{"containers": {"cna": {"affected": [{"product": "aiohttp", "vendor": "aio-libs", "versions": [{"status": "affected", "version": "< 3.7.4"}]}], "descriptions": [{"lang": "en", "value": "aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In aiohttp before version 3.7.4 there is an open redirect vulnerability. A maliciously crafted link to an aiohttp-based web-server could redirect the browser to a different website. It is caused by a bug in the `aiohttp.web_middlewares.normalize_path_middleware` middleware. This security problem has been fixed in 3.7.4. Upgrade your dependency using pip as follows \"pip install aiohttp >= 3.7.4\". If upgrading is not an option for you, a workaround can be to avoid using `aiohttp.web_middlewares.normalize_path_middleware` in your applications."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.1, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-601", "description": "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-08-11T00:11:43", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/aio-libs/aiohttp/security/advisories/GHSA-v6wp-4m6f-gcjg"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/aio-libs/aiohttp/commit/2545222a3853e31ace15d87ae0e2effb7da0c96b"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/aio-libs/aiohttp/blob/master/CHANGES.rst#374-2021-02-25"}, {"tags": ["x_refsource_MISC"], "url": "https://pypi.org/project/aiohttp/"}, {"name": "DSA-4864", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "https://www.debian.org/security/2021/dsa-4864"}, {"name": "FEDORA-2021-673b10ed77", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JN3V7CZJRT4QFCVXB6LDPCJH7NAOFCA5/"}, {"name": "FEDORA-2021-902c1b07c9", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FU7ENI54JNEK3PHEFGCE46DGMFNTVU6L/"}, {"name": "GLSA-202208-19", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "https://security.gentoo.org/glsa/202208-19"}], "source": {"advisory": "GHSA-v6wp-4m6f-gcjg", "discovery": "UNKNOWN"}, "title": "Open redirect vulnerability in aiohttp", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-21330", "STATE": "PUBLIC", "TITLE": "Open redirect vulnerability in aiohttp"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "aiohttp", "version": {"version_data": [{"version_value": "< 3.7.4"}]}}]}, "vendor_name": "aio-libs"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In aiohttp before version 3.7.4 there is an open redirect vulnerability. A maliciously crafted link to an aiohttp-based web-server could redirect the browser to a different website. It is caused by a bug in the `aiohttp.web_middlewares.normalize_path_middleware` middleware. This security problem has been fixed in 3.7.4. Upgrade your dependency using pip as follows \"pip install aiohttp >= 3.7.4\". If upgrading is not an option for you, a workaround can be to avoid using `aiohttp.web_middlewares.normalize_path_middleware` in your applications."}]}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.1, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')"}]}]}, "references": {"reference_data": [{"name": "https://github.com/aio-libs/aiohttp/security/advisories/GHSA-v6wp-4m6f-gcjg", "refsource": "CONFIRM", "url": "https://github.com/aio-libs/aiohttp/security/advisories/GHSA-v6wp-4m6f-gcjg"}, {"name": "https://github.com/aio-libs/aiohttp/commit/2545222a3853e31ace15d87ae0e2effb7da0c96b", "refsource": "MISC", "url": "https://github.com/aio-libs/aiohttp/commit/2545222a3853e31ace15d87ae0e2effb7da0c96b"}, {"name": "https://github.com/aio-libs/aiohttp/blob/master/CHANGES.rst#374-2021-02-25", "refsource": "MISC", "url": "https://github.com/aio-libs/aiohttp/blob/master/CHANGES.rst#374-2021-02-25"}, {"name": "https://pypi.org/project/aiohttp/", "refsource": "MISC", "url": "https://pypi.org/project/aiohttp/"}, {"name": "DSA-4864", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2021/dsa-4864"}, {"name": "FEDORA-2021-673b10ed77", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JN3V7CZJRT4QFCVXB6LDPCJH7NAOFCA5/"}, {"name": "FEDORA-2021-902c1b07c9", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FU7ENI54JNEK3PHEFGCE46DGMFNTVU6L/"}, {"name": "GLSA-202208-19", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/202208-19"}]}, "source": {"advisory": "GHSA-v6wp-4m6f-gcjg", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T18:09:15.080Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/aio-libs/aiohttp/security/advisories/GHSA-v6wp-4m6f-gcjg"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/aio-libs/aiohttp/commit/2545222a3853e31ace15d87ae0e2effb7da0c96b"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/aio-libs/aiohttp/blob/master/CHANGES.rst#374-2021-02-25"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://pypi.org/project/aiohttp/"}, {"name": "DSA-4864", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "https://www.debian.org/security/2021/dsa-4864"}, {"name": "FEDORA-2021-673b10ed77", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JN3V7CZJRT4QFCVXB6LDPCJH7NAOFCA5/"}, {"name": "FEDORA-2021-902c1b07c9", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FU7ENI54JNEK3PHEFGCE46DGMFNTVU6L/"}, {"name": "GLSA-202208-19", "tags": ["vendor-advisory", "x_refsource_GENTOO", "x_transferred"], "url": "https://security.gentoo.org/glsa/202208-19"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-21330", "datePublished": "2021-02-26T02:15:15", "dateReserved": "2020-12-22T00:00:00", "dateUpdated": "2024-08-03T18:09:15.080Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:aiohttp:aiohttp:*:*:*:*:*:*:*:*", "matchCriteriaId": "85039D6B-2E1A-4679-8345-BD3804144EAC", "versionEndExcluding": "3.7.