CVE-2021-21330
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In aiohttp before version 3.7.4 there is an open redirect vulnerability: a maliciously crafted link to an aiohttp-based web server could redirect the browser to a different website. It is caused by a bug in the `aiohttp.web_middlewares.normalize_path_middleware` middleware. This security problem has been fixed in 3.7.4. Upgrade your dependency using pip as follows: `pip install "aiohttp>=3.7.4"` (the version specifier is quoted so the shell does not treat `>` as a redirect). If upgrading is not an option for you, a workaround is to avoid using `aiohttp.web_middlewares.normalize_path_middleware` in your applications.
EPSS 0.49% · 66.1th percentile
Risk Scores
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ubuntu:Pro:18.04:LTS | python-aiohttp | 0, 2.2.3-1build1, 2.2.3-2 |
| Ubuntu:Pro:20.04:LTS | python-aiohttp | 3.5.4-1, 3.6.1-1, 3.5.4-1build1 |
Exploit Intelligence
- CIRCL seen: CVE-2021-21330 (circl-sighting)
- https://github.com/aio-libs/aiohttp/security/advisories/GHSA-v6wp-4m6f-gcjg (circl)
- https://github.com/aio-libs/aiohttp/commit/2545222a3853e31ace15d87ae0e2effb7da0c96b (circl)
- https://github.com/aio-libs/aiohttp/blob/master/CHANGES.rst#374-2021-02-25 (circl)
- https://pypi.org/project/aiohttp/ (circl)
- DSA-4864 (circl)
- FEDORA-2021-673b10ed77 (circl)
- FEDORA-2021-902c1b07c9 (circl)
- GLSA-202208-19 (circl)
Timeline
- Feb 26, 2021 CVE Published
- Feb 26, 2021 PoC Published
- Apr 14, 2021 EPSS Score
- Jun 23, 2021 EPSS Score
- Aug 24, 2021 EPSS Score
- Dec 27, 2021 EPSS Score
- Jan 6, 2022 EPSS Score
- Feb 4, 2022 EPSS Score
- Feb 28, 2022 EPSS Score
- May 1, 2022 EPSS Score
- Jul 3, 2022 EPSS Score
- Sep 4, 2022 EPSS Score
References
- https://ubuntu.com/security/CVE-2021-21330 third-party-advisory
- https://github.com/aio-libs/aiohttp/issues/5497 third-party-advisory
- https://github.com/aio-libs/aiohttp/security/advisories/GHSA-v6wp-4m6f-gcjg third-party-advisory
- https://github.com/aio-libs/aiohttp/blob/master/CHANGES.rst#374-2021-02-25 third-party-advisory
- https://github.com/aio-libs/aiohttp/commit/2545222a3853e31ace15d87ae0e2effb7da0c96b third-party-advisory
- https://pypi.org/project/aiohttp/ third-party-advisory
- https://ubuntu.com/security/notices/USN-5386-1 vendor-advisory
- https://www.cve.org/CVERecord?id=CVE-2021-21330 third-party-advisory