CVE-2021-21330 (Medium) detected in aiohttp-0.16.3.tar.gz

[mend-for-github-com]

CVE-2021-21330 - Medium Severity Vulnerability

Vulnerable Library - aiohttp-0.16.3.tar.gz

Async http client/server framework (asyncio)

Library home page: https://files.pythonhosted.org/packages/69/f0/dc5959f1b2f641c40357e66a516214ef7d2d13a5ce3cdb044d78f7c57f39/aiohttp-0.16.3.tar.gz

Path to dependency file: /folder2/requirements.txt

Path to vulnerable library: /folder2/requirements.txt

Dependency Hierarchy:

• ❌ aiohttp-0.16.3.tar.gz (Vulnerable Library)

Found in HEAD commit: 6b0c64ea59feda03497ff343e6a84689235bc03a

Found in base branch: master

Vulnerability Details

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In aiohttp before version 3.7.4 there is an open redirect vulnerability. A maliciously crafted link to an aiohttp-based web-server could redirect the browser to a different website. It is caused by a bug in the aiohttp.web_middlewares.normalize_path_middleware middleware. This security problem has been fixed in 3.7.4. Upgrade your dependency using pip as follows "pip install aiohttp >= 3.7.4". If upgrading is not an option for you, a workaround can be to avoid using aiohttp.web_middlewares.normalize_path_middleware in your applications.

Publish Date: 2021-02-26

URL: CVE-2021-21330

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-v6wp-4m6f-gcjg

Release Date: 2021-02-26

Fix Resolution: v3.7.4

---

⛑️ Automatic Remediation is available for this issue