CVE-2023-47627
Request Smuggling vulnerability in aiohttp (PyPI)

Tags: Request Smuggling | No known exploit | Fixable by Resolved Security

What is CVE-2023-47627 About?

The pure-Python HTTP parser in aiohttp has numerous header-parsing problems that can lead to request smuggling. That parser is used only when `AIOHTTP_NO_EXTENSIONS` is enabled (or when aiohttp is installed without its compiled C extension, i.e. not from a prebuilt wheel), so installations running the default compiled parser are not affected. An attacker can craft HTTP requests that aiohttp and an upstream component frame differently, and use that disagreement to bypass security controls or reach content that should be inaccessible. Exploitation is complex and requires carefully crafted requests.

Affected Software

  • aiohttp
    • <3.8.6
    • <d5c12ba890557a575c313bb3017910d7616fce3d

Technical Details

The pure-Python aiohttp HTTP parser, used when AIOHTTP_NO_EXTENSIONS is enabled, has three header-parsing flaws that together facilitate request smuggling:

  1. Bad parsing of Content-Length values. The parser converts the value with Python's int(), which accepts a leading + or -, underscores between digits, and surrounding whitespace. RFC 9110 defines Content-Length as a plain run of digits (1*DIGIT), so a value such as Content-Length: -0 is accepted as 0 instead of being rejected, and aiohttp can disagree with an upstream proxy about the length of the request body.
  2. Improper handling of NUL, CR, and LF in header values. RFC 9110 requires a recipient to either reject a field value containing these bytes or replace each of them with a space; the parser does neither, so an attacker can inject them into header values.
  3. Improper stripping of whitespace before the colon in a header line. RFC 9112 requires a server to reject, with 400 Bad Request, any request that has whitespace between a field name and its colon; the parser strips the whitespace instead, so Content-Length : 1 is treated as a valid Content-Length header.
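The three flaws beside a strict alternative, as an added example that is not aiohttp's code: permissive_content_length reproduces what int() does with the values named above, while parse_header_line and strict_verdict are a hypothetical RFC-conformant validator that rejects each malformed shape instead of normalising it. The function names are mine and the sample header lines are constructed, not captured traffic.

```python
import re

# RFC 9110 s5.6.2: field names are tokens.
_TOKEN = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
# RFC 9110 s8.6: Content-Length = 1*DIGIT. No sign, no '_', no whitespace.
_DIGITS = re.compile(rb"^[0-9]+$")
# RFC 9110 s5.5: these bytes must not appear in a field value.
_FORBIDDEN_IN_VALUE = frozenset(b"\x00\r\n")


def permissive_content_length(value: bytes) -> int:
    """Flaw 1 as described above: Python's int() is not an RFC 9110 parser.
    It accepts a sign ('-0', '+7') and '_' between digits ('1_0'), values a
    front-end proxy may reject or read differently, which is exactly the
    disagreement request smuggling depends on."""
    return int(value)


def strict_content_length(value: bytes) -> int:
    """Hardened form: only a run of ASCII digits is a Content-Length."""
    if not _DIGITS.match(value):
        raise ValueError(f"invalid Content-Length value: {value!r}")
    return int(value)


def parse_header_line(line: bytes) -> tuple[bytes, bytes]:
    """Split one field line into (lowercased name, value), rejecting the
    malformed shapes from flaws 2 and 3 instead of quietly normalising them."""
    name, sep, value = line.partition(b":")
    if not sep:
        raise ValueError(f"no ':' in field line: {line!r}")
    # Flaw 3: RFC 9112 s5.1 makes whitespace between name and ':' a 400,
    # not something to strip, so compare before stripping.
    if name != name.rstrip(b" \t"):
        raise ValueError(f"whitespace before ':' in field line: {line!r}")
    if not _TOKEN.match(name):
        raise ValueError(f"invalid field name: {name!r}")
    # Optional whitespace around the value is legitimately trimmed.
    value = value.strip(b" \t")
    # Flaw 2: NUL, CR, LF inside the value must be rejected or replaced with
    # SP; rejecting is the safer choice behind a proxy.
    if _FORBIDDEN_IN_VALUE.intersection(value):
        raise ValueError(f"NUL/CR/LF in field value: {value!r}")
    return name.lower(), value


def strict_verdict(line: bytes) -> str:
    """Run one field line through the strict checks and report
    'accepted' or 'rejected: <reason>'."""
    try:
        name, value = parse_header_line(line)
        if name == b"content-length":
            strict_content_length(value)
    except ValueError as exc:
        return f"rejected: {exc}"
    return "accepted"


# Constructed sample lines covering each flaw (not captured traffic).
SAMPLE_LINES = [
    b"Content-Length: 42",       # well-formed
    b"Content-Length: -0",       # flaw 1: int() says 0
    b"Content-Length: 1_0",      # flaw 1: int() says 10
    b"Content-Length : 1",       # flaw 3: space before colon
    b"X-Trace: abc\x00def",      # flaw 2: NUL in value
    b"X-Trace: abc\rdef",        # flaw 2: bare CR in value
]

if __name__ == "__main__":
    for raw in SAMPLE_LINES:
        print(f"{raw!r:32} -> {strict_verdict(raw)}")
```

Rejecting rather than normalising matters because a front-end proxy that follows the RFCs will either refuse these requests or frame them differently; a back-end that silently "repairs" them is the half of the pair that lets a smuggled request through.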

What is the Impact of CVE-2023-47627?

Successful exploitation may allow an attacker to bypass security controls enforced in front of the application, reach resources that should be inaccessible, poison shared caches, and carry out other attacks against downstream clients.

What is the Exploitability of CVE-2023-47627?

Exploitation is high complexity: it requires an in-depth understanding of HTTP/1.1 framing and of how aiohttp's pure-Python parser reads headers, and the malformed requests must be crafted so that aiohttp and a front-end component interpret them differently. No authentication and no special privileges are needed; the vulnerability is remotely reachable by anyone who can send HTTP requests to the server. A crucial prerequisite is that the pure-Python parser must be in use, which is the case only when AIOHTTP_NO_EXTENSIONS is set or aiohttp was installed without its compiled extension (for example from source rather than a prebuilt wheel). The risk is considerably higher when aiohttp sits behind a proxy or load balancer, because request smuggling relies on the two parsers disagreeing about where one request ends and the next begins.
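A check for that prerequisite, as an added example that is not part of aiohttp: it reports whether the installed aiohttp resolves HttpRequestParser to the compiled extension module (aiohttp._http_parser) or to the pure-Python module (aiohttp.http_parser), alongside the AIOHTTP_NO_EXTENSIONS environment flag and the installed version. The module and class names are aiohttp's; the function names here are mine.

```python
import importlib
import os

C_PARSER_MODULE = "aiohttp._http_parser"   # compiled (llhttp-backed) parser
PY_PARSER_MODULE = "aiohttp.http_parser"   # pure-Python parser from the advisory


def parser_flavor_from_module(module_name: str) -> str:
    """Map the module that defines aiohttp's HttpRequestParser class to the
    parser actually in use. Pure function, so it is checkable without aiohttp."""
    if module_name == C_PARSER_MODULE:
        return "c"
    if module_name == PY_PARSER_MODULE:
        return "python"
    return "unknown"


def installed_parser_flavor() -> str:
    """Import aiohttp's http_parser module and report which implementation
    HttpRequestParser resolves to; 'not installed' when aiohttp is absent.
    Run this inside the same interpreter and virtualenv the service uses:
    the choice is made at import time from the environment and from whether
    the extension was built for this install."""
    try:
        http_parser = importlib.import_module(PY_PARSER_MODULE)
    except ImportError:
        return "not installed"
    return parser_flavor_from_module(http_parser.HttpRequestParser.__module__)


def exposure_report() -> dict[str, str]:
    """Combine the parser flavor with the environment flag and version."""
    try:
        version = importlib.import_module("aiohttp").__version__
    except ImportError:
        version = "<not installed>"
    return {
        "aiohttp_version": version,
        "AIOHTTP_NO_EXTENSIONS": os.environ.get("AIOHTTP_NO_EXTENSIONS", "<unset>"),
        "parser": installed_parser_flavor(),
    }


if __name__ == "__main__":
    report = exposure_report()
    for key, value in report.items():
        print(f"{key}: {value}")
    if report["parser"] == "python":
        print("pure-Python parser in use: affected by CVE-2023-47627 on versions below 3.8.6")
```

A "c" result means the compiled parser is wired up and this advisory does not apply regardless of version; "python" means the affected code path is live and the version check decides.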

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2023-47627?

A Fix by Resolved Security Exists!
Learn how we backport CVE fixes to your open-source libraries effortlessly.

About the Fix from Resolved Security

None

Available Upgrade Options

  • aiohttp
    • <d5c12ba890557a575c313bb3017910d7616fce3d → Upgrade to d5c12ba890557a575c313bb3017910d7616fce3d
  • aiohttp
    • <3.8.6 → Upgrade to 3.8.6


Additional Resources

What are Similar Vulnerabilities to CVE-2023-47627?

Similar Vulnerabilities: CVE-2023-44487, CVE-2023-38546, CVE-2023-29491, CVE-2022-38690, CVE-2021-33190