ID CVE-2021-21330
Summary aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In aiohttp before version 3.7.4 there is an open redirect vulnerability. A maliciously crafted link to an aiohttp-based web-server could redirect the browser to a different website. It is caused by a bug in the `aiohttp.web_middlewares.normalize_path_middleware` middleware. This security problem has been fixed in 3.7.4. Upgrade your dependency using pip as follows "pip install aiohttp >= 3.7.4". If upgrading is not an option for you, a workaround can be to avoid using `aiohttp.web_middlewares.normalize_path_middleware` in your applications.
References
Vulnerable Configurations
  • cpe:2.3:a:aiohttp_project:aiohttp:3.6.2:*:*:*:*:*:*:*
    cpe:2.3:a:aiohttp_project:aiohttp:3.6.2:*:*:*:*:*:*:*
  • cpe:2.3:a:aiohttp_project:aiohttp:3.6.3:*:*:*:*:*:*:*
    cpe:2.3:a:aiohttp_project:aiohttp:3.6.3:*:*:*:*:*:*:*
  • cpe:2.3:a:aiohttp_project:aiohttp:3.7.0:-:*:*:*:*:*:*
    cpe:2.3:a:aiohttp_project:aiohttp:3.7.0:-:*:*:*:*:*:*
  • cpe:2.3:a:aiohttp_project:aiohttp:3.7.0:beta0:*:*:*:*:*:*
    cpe:2.3:a:aiohttp_project:aiohttp:3.7.0:beta0:*:*:*:*:*:*
  • cpe:2.3:a:aiohttp_project:aiohttp:3.7.0:beta1:*:*:*:*:*:*
    cpe:2.3:a:aiohttp_project:aiohttp:3.7.0:beta1:*:*:*:*:*:*
  • cpe:2.3:a:aiohttp_project:aiohttp:3.7.1:*:*:*:*:*:*:*
    cpe:2.3:a:aiohttp_project:aiohttp:3.7.1:*:*:*:*:*:*:*
  • cpe:2.3:a:aiohttp_project:aiohttp:3.7.2:*:*:*:*:*:*:*
    cpe:2.3:a:aiohttp_project:aiohttp:3.7.2:*:*:*:*:*:*:*
  • cpe:2.3:a:aiohttp_project:aiohttp:3.7.3:*:*:*:*:*:*:*
    cpe:2.3:a:aiohttp_project:aiohttp:3.7.3:*:*:*:*:*:*:*
  • cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
    cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
  • cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*
    cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*
  • cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*
    cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*
CVSS
Base: 5.8 (as of 26-03-2021 - 20:01)
Impact:
Exploitability:
CWE CWE-601
CAPEC
Access
VectorComplexityAuthentication
NETWORK MEDIUM NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL PARTIAL NONE
cvss-vector via4 AV:N/AC:M/Au:N/C:P/I:P/A:N
Last major update 26-03-2021 - 20:01
Published 26-02-2021 - 03:15
Last modified 26-03-2021 - 20:01
Back to Top