CVE-2024-52304 (Low) detected in aiohttp-3.10.10-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl - autoclosed #2450
Labels
Mend: dependency security vulnerability
Security vulnerability detected by WhiteSource
Comments
mend-for-github-com
bot
added
the
Mend: dependency security vulnerability
|
✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory. |
mend-for-github-com
bot
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
CVE-2024-52304 - Low Severity Vulnerability
Async http client/server framework (asyncio)
Library home page: https://files.pythonhosted.org/packages/3d/3d/734375ec31e3e238c67dae358991db6e3177207e07d09be90036974e46f9/aiohttp-3.10.10-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
Path to dependency file: /mac-requirements.txt
Path to vulnerable library: /tmp/ws-ua_20241107131315_RNGEVD/python_MHHUVM/202411071314551/env/lib/python3.8/site-packages/aiohttp-3.10.10.dist-info,/tmp/ws-ua_20241107131315_RNGEVD/python_MHHUVM/202411071314551/env/lib/python3.8/site-packages/aiohttp-3.10.10.dist-info,/tmp/ws-ua_20241107131315_RNGEVD/python_MHHUVM/202411071314551/env/lib/python3.8/site-packages/aiohttp-3.10.10.dist-info,/tmp/ws-ua_20241107131315_RNGEVD/python_MHHUVM/202411071314551/env/lib/python3.8/site-packages/aiohttp-3.10.10.dist-info,/tmp/ws-ua_20241107131315_RNGEVD/python_MHHUVM/202411071314551/env/lib/python3.8/site-packages/aiohttp-3.10.10.dist-info
Dependency Hierarchy:
Found in HEAD commit: 17aabd6cda404f8a0f1f33c694e32291b3cfc316
Found in base branch: master
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.10.11, the Python parser parses newlines in chunk extensions incorrectly which can lead to request smuggling vulnerabilities under certain conditions. If a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or "AIOHTTP_NO_EXTENSIONS" is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections. Version 3.10.11 fixes the issue.
Publish Date: 2024-11-18
URL: CVE-2024-52304
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Type: Upgrade version
Origin: GHSA-8495-4g3g-x7pr
Release Date: 2024-11-18
Fix Resolution: 3.10.11
The text was updated successfully, but these errors were encountered: