CVE-2023-47627

HIGH Year: 2023
CVSS v3 Score
7.5
High
Weakness Type
CWE-444
View all →

Vulnerability Description

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. The HTTP parser in AIOHTTP has numerous problems with header parsing, which could lead to request smuggling. This parser is only used when AIOHTTP_NO_EXTENSIONS is enabled (or not using a prebuilt wheel). These bugs have been addressed in commit `d5c12ba89` which has been included in release version 3.8.6. Users are advised to upgrade. There are no known workarounds for these issues.

Related Vulnerabilities

CVE-2017-12165

HIGH
CVSS:7.5(High)

It was discovered that Undertow before 1.4.17, 1.3.31 and 2.0.0 processes http request headers with unusual whitespaces which can cause possible http request smuggling.

CWE-4442017

CVE-2017-7656

HIGH
CVSS:7.5(High)

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line ...

CWE-4442017

CVE-2019-1020012

HIGH
CVSS:7.5(High)

parse-server before 3.4.1 allows DoS after any POST to a volatile class.

CWE-4442019

CVE-2019-16276

HIGH
CVSS:7.5(High)

Go before 1.12.10 and 1.13.x before 1.13.1 allow HTTP Request Smuggling.

CWE-4442019

CVE-2019-16785

HIGH
CVSS:7.5(High)

Waitress through version 1.3.1 implemented a "MAY" part of the RFC7230 which states: "Although the line terminator for the start-line and header fields is the sequence CRLF, a recipient MAY recognize ...

CWE-4442019

CVE-2019-16786

HIGH
CVSS:7.5(High)

Waitress through version 1.3.1 would parse the Transfer-Encoding header and only look for a single string value, if that value was not chunked it would fall through and use the Content-Length header i...

CWE-4442019