aiohttp-3.5.3-cp37-cp37m-manylinux1_x86_64.whl: 1 vulnerabilities (highest severity is: 3.1) #5
Labels
Mend: dependency security vulnerability
Security vulnerability detected by Mend
Comments
dev-mend-for-github-com
bot
added
the
Mend: dependency security vulnerability
1 task
dev-mend-for-github-com
bot
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Async http client/server framework (asyncio)
Library home page: https://files.pythonhosted.org/packages/4e/40/bfd114bce3db2f2a8788672dd88f52a801f4499634758729a76fceb585c0/aiohttp-3.5.3-cp37-cp37m-manylinux1_x86_64.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Found in HEAD commit: 4e9b73402ae50afb3e06e2b6415b13c2f6491f8b
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - aiohttp-3.5.3-cp37-cp37m-manylinux1_x86_64.whl
Async http client/server framework (asyncio)
Library home page: https://files.pythonhosted.org/packages/4e/40/bfd114bce3db2f2a8788672dd88f52a801f4499634758729a76fceb585c0/aiohttp-3.5.3-cp37-cp37m-manylinux1_x86_64.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
Found in HEAD commit: 4e9b73402ae50afb3e06e2b6415b13c2f6491f8b
Found in base branch: master
Vulnerability Details
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In aiohttp before version 3.7.4 there is an open redirect vulnerability. A maliciously crafted link to an aiohttp-based web-server could redirect the browser to a different website. It is caused by a bug in the
aiohttp.web_middlewares.normalize_path_middlewaremiddleware. This security problem has been fixed in 3.7.4. Upgrade your dependency using pip as follows "pip install aiohttp >= 3.7.4". If upgrading is not an option for you, a workaround can be to avoid usingaiohttp.web_middlewares.normalize_path_middlewarein your applications.Publish Date: 2021-02-26
URL: CVE-2021-21330
CVSS 3 Score Details (3.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-v6wp-4m6f-gcjg
Release Date: 2021-02-26
Fix Resolution: 3.7.4
⛑️ Automatic Remediation will be attempted for this issue.
⛑️Automatic Remediation will be attempted for this issue.
The text was updated successfully, but these errors were encountered: