pepelyaevip/vuln-list-alt
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
vuln-list-alt/oval/p11/ALT-PU-2024-6120/definitions.json
pepelyaevip 9d72b75f75 ALT Vulnerability
2024-12-12 21:07:30 +00:00

154 lines
7.2 KiB
JSON
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

{
"Definition": [
{
"ID": "oval:org.altlinux.errata:def:20246120",
"Version": "oval:org.altlinux.errata:def:20246120",
"Class": "patch",
"Metadata": {
"Title": "ALT-PU-2024-6120: package `python3-module-aiohttp` update to version 3.9.1-alt1",
"AffectedList": [
{
"Family": "unix",
"Platforms": [
"ALT Linux branch p11"
],
"Products": [
"ALT Container"
]
}
],
"References": [
{
"RefID": "ALT-PU-2024-6120",
"RefURL": "https://errata.altlinux.org/ALT-PU-2024-6120",
"Source": "ALTPU"
},
{
"RefID": "BDU:2023-08273",
"RefURL": "https://bdu.fstec.ru/vul/2023-08273",
"Source": "BDU"
},
{
"RefID": "BDU:2023-08455",
"RefURL": "https://bdu.fstec.ru/vul/2023-08455",
"Source": "BDU"
},
{
"RefID": "BDU:2024-02173",
"RefURL": "https://bdu.fstec.ru/vul/2024-02173",
"Source": "BDU"
},
{
"RefID": "CVE-2023-47627",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2023-47627",
"Source": "CVE"
},
{
"RefID": "CVE-2023-49081",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2023-49081",
"Source": "CVE"
},
{
"RefID": "CVE-2023-49082",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2023-49082",
"Source": "CVE"
}
],
"Description": "This update upgrades python3-module-aiohttp to version 3.9.1-alt1. \nSecurity Fix(es):\n\n * BDU:2023-08273: Уязвимость HTTP-клиента aiohttp, связанная с непринятием мер по нейтрализации последовательностей CRLF, позволяющая нарушителю отправить скрытый HTTP-запрос (атака типа HTTP Request Smuggling)\n\n * BDU:2023-08455: Уязвимость HTTP-клиента aiohttp, существующая из-за недостаточной проверки входных данных, позволяющая нарушителю изменить HTTP-запрос или создать новый HTTP-запрос\n\n * BDU:2024-02173: Уязвимость HTTP-клиента aiohttp, связанная с недостатками обработки заголовков HTTP-запросов, позволяющая нарушителю отправить скрытый HTTP-запрос (атака типа HTTP Request Smuggling)\n\n * CVE-2023-47627: aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. The HTTP parser in AIOHTTP has numerous problems with header parsing, which could lead to request smuggling. This parser is only used when AIOHTTP_NO_EXTENSIONS is enabled (or not using a prebuilt wheel). These bugs have been addressed in commit `d5c12ba89` which has been included in release version 3.8.6. Users are advised to upgrade. There are no known workarounds for these issues.\n\n * CVE-2023-49081: aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Improper validation made it possible for an attacker to modify the HTTP request (e.g. to insert a new header) or create a new HTTP request if the attacker controls the HTTP version. The vulnerability only occurs if the attacker can control the HTTP version of the request. This issue has been patched in version 3.9.0.\n\n * CVE-2023-49082: aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Improper validation makes it possible for an attacker to modify the HTTP request (e.g. insert a new header) or even create a new HTTP request if the attacker controls the HTTP method. The vulnerability occurs only if the attacker can control the HTTP method (GET, POST etc.) of the request. If the attacker can control the HTTP version of the request it will be able to modify the request (request smuggling). This issue has been patched in version 3.9.0.",
"Advisory": {
"From": "errata.altlinux.org",
"Severity": "High",
"Rights": "Copyright 2024 BaseALT Ltd.",
"Issued": {
"Date": "2024-04-08"
},
"Updated": {
"Date": "2024-04-08"
},
"BDUs": [
{
"ID": "BDU:2023-08273",
"CVSS": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"CVSS3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"CWE": "CWE-20, CWE-93, CWE-444",
"Href": "https://bdu.fstec.ru/vul/2023-08273",
"Impact": "Low",
"Public": "20231029"
},
{
"ID": "BDU:2023-08455",
"CVSS": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
"CVSS3": "AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
"CWE": "CWE-20",
"Href": "https://bdu.fstec.ru/vul/2023-08455",
"Impact": "High",
"Public": "20231126"
},
{
"ID": "BDU:2024-02173",
"CVSS": "AV:N/AC:L/Au:N/C:N/I:C/A:N",
"CVSS3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"CWE": "CWE-444",
"Href": "https://bdu.fstec.ru/vul/2024-02173",
"Impact": "High",
"Public": "20231006"
}
],
"CVEs": [
{
"ID": "CVE-2023-47627",
"CVSS3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2023-47627",
"Impact": "High",
"Public": "20231114"
},
{
"ID": "CVE-2023-49081",
"CVSS3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"CWE": "NVD-CWE-Other",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2023-49081",
"Impact": "Low",
"Public": "20231130"
},
{
"ID": "CVE-2023-49082",
"CVSS3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2023-49082",
"Impact": "Low",
"Public": "20231129"
}
],
"AffectedCPEs": {
"CPEs": [
"cpe:/o:alt:container:11"
]
}
}
},
"Criteria": {
"Operator": "AND",
"Criterions": [
{
"TestRef": "oval:org.altlinux.errata:tst:3001",
"Comment": "ALT Linux must be installed"
}
],
"Criterias": [
{
"Operator": "OR",
"Criterions": [
{
"TestRef": "oval:org.altlinux.errata:tst:20246120001",
"Comment": "python3-module-aiohttp is earlier than 0:3.9.1-alt1"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20246120002",
"Comment": "python3-module-aiohttp-tests is earlier than 0:3.9.1-alt1"
}
]
}
]
}
}
]
}
Reference in New Issue View Git Blame Copy Permalink