1217181 – (CVE-2023-47627) VUL-0: CVE-2023-47627: python-aiohttp: numerous problems with header parsing which could lead to request smuggling

Bug 1217181 (CVE-2023-47627) - VUL-0: CVE-2023-47627: python-aiohttp: numerous problems with header parsing which could lead to request smuggling

Summary: VUL-0: CVE-2023-47627: python-aiohttp: numerous problems with header parsing ...

Status:	IN_PROGRESS

Alias:	CVE-2023-47627

Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents (show other bugs)
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Normal
Target Milestone:	---
Assignee:	John Paul Adrian Glaubitz
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/385157/
Whiteboard:	CVSSv3.1:SUSE:CVE-2023-47627:5.3:(AV:...
Keywords:

Depends on:
Blocks:

Clone This Bug

Reported:	2023-11-15 12:58 UTC by SMASH SMASH
Modified:	2024-06-10 10:40 UTC (History)
CC List:	6 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description SMASH SMASH 2023-11-15 12:58:41 UTC

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python.
The HTTP parser in AIOHTTP has numerous problems with header parsing, which could lead to request smuggling. This parser is only used when AIOHTTP_NO_EXTENSIONS is enabled (or not using a prebuilt wheel). These bugs have been addressed in commit `d5c12ba89` which has been included in release version 3.8.6. Users are advised to upgrade. There are no known workarounds for these issues.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-47627
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-gfw2-4jvh-wgfg

Comment 1 Gianluca Gabrielli 2023-11-15 12:59:55 UTC

Affected packages:
 - SUSE:ALP:Source:Standard:1.0/python-aiohttp
 - SUSE:SLE-15-SP4:Update/python-aiohttp
 - SUSE:SLE-15-SP1:Update/python-aiohttp

Already Fixed:
 - openSUSE:Factory/python-aiohttp

Upstream patch: https://github.com/aio-libs/aiohttp/commit/d5c12ba890557a575c313bb3017910d7616fce3d

Comment 9 Maintenance Automation 2024-02-21 12:30:11 UTC

SUSE-SU-2024:0577-1: An update that solves four vulnerabilities and has one security fix can now be installed.

Category: security (important)
Bug References: 1217174, 1217181, 1217782, 1219341, 1219342
CVE References: CVE-2023-47627, CVE-2023-47641, CVE-2024-23334, CVE-2024-23829
Sources used:
openSUSE Leap 15.4 (src): python-aiohttp-3.9.3-150400.10.14.1, python-time-machine-2.13.0-150400.9.3.1
openSUSE Leap 15.5 (src): python-aiohttp-3.9.3-150400.10.14.1
Python 3 Module 15-SP5 (src): python-aiohttp-3.9.3-150400.10.14.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src): python-aiohttp-3.9.3-150400.10.14.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src): python-aiohttp-3.9.3-150400.10.14.1
SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 (src): python-aiohttp-3.9.3-150400.10.14.1
SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (src): python-aiohttp-3.9.3-150400.10.14.1
SUSE Linux Enterprise Server for SAP Applications 15 SP4 (src): python-aiohttp-3.9.3-150400.10.14.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.