VDB
BDU:2024-02174
PUBLISHED
CVSS 3.4 LOW
Vulnerability in the aiohttp HTTP client caused by flawed handling of the Content-Length (CL) and Transfer-Encoding (TE) headers, allowing an attacker to send a hidden HTTP request (HTTP Request Smuggling attack)
Risk Scores
CVSS 3.1
3.4
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| aio-libs | aiohttp | < 3.8.0 |
| ООО «Ред Софт», Free Software Community | РЕД ОС (entry No. 3751 in the unified register of Russian software), aiohttp | |
Exploit Intelligence
- https://lists.debian.org/debian-lts-announce/2025/02/msg00002.html (circl)
- CIRCL seen: CVE-2023-47641 (circl-sighting)
- https://redos.red-soft.ru/support/secure/uyazvimosti/mnozhestvennye-uyazvimosti-python3-aiohttp-cve-2023-49081-cve-2023-49082-cve-2023-47627-cve-2023-372/?sphrase_id=349646 (circl)
- https://github.com/aio-libs/aiohttp/commit/f016f0680e4ace6742b03a70cb0382ce86abe371 (circl)
- https://github.com/aio-libs/aiohttp/security/advisories/GHSA-xx9p-xxvh-7g8j (circl)
- https://github.com/aio-libs/aiohttp/releases/tag/v3.8.0 (circl)
- https://docs.aiohttp.org/en/stable/changes.html (circl)
- http://repo.red-soft.ru/redos/7.3c/x86_64/updates/ (circl)
Timeline
- Nov 14, 2023 CVE Published
- Sep 13, 2024 CVE Updated
- Jan 19, 2026 PoC Published
References
- https://redos.red-soft.ru/support/secure/uyazvimosti/mnozhestvennye-uyazvimosti-python3-aiohttp-cve-2023-49081-cve-2023-49082-cve-2023-47627-cve-2023-372/?sphrase_id=349646 url
- https://github.com/aio-libs/aiohttp/commit/f016f0680e4ace6742b03a70cb0382ce86abe371 url
- https://github.com/aio-libs/aiohttp/security/advisories/GHSA-xx9p-xxvh-7g8j url
- https://github.com/aio-libs/aiohttp/releases/tag/v3.8.0 advisory
- https://docs.aiohttp.org/en/stable/changes.html advisory
- http://repo.red-soft.ru/redos/7.3c/x86_64/updates/ advisory
- https://lists.debian.org/debian-lts-announce/2025/02/msg00002.html url