{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-52304", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-11-06T19:00:26.396Z", "datePublished": "2024-11-18T20:12:48.612Z", "dateUpdated": "2024-11-21T14:07:39.914Z"}, "containers": {"cna": {"title": "aiohttp vulnerable to request smuggling due to incorrect parsing of chunk extensions", "problemTypes": [{"descriptions": [{"cweId": "CWE-444", "lang": "en", "description": "CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 6.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/aio-libs/aiohttp/security/advisories/GHSA-8495-4g3g-x7pr", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/aio-libs/aiohttp/security/advisories/GHSA-8495-4g3g-x7pr"}, {"name": "https://github.com/aio-libs/aiohttp/commit/259edc369075de63e6f3a4eaade058c62af0df71", "tags": ["x_refsource_MISC"], "url": "https://github.com/aio-libs/aiohttp/commit/259edc369075de63e6f3a4eaade058c62af0df71"}], "affected": [{"vendor": "aio-libs", "product": "aiohttp", "versions": [{"version": "< 3.10.11", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-11-18T20:12:48.612Z"}, "descriptions": [{"lang": "en", "value": "aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.10.11, the Python parser parses newlines in chunk extensions incorrectly which can lead to request smuggling vulnerabilities under certain conditions. If a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or `AIOHTTP_NO_EXTENSIONS` is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections. Version 3.10.11 fixes the issue."}], "source": {"advisory": "GHSA-8495-4g3g-x7pr", "discovery": "UNKNOWN"}}, "adp": [{"affected": [{"vendor": "python", "product": "aiohttp", "cpes": ["cpe:2.3:a:python:aiohttp:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "3.10.11", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-11-19T15:38:44.530052Z", "id": "CVE-2024-52304", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-21T14:07:39.914Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-52304", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-11-19T15:38:44.530052Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:python:aiohttp:*:*:*:*:*:*:*:*"], "vendor": "python", "product": "aiohttp", "versions": [{"status": "affected", "version": "0", "lessThan": "3.10.11", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-19T15:38:37.921Z"}}], "cna": {"title": "aiohttp vulnerable to request smuggling due to incorrect parsing of chunk extensions", "source": {"advisory": "GHSA-8495-4g3g-x7pr", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "aio-libs", "product": "aiohttp", "versions": [{"status": "affected", "version": "< 3.10.11"}]}], "references": [{"url": "https://github.com/aio-libs/aiohttp/security/advisories/GHSA-8495-4g3g-x7pr", "name": "https://github.com/aio-libs/aiohttp/security/advisories/GHSA-8495-4g3g-x7pr", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/aio-libs/aiohttp/commit/259edc369075de63e6f3a4eaade058c62af0df71", "name": "https://github.com/aio-libs/aiohttp/commit/259edc369075de63e6f3a4eaade058c62af0df71", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.10.11, the Python parser parses newlines in chunk extensions incorrectly which can lead to request smuggling vulnerabilities under certain conditions. If a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or `AIOHTTP_NO_EXTENSIONS` is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections. Version 3.10.11 fixes the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-444", "description": "CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-11-18T20:12:48.612Z"}}}, "cveMetadata": {"cveId": "CVE-2024-52304", "state": "PUBLISHED", "dateUpdated": "2024-11-21T14:07:39.914Z", "dateReserved": "2024-11-06T19:00:26.396Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-11-18T20:12:48.612Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"descriptions": [{"lang": "en", "value": "aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.10.11, the Python parser parses newlines in chunk extensions incorrectly which can lead to request smuggling vulnerabilities under certain conditions. If a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or `AIOHTTP_NO_EXTENSIONS` is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections. Version 3.10.11 fixes the issue."}, {"lang": "es", "value": "aiohttp es un framework de trabajo de cliente/servidor HTTP asincr\u00f3nico para asyncio y Python. Antes de la versi\u00f3n 3.10.11, el analizador de Python analiza incorrectamente las nuevas l\u00edneas en las extensiones de fragmentos, lo que puede provocar vulnerabilidades de contrabando de solicitudes en determinadas condiciones. Si se instala una versi\u00f3n Python pura de aiohttp (es decir, sin las extensiones C habituales) o se habilita `AIOHTTP_NO_EXTENSIONS`, un atacante puede ejecutar un ataque de contrabando de solicitudes para eludir determinados cortafuegos o protecciones de proxy. La versi\u00f3n 3.10.11 soluciona el problema."}], "id": "CVE-2024-52304", "lastModified": "2024-11-21T14:15:17.813", "metrics": {"cvssMetricV40": [{"cvssData": {"attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "automatable": "NOT_DEFINED", "availabilityRequirements": "NOT_DEFINED", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityRequirements": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirements": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubsequentSystemAvailability": "NOT_DEFINED", "modifiedSubsequentSystemConfidentiality": "NOT_DEFINED", "modifiedSubsequentSystemIntegrity": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnerableSystemAvailability": "NOT_DEFINED", "modifiedVulnerableSystemConfidentiality": "NOT_DEFINED", "modifiedVulnerableSystemIntegrity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "recovery": "NOT_DEFINED", "safety": "NOT_DEFINED", "subsequentSystemAvailability": "NONE", "subsequentSystemConfidentiality": "NONE", "subsequentSystemIntegrity": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnerabilityResponseEffort": "NOT_DEFINED", "vulnerableSystemAvailability": "NONE", "vulnerableSystemConfidentiality": "NONE", "vulnerableSystemIntegrity": "LOW"}, "source": "[email