CVE-2023-49081
CRLF Injection vulnerability in aiohttp (PyPI)

CRLF Injection | No known exploit | Fixable by Resolved Security

What is CVE-2023-49081 About?

This vulnerability is a CRLF Injection in the aiohttp client that can lead to HTTP Request Smuggling. It occurs when an attacker controls the HTTP version passed to a request and can supply it as a sequence (a list or tuple of strings) rather than a string. Because the version is copied into the request line without validation, the attacker can insert CR and LF characters and thereby modify the outgoing HTTP request or append a completely new one. The impact is high, but the preconditions are specific: the attacker must control both the value and the type of the version parameter, so exploitation is of moderate complexity for an attacker who meets them.

Affected Software

aiohttp <3.9.0

Technical Details

The vulnerability arises from improper validation in aiohttp's client request handling, specifically around the HTTP version parameter and the Connection header. A version given as a string is parsed into numeric major and minor components, but a sequence (such as a list or tuple) is accepted as-is and its two elements are interpolated directly into the request line as "HTTP/{major}.{minor}". If an attacker controls the version, including its type, the string parsing is bypassed and any Carriage Return (CR) and Line Feed (LF) characters in those elements end up verbatim in the request. The attacker can then modify existing headers, inject new ones, or terminate the current request and start a second, entirely different request on the same connection, which is HTTP Request Smuggling. For the attack to work, the Connection header must also be passed explicitly in the headers parameter: otherwise the library's own keep-alive logic compares the (non-numeric) version value against its built-in versions and fails before the request is serialized.

What is the Impact of CVE-2023-49081?

Successful exploitation allows an attacker to manipulate HTTP requests sent by the affected client: injecting or overriding headers, bypassing security controls applied to the original request, smuggling a second request to the upstream server, and poisoning web caches. Depending on the deployment, smuggled requests can also be leveraged for further attacks such as cross-site scripting (XSS) and other cache-based attacks.

What is the Exploitability of CVE-2023-49081?

Exploitation requires specific conditions: the attacker must control the HTTP version of the request, including its type (a sequence rather than a string), and the Connection header must be passed explicitly in the headers parameter. No authentication is required by the library itself, and the attack is remote in the sense that the injected request travels to whatever server the client talks to. The complexity is moderate, since it relies on an application that forwards untrusted input into the version parameter without type checking. The likelihood of exploitation rises wherever user input reaches the version parameter without being validated as a string of the form MAJOR.MINOR (or an HttpVersion of integers); applying that check before calling the library is also the recommended workaround if upgrading is not immediately possible.
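To make the Technical Details and the exploitability conditions above concrete, the following is an added, self-contained model written for this page; it is not aiohttp's code and does not import aiohttp. It reproduces the two behaviours that matter: a request serializer that interpolates the version tuple by index without a type check (the pre-3.9.0 behaviour), including a keep-alive decision that compares the version against HttpVersion10 and therefore fails on a tuple of strings unless Connection is supplied, and a hardened version check of the kind an application should apply before handing user input to the library. The attacker payload, header names and the count_request_heads helper are constructed for the example.

```python
import re
from collections import namedtuple

# Minimal stand-in for aiohttp's HttpVersion (a (major, minor) tuple).
HttpVersion = namedtuple("HttpVersion", ["major", "minor"])
HttpVersion10 = HttpVersion(1, 0)
HttpVersion11 = HttpVersion(1, 1)


def build_request_legacy(method, path, version, headers):
    """Model of the pre-3.9.0 client behaviour (not aiohttp's own code).

    The version is interpolated by index with no type check, so any
    2-sequence of strings is accepted verbatim. If no Connection header
    was supplied, the client decides keep-alive by comparing the version
    against HttpVersion10; for a tuple of str that raises TypeError, which
    is why the attack needs Connection to be passed explicitly.
    """
    headers = dict(headers)
    if "Connection" not in headers:
        headers["Connection"] = "close" if version < HttpVersion10 else "keep-alive"
    head = "{0} {1} HTTP/{2[0]}.{2[1]}\r\n".format(method, path, version)
    for name, value in headers.items():
        head += f"{name}: {value}\r\n"
    return head + "\r\n"


def count_request_heads(raw):
    """How many request heads a lenient HTTP parser would find in the bytes."""
    return len([h for h in raw.split("\r\n\r\n") if h])


def validate_version(version):
    """Hardened normalization to apply before user input reaches the library.

    Accepts only 'MAJOR.MINOR' digit strings or an HttpVersion whose fields
    are ints; everything else, including lists/tuples of strings carrying
    CR or LF, is rejected. (re.fullmatch is used rather than '$' so that a
    trailing newline cannot slip past the pattern.)
    """
    if isinstance(version, str):
        if re.fullmatch(r"[0-9]+\.[0-9]+", version) is None:
            raise ValueError(f"malformed HTTP version: {version!r}")
        major, minor = version.split(".", 1)
        return HttpVersion(int(major), int(minor))
    if (isinstance(version, HttpVersion)
            and type(version.major) is int and type(version.minor) is int):
        return version
    raise ValueError(
        f"HTTP version must be a str or HttpVersion, got {type(version).__name__}")


def build_request_hardened(method, path, version, headers):
    """Same serializer, but the version is validated first."""
    return build_request_legacy(method, path, validate_version(version), headers)


# Constructed attacker input: a 2-tuple of str that closes the request line,
# injects a header, terminates the request and starts a second one.
SMUGGLED_VERSION = (
    "1",
    "1\r\nX-Injected: yes\r\n\r\nGET /admin HTTP/1.1\r\nHost: victim.example",
)
# Constructed legitimate headers; Connection is present, as the attack requires.
LEGIT_HEADERS = {"Host": "example.test", "Connection": "keep-alive"}


if __name__ == "__main__":
    bad = build_request_legacy("GET", "/", SMUGGLED_VERSION, LEGIT_HEADERS)
    print(bad.encode())
    print("request heads on the wire:", count_request_heads(bad))
    try:
        build_request_hardened("GET", "/", SMUGGLED_VERSION, LEGIT_HEADERS)
    except ValueError as exc:
        print("hardened client rejected it:", exc)
```

Running the block shows two request heads on the wire from a single client call, and the same payload rejected by validate_version before any bytes are built. Dropping Connection from LEGIT_HEADERS makes the legacy path raise TypeError in the version comparison instead, which is the reason the advisory lists the Connection header as a precondition.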

What are the Known Public Exploits?

No known public exploits.

What are the Available Fixes for CVE-2023-49081?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

None

Available Upgrade Options

  • aiohttp
    • <3.9.0 → Upgrade to 3.9.0


Additional Resources

What are Similar Vulnerabilities to CVE-2023-49081?

Similar Vulnerabilities: CVE-2020-13936, CVE-2021-33190, CVE-2022-24345, CVE-2023-38848, CVE-2024-21332