CVE-2023-49082— aiohttp 注入漏洞

aiohttp's ClientSession is vulnerable to CRLF injection via method

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Improper validation makes it possible for an attacker to modify the HTTP request (e.g. insert a new header) or even create a new HTTP request if the attacker controls the HTTP method. The vulnerability occurs only if the attacker can control the HTTP method (GET, POST etc.) of the request. If the attacker can control the HTTP version of the request it will be able to modify the request (request smuggling). This issue has been patched in version 3.9.0.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

对CRLF序列的转义处理不恰当(CRLF注入)

aiohttp 注入漏洞

aiohttp是一个开源的用于 asyncio 和 Python 的异步 HTTP 客户端/服务器框架。 aiohttp 3.9.0之前版本存在注入漏洞，该漏洞源于不正确的验证使攻击者可以修改 HTTP 请求（例如插入新标头），甚至在攻击者控制 HTTP 方法的情况下可以创建新的 HTTP 请求。

N/A

N/A