VDB

CVE-2021-21330

CVE-2021-21330 PUBLISHED

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In aiohttp before version 3.7.4 there is an open redirect vulnerability. A maliciously crafted link to an aiohttp-based web-server could redirect the browser to a different website. It is caused by a bug in the `aiohttp.web_middlewares.normalize_path_middleware` middleware. This security problem has been fixed in 3.7.4. Upgrade your dependency using pip as follows "pip install aiohttp >= 3.7.4". If upgrading is not an option for you, a workaround can be to avoid using `aiohttp.web_middlewares.normalize_path_middleware` in your applications.

EPSS 0.49% · 66.1th percentile

Risk Scores

EPSS Score
0.49%
66.1th percentile

Affected Products

VendorProductVersions
Ubuntu:Pro:18.04:LTSpython-aiohttp0, 2.2.3-1build1, 2.2.3-2
Ubuntu:Pro:20.04:LTSpython-aiohttp3.5.4-1, 3.6.1-1, 3.5.4-1build1

Timeline

  • Feb 26, 2021 CVE Published
  • Feb 26, 2021 PoC Published
  • Apr 14, 2021 EPSS Score
  • Jun 23, 2021 EPSS Score
  • Aug 24, 2021 EPSS Score
  • Dec 27, 2021 EPSS Score
  • Jan 6, 2022 EPSS Score
  • Feb 4, 2022 EPSS Score
  • Feb 28, 2022 EPSS Score
  • May 1, 2022 EPSS Score
  • Jul 3, 2022 EPSS Score
  • Sep 4, 2022 EPSS Score
Open in Interactive Console →
$ Console Community · 100/wk Open console ›