabilities under certain conditions. If a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or `AIOHTTP_NO_EXTENSIONS` is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections. Version 3.10.11 fixes the issue.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Upgrade to aioHTTP version 3.10.11 or later.

See Also

http://www.nessus.org/u?344bc4e9

Plugin Details

Severity: Info

ID: 211645

File Name: aiohttp_CVE-2024-52304.nasl

Version: 1.3

Type: local

Agent: unix

Family: Misc.

Published: 11/20/2024

Updated: 11/22/2024

Configuration: Enable thorough checks

Supported Sensors: Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.6

CVSS v2

Risk Factor: Info

Base Score: 0

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:N

CVSS Score Source: CVE-2024-52304

CVSS v3

Risk Factor: Info

Base Score: 0

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N

Vulnerability Information

CPE: cpe:/a:python:aiohttp

Required KB Items: Host/nix/packages, Host/nix/Python/Packages/Enumerated

Exploit Ease: No known exploits are available

Patch Publication Date: 11/18/2024

Vulnerability Publication Date: 11/18/2024

Reference Information

CVE: CVE-2024-52304

IAVB: 2024-B-0180