CVE-2024-52304

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2024-52304

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-52304.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2024-52304

Aliases

GHSA-8495-4g3g-x7pr

Related

Published

2024-11-18T21:15:06Z

Modified

2024-11-19T22:51:10.102970Z

Summary

[none]

Details

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.10.11, the Python parser parses newlines in chunk extensions incorrectly which can lead to request smuggling vulnerabilities under certain conditions. If a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or AIOHTTP_NO_EXTENSIONS is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections. Version 3.10.11 fixes the issue.

References

Affected packages

Debian:11 / python-aiohttp

Package

Name: python-aiohttp
Purl: pkg:deb/debian/python-aiohttp?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

3.*

3.7.4-1

3.7.4-2

3.8.1-1

3.8.1-2

3.8.1-3

3.8.1-4

3.8.1-5

3.8.3-1

3.8.4-1

3.8.5-1

3.8.6-1

3.9.1-1

3.9.5-1

3.10.0-1

3.10.1-1

3.10.3-1

3.10.3-2

3.10.3-3

3.10.4-1

3.10.5-1

3.10.6-1

3.10.8-1

3.10.10-1

3.10.10-2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / python-aiohttp

Package

Name: python-aiohttp
Purl: pkg:deb/debian/python-aiohttp?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

3.*

3.8.4-1

3.8.5-1

3.8.6-1

3.9.1-1

3.9.5-1

3.10.0-1

3.10.1-1

3.10.3-1

3.10.3-2

3.10.3-3

3.10.4-1

3.10.5-1

3.10.6-1

3.10.8-1

3.10.10-1

3.10.10-2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / python-aiohttp

Package

Name: python-aiohttp
Purl: pkg:deb/debian/python-aiohttp?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

3.*

3.8.4-1

3.8.5-1

3.8.6-1

3.9.1-1

3.9.5-1

3.10.0-1

3.10.1-1

3.10.3-1

3.10.3-2

3.10.3-3

3.10.4-1

3.10.5-1

3.10.6-1

3.10.8-1

3.10.10-1

3.10.10-2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/aio-libs/aiohttp

Affected ranges

Type: GIT
Repo: https://github.com/aio-libs/aiohttp
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

259edc369075de63e6f3a4eaade058c62af0df71

Affected versions

0.*

0.15.2

0.8.2

1.*

1.3.0

2.*

2.0.0

2.0.0rc1

2.0.1

2.0.2

2.0.3

2.0.3-1

2.0.4

2.0.5

2.0.6

2.0.7

4v0.*

4v0.21.6

v.*

v.0.6.5

v0.*

v0.1

v0.10.0

v0.10.1

v0.10.2

v0.11.0

v0.12.0

v0.13.0

v0.13.1

v0.14.0

v0.14.1

v0.14.2

v0.14.3

v0.14.4

v0.15.0

v0.15.1

v0.15.2

v0.15.3

v0.16.0

v0.16.1

v0.16.2

v0.16.3

v0.16.4

v0.16.5

v0.16.6

v0.17.0

v0.17.1

v0.17.2

v0.17.3

v0.17.4

v0.18.0

v0.18.1

v0.18.2

v0.18.3

v0.18.4

v0.19.0

v0.2

v0.20.0

v0.20.1

v0.20.2

v0.21.0

v0.21.0a0

v0.21.0a1

v0.21.0a2

v0.21.1

v0.21.2

v0.21.3

v0.21.4

v0.21.5

v0.21.6

v0.22.0

v0.22.0b0

v0.22.0b1

v0.22.0b2

v0.22.0b3

v0.22.0b4

v0.22.0b5

v0.22.0b6

v0.22.1

v0.22.2

v0.22.3

v0.22.4

v0.22.5

v0.3

v0.4

v0.4.1

v0.4.2

v0.5.0

v0.6.1

v0.6.2

v0.6.3

v0.6.4

v0.7.0

v0.7.1

v0.7.2

v0.7.3

v0.8.0

v0.8.1

v0.8.3

v0.8.4

v0.9.0

v0.9.1

v0.9.2

v0.9.3

v1.*

v1.0.0

v1.0.1

v1.0.2

v1.0.4

v1.0.5

v1.1.0

v1.1.1

v1.1.2

v1.1.3

v1.1.4

v1.1.5

v1.1.6

v1.2.0

v2.*

v2.1.0

v2.2.0

v2.2.1

v2.2.2

v2.2.3

v2.2.4

v2.2.5

v2.3.0

v2.3.0a1

v2.3.0a2

v2.3.0a3

v2.3.0a4

v2.3.1

v2.3.10

v2.3.1a1

v2.3.2

v2.3.2b1

v2.3.2b2

v2.3.2b3

v2.3.3

v2.3.4

v2.3.5

v2.3.6

v2.3.7

v2.3.8

v2.3.9

v3.*

v3.0.0

v3.0.0b0

v3.0.0b1

v3.0.0b2

v3.0.0b3

v3.0.0b4

v3.0.1

v3.0.2

v3.0.3

v3.0.4

v3.0.5

v3.0.6

v3.0.7

v3.0.8

v3.0.9

v3.1.0

v3.1.1

v3.1.2

v3.1.3

v3.10.0

v3.10.0b0

v3.10.0b1

v3.10.0rc0

v3.10.1

v3.10.10

v3.10.11rc0

v3.10.2

v3.10.3

v3.10.4

v3.10.5

v3.10.6

v3.10.6rc0

v3.10.6rc1

v3.10.6rc2

v3.10.7

v3.10.8

v3.10.9

v3.2.0

v3.2.1

v3.3.0

v3.3.1

v3.3.1b1

v3.3.2

v3.3.2a0

v3.4.0

v3.4.0a0

v3.4.0a3

v3.4.0b1

v3.4.0b2

v3.4.1

v3.4.2

v3.4.3

v3.4.4

v3.5.0

v3.5.0a1

v3.5.0b1

v3.5.0b2

v3.5.0b3

v3.5.1

v3.5.2

v3.5.3

v3.5.4

v3.6.0

v3.6.0a0

v3.6.0a1

v3.6.0a10

v3.6.0a11

v3.6.0a12

v3.6.0a2

v3.6.0a3

v3.6.0a4

v3.6.0a5

v3.6.0a6

v3.6.0a7

v3.6.0a8

v3.6.0a9

v3.6.0b0

v3.6.1

v3.6.1b3

v3.6.1b4

v3.6.2

v3.6.2a1

v3.6.2a2

v3.7.0

v3.7.0b0

v3.7.0b1

v3.7.1

v3.7.2

v3.7.3

v3.7.4

v3.7.4.post0

v3.8.0

v3.8.1

v3.8.2

v3.8.2a0

v3.8.3

v3.9.0

v3.9.0b0

v3.9.0b1

v3.9.0rc0

v3.9.1

v3.9.2

v3.9.3

v3.9.4

v3.9.5