QID 980643: Python (pip) Security Update for aiohttp (GHSA-v6wp-4m6f-gcjg)
Security update has been released for aiohttp to fix the vulnerability.
Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
_What kind of vulnerability is it? Who is impacted?_
Open redirect vulnerability: a maliciously crafted link to an aiohttp-based web server could redirect the browser to a different website.
It is caused by a bug in the `aiohttp.web_middlewares.normalize_path_middleware` middleware.
Solution
_Has the problem been patched? What versions should users upgrade to?_
This security problem has been fixed in v3.7.4. Upgrade your dependency as follows (the version specifier is quoted so the shell does not treat `>=` as an output redirection):
`pip install "aiohttp>=3.7.4"`
Workaround:
_Is there a way for users to fix or remediate the vulnerability without upgrading?_
If upgrading is not an option for you, a workaround can be to avoid using `aiohttp.web_middlewares.normalize_path_middleware` in your applications.
Vendor References
- GHSA-v6wp-4m6f-gcjg - github.com/advisories/GHSA-v6wp-4m6f-gcjg
Software Advisories
| Advisory ID | Software | Component | Link |
|---|---|---|---|
| GHSA-v6wp-4m6f-gcjg | aiohttp | | github.com/advisories/GHSA-v6wp-4m6f-gcjg |