<p>Upgrade <code>Debian:11</code> <code>python-aiohttp</code> to version 3.7.4-1 or higher.</p>

Open Redirect Affecting python-aiohttp package, versions <3.7.4-1

Threat Intelligence

1.03% (85^th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk ID SNYK-DEBIAN11-PYTHONAIOHTTP-1079289
published 26 Feb 2021
disclosed 26 Feb 2021

Report a new vulnerability Found a mistake?

Introduced: 26 Feb 2021

CVE-2021-21330 Open this link in a new tab CWE-601 Open this link in a new tab

How to fix?

Upgrade Debian:11 python-aiohttp to version 3.7.4-1 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream python-aiohttp package and not the python-aiohttp package as distributed by Debian. See How to fix? for Debian:11 relevant fixed versions and status.

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In aiohttp before version 3.7.4 there is an open redirect vulnerability. A maliciously crafted link to an aiohttp-based web-server could redirect the browser to a different website. It is caused by a bug in the aiohttp.web_middlewares.normalize_path_middleware middleware. This security problem has been fixed in 3.7.4. Upgrade your dependency using pip as follows "pip install aiohttp >= 3.7.4". If upgrading is not an option for you, a workaround can be to avoid using aiohttp.web_middlewares.normalize_path_middleware in your applications.

References

CVSS Scores

version 3.1

Attack Vector (AV)

Network
Attack Complexity (AC)

Low
Privileges Required (PR)

None
User Interaction (UI)

Required

Scope (S)

Changed

Confidentiality (C)

Low
Integrity (I)

Low
Availability (A)

None

Open Redirect Affecting python-aiohttp package, versions <3.7.4-1

Severity

Snyk's Security Team recommends NVD's CVSS assessment