CVE-2023-49082
Denial of Service (DoS) vulnerability in aiohttp (PyPI)
What is CVE-2023-49082 About?
This vulnerability in the vektah gqlparser open-source library allows a remote attacker to trigger a Denial of Service. It is triggered by a crafted script directed at the 'parseDirectives' function and, if exploited, can render the service unavailable. The ease of exploitation depends on how hard the specific script is to craft.
Affected Software
- aiohttp, versions before commit e4ae01c2077d2cfa116aa82e4ff6866857f7c466
- aiohttp, versions before 3.9.0
Technical Details
The vulnerability is a Denial of Service (DoS) within the 'vektah gqlparser' open-source library. Specifically, a remote attacker can send a specially crafted script or input to the 'parseDirectives' function. This crafted input likely causes an inefficient processing loop, excessive resource consumption (CPU, memory), or an unhandled exception, leaving the application unresponsive or crashed. The attack vector is remote, via whatever exposed interface of the application calls the vulnerable 'parseDirectives' function.
What is the Impact of CVE-2023-49082?
Successful exploitation may allow attackers to disrupt service availability, cause performance degradation, or lead to system instability.
What is the Exploitability of CVE-2023-49082?
Exploitation involves sending a specially crafted input to the 'parseDirectives' function. The complexity is moderate, requiring knowledge of the library's input parsing mechanisms. No authentication is typically required, as DoS attacks often target publicly accessible services, and privilege requirements are low. This is a remote vulnerability; the attacker does not need local access. The primary risk factors are external exposure of the vulnerable 'parseDirectives' function and a lack of robust input validation.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | - | - |
What are the Available Fixes for CVE-2023-49082?
About the Fix from Resolved Security
Available Upgrade Options
- aiohttp, versions before commit e4ae01c2077d2cfa116aa82e4ff6866857f7c466 → upgrade to commit e4ae01c2077d2cfa116aa82e4ff6866857f7c466
- aiohttp, versions before 3.9.0 → upgrade to 3.9.0
Additional Resources
- https://github.com/aio-libs/aiohttp
- https://github.com/aio-libs/aiohttp/pull/7806/files
- https://github.com/aio-libs/aiohttp/commit/e4ae01c2077d2cfa116aa82e4ff6866857f7c466
- https://gist.github.com/jnovikov/7f411ae9fe6a9a7804cf162a3bdbb44b
- https://nvd.nist.gov/vuln/detail/CVE-2023-49082
- https://github.com/aio-libs/aiohttp/security/advisories/GHSA-qvrw-v9rv-5rjx
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TY5SI6NK5243DEEDQUFKQKW5GQNKQUMA
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WSYWMP64ZFCTC3VO6RY6EC6VSSMV6I3A
- https://osv.dev/vulnerability/GHSA-qvrw-v9rv-5rjx
What are Similar Vulnerabilities to CVE-2023-49082?
Similar Vulnerabilities: CVE-2023-46765, CVE-2023-46764, CVE-2023-46763, CVE-2023-46762, CVE-2023-46761