protected]", "type": "Secondary"}]}, "published": "2024-11-18T21:15:06.500", "references": [{"source": "[email protected]", "url": "https://github.com/aio-libs/aiohttp/commit/259edc369075de63e6f3a4eaade058c62af0df71"}, {"source": "[email protected]", "url": "https://github.com/aio-libs/aiohttp/security/advisories/GHSA-8495-4g3g-x7pr"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-444"}], "source": "[email protected]", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2024:10766", "cpe": "cpe:/a:redhat:ansible_automation_platform:2.5::el8", "package": "automation-controller-0:4.6.3-1.el8ap", "product_name": "Red Hat Ansible Automation Platform 2.5 for RHEL 8", "release_date": "2024-12-03T00:00:00Z"}, {"advisory": "RHSA-2024:10766", "cpe": "cpe:/a:redhat:ansible_automation_platform:2.5::el9", "package": "automation-controller-0:4.6.3-1.el9ap", "product_name": "Red Hat Ansible Automation Platform 2.5 for RHEL 9", "release_date": "2024-12-03T00:00:00Z"}, {"advisory": "RHSA-2024:11574", "cpe": "cpe:/a:redhat:satellite:6.16::el8", "package": "python-aiohttp-0:3.10.11-1.el8pc", "product_name": "Red Hat Satellite 6.16 for RHEL 8", "release_date": "2024-12-19T00:00:00Z"}, {"advisory": "RHSA-2024:11574", "cpe": "cpe:/a:redhat:satellite_capsule:6.16::el8", "package": "python-aiohttp-0:3.10.11-1.el8pc", "product_name": "Red Hat Satellite 6.16 for RHEL 8", "release_date": "2024-12-19T00:00:00Z"}, {"advisory": "RHSA-2024:11574", "cpe": "cpe:/a:redhat:satellite:6.16::el9", "package": "python-aiohttp-0:3.10.11-1.el9pc", "product_name": "Red Hat Satellite 6.16 for RHEL 9", "release_date": "2024-12-19T00:00:00Z"}, {"advisory": "RHSA-2024:11574", "cpe": "cpe:/a:redhat:satellite_capsule:6.16::el9", "package": "python-aiohttp-0:3.10.11-1.el9pc", "product_name": "Red Hat Satellite 6.16 for RHEL 9", "release_date": "2024-12-19T00:00:00Z"}], "bugzilla": {"description": "aiohttp: aiohttp vulnerable to request smuggling due to incorrect parsing of chunk extensions", "id": "2327130", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2327130"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.9", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "status": "verified"}, "cwe": "CWE-444", "details": ["aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.10.11, the Python parser parses newlines in chunk extensions incorrectly which can lead to request smuggling vulnerabilities under certain conditions. If a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or `AIOHTTP_NO_EXTENSIONS` is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections. Version 3.10.11 fixes the issue.", "A flaw was found in the aiohttp package. The Python parser parses newlines in chunk extensions incorrectly, which can lead to request smuggling vulnerabilities under certain conditions. If a pure Python version of aiohttp is installed, for example, without the usual C extensions, or `AIOHTTP_NO_EXTENSIONS` is enabled, an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections."], "name": "CVE-2024-52304", "package_state": [{"cpe": "cpe:/a:redhat:openshift_lightspeed:0.2", "fix_state": "Affected", "package_name": "openshift-lightspeed-tech-preview/lightspeed-service-api-rhel9", "product_name": "OpenShift Lightspeed"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Affected", "package_name": "aap-cloud-metrics-collector-container", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Affected", "package_name": "ansible-automation-platform-24/de-supported-rhel8", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Affected", "package_name": "ansible-automation-platform-24/ee-dellemc-openmanage-rhel8", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Affected", "package_name": "ansible-automation-platform-24/lightspeed-rhel8", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Affected", "package_name": "ansible-automation-platform-24/platform-resource-runner-rhel8", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Affected", "package_name": "ansible-automation-platform-25/ansible-dev-tools-rhel8", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Affected", "package_name": "python-aiohttp", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:1", "fix_state": "Affected", "package_name": "rhelai1/bootc-amd-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI)"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:1", "fix_state": "Affected", "package_name": "rhelai1/bootc-azure-nvidia-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI)"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:1", "fix_state": "Affected", "package_name": "rhelai1/bootc-nvidia-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI)"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:1", "fix_state": "Affected", "package_name": "rhelai1/instructlab-amd-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI)"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:1", "fix_state": "Affected", "package_name": "rhelai1/instructlab-nvidia-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI)"}, {"cpe": "cpe:/a:redhat:rhui:4::el8", "fix_state": "Affected", "package_name": "python-aiohttp", "product_name": "Red Hat Update Infrastructure 4 for Cloud Providers"}], "public_date": "2024-11-18T20:12:48Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-52304\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-52304\nhttps://github.com/aio-libs/aiohttp/commit/259edc369075de63e6f3a4eaade058c62af0df71\nhttps://github.com/aio-libs/aiohttp/security/advisories/GHSA-8495-4g3g-x7pr"], "threat_severity": "Moderate"}