CVE-2024-52303 (High) detected in aiohttp-3.10.10-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl - autoclosed #2451
Labels
Mend: dependency security vulnerability
Security vulnerability detected by WhiteSource
CVE-2024-52303 - High Severity Vulnerability
Vulnerable Library - aiohttp-3.10.10-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
Async http client/server framework (asyncio)
Library home page: https://files.pythonhosted.org/packages/3d/3d/734375ec31e3e238c67dae358991db6e3177207e07d09be90036974e46f9/aiohttp-3.10.10-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
Path to dependency file: /mac-requirements.txt
Path to vulnerable library: /tmp/ws-ua_20241107131315_RNGEVD/python_MHHUVM/202411071314551/env/lib/python3.8/site-packages/aiohttp-3.10.10.dist-info,/tmp/ws-ua_20241107131315_RNGEVD/python_MHHUVM/202411071314551/env/lib/python3.8/site-packages/aiohttp-3.10.10.dist-info,/tmp/ws-ua_20241107131315_RNGEVD/python_MHHUVM/202411071314551/env/lib/python3.8/site-packages/aiohttp-3.10.10.dist-info,/tmp/ws-ua_20241107131315_RNGEVD/python_MHHUVM/202411071314551/env/lib/python3.8/site-packages/aiohttp-3.10.10.dist-info,/tmp/ws-ua_20241107131315_RNGEVD/python_MHHUVM/202411071314551/env/lib/python3.8/site-packages/aiohttp-3.10.10.dist-info
Dependency Hierarchy:
Found in HEAD commit: fda2a37b98507f17a864087fe28ef6b2dcf1984c
Found in base branch: master
Vulnerability Details
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In versions starting with 3.10.6 and prior to 3.10.11, a memory leak can occur when a request produces a MatchInfoError. This was caused by adding an entry to a cache on each request, due to the building of each MatchInfoError producing a unique cache entry. An attacker may be able to exhaust the memory resources of a server by sending a substantial number (100,000s to millions) of such requests. Those who use any middlewares with aiohttp.web should upgrade to version 3.10.11 to receive a patch.
Publish Date: 2024-11-18
URL: CVE-2024-52303
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-27mf-ghqm-j3j8
Release Date: 2024-11-18
Fix Resolution: 3.10.11
The text was updated successfully, but these errors were encountered: