UBUNTU-CVE-2024-23829

Source
https://ubuntu.com/security/CVE-2024-23829
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-23829.json
JSON Data
https://api.osv.dev/v1/vulns/UBUNTU-CVE-2024-23829
Related
Published
2024-01-29T23:15:00Z
Modified
2024-10-15T14:12:52Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L CVSS Calculator
Summary
[none]
Details

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Security-sensitive parts of the Python HTTP parser retained minor differences in allowable character sets, that must trigger error handling to robustly match frame boundaries of proxies in order to protect against injection of additional requests. Additionally, validation could trigger exceptions that were not handled consistently with processing of other malformed input. Being more lenient than internet standards require could, depending on deployment environment, assist in request smuggling. The unhandled exception could cause excessive resource consumption on the application server and/or its logging facilities. This vulnerability exists due to an incomplete fix for CVE-2023-47627. Version 3.9.2 fixes this vulnerability.

References

Affected packages

Ubuntu:Pro:16.04:LTS / python-aiohttp

Package

Name
python-aiohttp
Purl
pkg:deb/ubuntu/python-aiohttp?arch=src?distro=esm-apps/xenial

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.17.2-1
0.17.4-1
0.17.4-1build1
0.20.2-1

Ecosystem specific

{
    "ubuntu_priority": "medium"
}

Ubuntu:Pro:18.04:LTS / python-aiohttp

Package

Name
python-aiohttp
Purl
pkg:deb/ubuntu/python-aiohttp?arch=src?distro=esm-apps/bionic

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.2.3-1build1
2.2.3-2
2.3.6-1

3.*

3.0.1-1
3.0.1-1ubuntu0.1~esm1
3.0.1-1ubuntu0.1~esm4

Ecosystem specific

{
    "ubuntu_priority": "medium"
}

Ubuntu:20.04:LTS / python-aiohttp

Package

Name
python-aiohttp
Purl
pkg:deb/ubuntu/python-aiohttp?arch=src?distro=focal

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

3.*

3.5.4-1
3.5.4-1build1
3.6.1-1
3.6.2-1
3.6.2-1build1
3.6.2-1ubuntu1

Ecosystem specific

{
    "ubuntu_priority": "medium"
}

Ubuntu:22.04:LTS / python-aiohttp

Package

Name
python-aiohttp
Purl
pkg:deb/ubuntu/python-aiohttp?arch=src?distro=jammy

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

3.*

3.7.4-1
3.7.4-1build2
3.8.1-3
3.8.1-4
3.8.1-4build1
3.8.1-4ubuntu0.2

Ecosystem specific

{
    "ubuntu_priority": "medium"
}

Ubuntu:24.10 / python-aiohttp

Package

Name
python-aiohttp
Purl
pkg:deb/ubuntu/python-aiohttp?arch=src?distro=oracular

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

3.*

3.9.1-1build1
3.9.5-1

Ecosystem specific

{
    "ubuntu_priority": "medium"
}

Ubuntu:24.04:LTS / python-aiohttp

Package

Name
python-aiohttp
Purl
pkg:deb/ubuntu/python-aiohttp?arch=src?distro=noble

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

3.*

3.8.4-1
3.9.1-1
3.9.1-1build1
3.9.1-1ubuntu0.1

Ecosystem specific

{
    "ubuntu_priority": "medium"
}