CVE-2024-21503
Improper Validation vulnerability in black (PyPI)

What is CVE-2024-21503 About?

This vulnerability in aiohttp, an asynchronous HTTP client/server framework for asyncio and Python, arises from improper validation. It allows an attacker to modify or create HTTP requests (e.g., insert headers, smuggle requests) if they can control the HTTP method or version. Exploitation is conditional on attacker control over specific request fields.

Affected Software

  • black
    • <24.3.0
    • <f00093672628d212b8965a8993cee8bedf5fe9b8

Technical Details

The vulnerability in aiohttp stems from a lack of strict validation in how the framework processes HTTP requests, specifically concerning the HTTP method and version fields. If an attacker gains control over the HTTP method field, they can inject arbitrary data or additional headers, effectively modifying the request's intent. More critically, if the attacker can control the HTTP version field, this improper validation can lead to HTTP Request Smuggling. This occurs when the front-end (or proxy) and back-end servers interpret the request differently, allowing an attacker to 'smuggle' a new, unauthenticated request within a legitimate one. This is because aiohttp's parser incorrectly handles malformed or manipulated method/version fields, leading to misinterpretation of the request boundaries or content.
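The validation gap described above is easiest to see next to the check that closes it. The following is an added example written for this page, not aiohttp's or black's own parser: it enforces the request-line grammar from RFC 9110 (method is a token of `tchar` characters) and RFC 9112 (version is `HTTP/` DIGIT `.` DIGIT) before a method or version value is allowed into an outgoing request line. The function names and the sample inputs are constructed for illustration.

```python
"""Strict validation of the HTTP method and version fields of a request line.

Example code for this page (not aiohttp's or black's code). The grammar it
enforces is assumed to follow RFC 9110 (method = token) and RFC 9112
(HTTP-version = "HTTP/" DIGIT "." DIGIT). Any value containing whitespace,
CR or LF is rejected, which is what stops header insertion and the
request-boundary confusion that leads to request smuggling.
"""
import re

# RFC 9110 tchar: visible ASCII minus delimiters; no whitespace, no CR/LF.
_METHOD_RE = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
# RFC 9112 HTTP-version: exactly "HTTP/" digit "." digit.
_VERSION_RE = re.compile(r"HTTP/[0-9]\.[0-9]")


class InvalidRequestField(ValueError):
    """Raised when a method, target or version field fails strict validation."""


def validate_method(method: str) -> str:
    """Return the method unchanged if it is a valid token, else raise."""
    if not _METHOD_RE.fullmatch(method):
        raise InvalidRequestField(f"invalid HTTP method: {method!r}")
    return method


def validate_version(version: str) -> str:
    """Return the version unchanged if it is well-formed, else raise."""
    if not _VERSION_RE.fullmatch(version):
        raise InvalidRequestField(f"invalid HTTP version: {version!r}")
    return version


def build_request_line(method: str, target: str, version: str = "HTTP/1.1") -> str:
    """Assemble a request line only from validated pieces.

    The lenient variant of this function (the flaw class the advisory
    describes) would be a bare f"{method} {target} {version}\\r\\n" with no
    checks, so a CR/LF embedded in method or version would become extra
    headers or a second request line in the output.
    """
    if any(c in target for c in " \t\r\n"):
        raise InvalidRequestField(f"invalid request target: {target!r}")
    return f"{validate_method(method)} {target} {validate_version(version)}\r\n"


def is_safe_request_line(method: str, target: str, version: str = "HTTP/1.1") -> bool:
    """Boolean form of build_request_line for callers that only need a verdict."""
    try:
        build_request_line(method, target, version)
    except InvalidRequestField:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate, the rest carrying
    # whitespace or CR/LF in an attacker-influenced field.
    samples = [
        ("GET", "/index.html", "HTTP/1.1"),
        ("GET\r\nX-Injected: 1", "/", "HTTP/1.1"),
        ("GET", "/", "HTTP/1.1\r\nTransfer-Encoding: chunked"),
        ("GET", "/", "HTTP/11"),
        ("GET /", "/", "HTTP/1.1"),
    ]
    for m, t, v in samples:
        verdict = "ok" if is_safe_request_line(m, t, v) else "rejected"
        print(f"{(m, t, v)!r}: {verdict}")
```

Only the first sample passes; every other one is rejected before it can reach the wire, which is the behaviour a client library needs whenever the method or version value originates outside its own code.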

What is the Impact of CVE-2024-21503?

Successful exploitation may allow attackers to bypass security controls, gain unauthorized access to resources, perform cache poisoning, or compromise other users' sessions through request smuggling.

What is the Exploitability of CVE-2024-21503?

Exploitation complexity is moderate to high, as it requires the attacker to control specific parts of the HTTP request, namely the HTTP method or version. No authentication or specific privileges are required on the server side to trigger this, as it's an input validation flaw. The attack is remote, involving crafting and sending malformed HTTP requests. A key constraint is the prerequisite of controlling the HTTP method or version, which might imply a previous compromise or a specific network configuration. The likelihood of exploitation increases in applications that construct HTTP requests dynamically based on user input or operate in environments with multiple proxies (front-end/back-end architecture).

What are the Known Public Exploits?

No known public exploits.

What are the Available Fixes for CVE-2024-21503?

Available Upgrade Options

  • black
    • <24.3.0 → Upgrade to 24.3.0
    • <f00093672628d212b8965a8993cee8bedf5fe9b8 → Upgrade to f00093672628d212b8965a8993cee8bedf5fe9b8

Additional Resources

What are Similar Vulnerabilities to CVE-2024-21503?

Similar Vulnerabilities: CVE-2023-44487, CVE-2023-43644, CVE-2023-37902, CVE-2022-41407, CVE-2022-38708