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*", "matchCriteriaId": "E460AA51-FCDA-46B9-AE97-E6676AA5E194", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*", "matchCriteriaId": "A930E247-0B43-43CB-98FF-6CE7B8189835", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In aiohttp before version 3.7.4 there is an open redirect vulnerability. A maliciously crafted link to an aiohttp-based web-server could redirect the browser to a different website. It is caused by a bug in the `aiohttp.web_middlewares.normalize_path_middleware` middleware. This security problem has been fixed in 3.7.4. Upgrade your dependency using pip as follows \"pip install aiohttp >= 3.7.4\". If upgrading is not an option for you, a workaround can be to avoid using `aiohttp.web_middlewares.normalize_path_middleware` in your applications."}, {"lang": "es", "value": "aiohttp es un framework cliente/servidor HTTP asincr\u00f3nico para asyncio y Python.&#xa0;En aiohttp versiones anteriores a 3.7.4, se presenta una vulnerabilidad de redireccionamiento abierto.&#xa0;Un enlace dise\u00f1ado malicioso en un servidor web basado en aiohttp podr\u00eda redireccionar el navegador a un sitio web diferente.&#xa0;Es causado por un error en el middleware \"aiohttp.web_middlewares.normalize_path_middleware\".&#xa0;Este problema de seguridad ha sido corregido en versi\u00f3n 3.7.4.&#xa0;Actualice su dependencia usando pip de la siguiente manera \"pip install aiohttp versiones posteriores o incluyendo a 3.7.4\".&#xa0;Si la actualizaci\u00f3n no es una opci\u00f3n para usted, una soluci\u00f3n alternativa puede ser evitar el uso de \"aiohttp.web_middlewares.normalize_path_middleware\" en sus aplicaciones"}], "id": "CVE-2021-21330", "lastModified": "2023-11-22T17:09:17.470", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.1, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2021-02-26T03:15:12.840", "references": [{"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/aio-libs/aiohttp/blob/master/CHANGES.rst#374-2021-02-25"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/aio-libs/aiohttp/commit/2545222a3853e31ace15d87ae0e2effb7da0c96b"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/aio-libs/aiohttp/security/advisories/GHSA-v6wp-4m6f-gcjg"}, {"source": "security-advisories@github.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FU7ENI54JNEK3PHEFGCE46DGMFNTVU6L/"}, {"source": "security-advisories@github.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JN3V7CZJRT4QFCVXB6LDPCJH7NAOFCA5/"}, {"source": "security-advisories@github.com", "tags": ["Product", "Third Party Advisory"], "url": "https://pypi.org/project/aiohttp/"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202208-19"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2021/dsa-4864"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-601"}], "source": "security-advisories@github.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-601"}], "source": "nvd@nist.gov", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2021:4702", "cpe": "cpe:/a:redhat:satellite:6.10::el7", "package": "python-aiohttp-0:3.7.4-1.el7pc", "product_name": "Red Hat Satellite 6.10 for RHEL 7", "release_date": "2021-11-16T00:00:00Z"}, {"advisory": "RHSA-2021:4702", "cpe": "cpe:/a:redhat:satellite_capsule:6.10::el7", "package": "python-aiohttp-0:3.7.4-1.el7pc", "product_name": "Red Hat Satellite 6.10 for RHEL 7", "release_date": "2021-11-16T00:00:00Z"}], "bugzilla": {"description": "python-aiohttp: Open redirect in aiohttp.web_middlewares.normalize_path_middleware", "id": "1933364", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1933364"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.2", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N", "status": "verified"}, "cwe": "CWE-601", "details": ["aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In aiohttp before version 3.7.4 there is an open redirect vulnerability. A maliciously crafted link to an aiohttp-based web-server could redirect the browser to a different website. It is caused by a bug in the `aiohttp.web_middlewares.normalize_path_middleware` middleware. This security problem has been fixed in 3.7.4. Upgrade your dependency using pip as follows \"pip install aiohttp >= 3.7.4\". If upgrading is not an option for you, a workaround can be to avoid using `aiohttp.web_middlewares.normalize_path_middleware` in your applications.", "An open redirect flaw was found in python-aiohttp. This flaw allows a remote, unauthenticated attacker to trick users into visiting a malicious webpage, disguised as a legitimate webpage and affects applications using the normalize_path_middleware functionality. The highest threat from this vulnerability is to confidentiality and integrity."], "name": "CVE-2021-21330", "package_state": [{"cpe": "cpe:/a:redhat:ansible_automation_platform", "fix_state": "Not affected", "package_name": "aiohttp", "product_name": "Red Hat Ansible Automation Platform 1.2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform", "fix_state": "Not affected", "package_name": "python-aiohttp", "product_name": "Red Hat Ansible Automation Platform 1.2"}, {"cpe": "cpe:/a:redhat:ansible_tower:3", "fix_state": "Not affected", "package_name": "aiohttp", "product_name": "Red Hat Ansible Tower 3"}], "public_date": "2021-02-25T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-21330\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-21330\nhttps://github.com/aio-libs/aiohttp/security/advisories/GHSA-v6wp-4m6f-gcjg"], "statement": "Red Hat Satellite version 6.7 onward (mostly pulp part) does ship an affected version of aiohttp, however, is not vulnerable since the product code does not use the normalize_path_middleware function, which the attacker may use for an attack. We may update the python-aiohttp dependency in a future release.", "threat_severity": "Moderate", "upstream_fix": "python-aiohttp 3.7.4"}