aiohttp 3.8.1 vulnerability #602
Comments
I mention it because I read that third parties might already be "mitigating" the effect through their code. It would be more helpful maybe if I was investigating the code base myself to see if there is a possible way of triggering the bug. Dependabot and then Snyk informed me about this in another project which was leading to py-stellar-base packages. I am not saying that developers here are not aware, but since there is no reference to it but it might be affecting the software, I thought it's worth mentioning.
Thank you, it appears that GHSA-rwqr-c348-m5wr is a false positive for now, I'll follow up on it.
This advisory was withdrawn on Jun 29, 2022, so I closed this issue.
... can report a "ValueError: Invalid IPv6 URL" outcome, which can lead to a Denial of Service (DoS). NOTE: multiple third parties dispute this issue because there is no example of a context in which denial of service would occur, and many common contexts have exception handling in the calling application.
References
aio-libs/aiohttp#6772
https://www.cve.org/CVERecord?id=CVE-2022-33124
https://cwe.mitre.org/data/definitions/400.html
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:U/RC:U
https://app.snyk.io/vuln/SNYK-PYTHON-AIOHTTP-2934978
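The advisory text above turns on one point: `ValueError("Invalid IPv6 URL")` is raised by Python's standard `urllib.parse.urlsplit` when a URL's host part has unbalanced square brackets, and a calling application that catches `ValueError` turns that into an ordinary bad-request response instead of a crash. The following is an added illustration of that mitigation, not code from this repository, from aiohttp or from the advisory; the sample URLs and the `parse_url_safely` / `handle_request` helpers are constructed here for the example.

```python
from typing import Optional, Tuple
from urllib.parse import SplitResult, urlsplit

# Constructed sample inputs (assumption: they stand in for request targets a
# server might receive; they are not taken from the advisory or the issue).
SAMPLE_URLS = [
    "http://example.com/path",        # well-formed
    "http://[::1]:8080/health",       # well-formed bracketed IPv6 host
    "http://[::1/health",             # '[' without ']' -> ValueError in urlsplit
    "http://::1]/health",             # ']' without '[' -> ValueError in urlsplit
]


def parse_url_safely(raw: str) -> Tuple[Optional[SplitResult], Optional[str]]:
    """Parse a URL, converting urlsplit's ValueError into a (None, reason) result.

    CPython's urlsplit raises ValueError("Invalid IPv6 URL") when the netloc
    contains one square bracket but not its partner; catching it here is the
    "exception handling in the calling application" the advisory note refers to.
    """
    try:
        return urlsplit(raw), None
    except ValueError as exc:
        return None, str(exc)


def handle_request(raw_url: str) -> int:
    """Return the HTTP status a handler would send for this request target.

    A malformed URL becomes a 400 for that one request; without the guard the
    exception would propagate out of the handler, which is the unhandled-error
    path the advisory describes as a possible DoS.
    """
    parsed, reason = parse_url_safely(raw_url)
    if parsed is None:
        return 400  # client error, e.g. "bad host: " + reason in the body
    return 200


def summarize(urls) -> dict:
    """Map each sample URL to the status the guarded handler would produce."""
    return {url: handle_request(url) for url in urls}


if __name__ == "__main__":
    for url, status in summarize(SAMPLE_URLS).items():
        print(f"{status} {url}")
```

Running it shows the two bracket-mismatched URLs mapped to 400 while the well-formed ones pass; the process itself never terminates on the malformed input, which is the behaviour the disputing parties point to.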