CVE-2024-52304 in aiohttpinformazioni

Riassunto

di MITRE • 18/11/2024

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.10.11, the Python parser parses newlines in chunk extensions incorrectly which can lead to request smuggling vulnerabilities under certain conditions. If a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or `AIOHTTP_NO_EXTENSIONS` is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections. Version 3.10.11 fixes the issue.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Responsabile

GitHub M

Prenotare

06/11/2024

Divulgazione

18/11/2024

Moderazione

accettato

CPE

pronto

EPSS

0.00576

KEV

no

Attività

molto basso

Fonti

Interested in the pricing of exploits?

See the underground prices here!