CVE-2021-21330

NameCVE-2021-21330
Descriptionaiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In aiohttp before version 3.7.4 there is an open redirect vulnerability. A maliciously crafted link to an aiohttp-based web-server could redirect the browser to a different website. It is caused by a bug in the `aiohttp.web_middlewares.normalize_path_middleware` middleware. This security problem has been fixed in 3.7.4. Upgrade your dependency using pip as follows "pip install aiohttp >= 3.7.4". If upgrading is not an option for you, a workaround can be to avoid using `aiohttp.web_middlewares.normalize_path_middleware` in your applications.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDSA-4864-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
python-aiohttp (PTS)buster, buster (security)3.5.1-1+deb10u1fixed
bullseye3.7.4-1fixed
bookworm3.8.4-1fixed
sid, trixie3.9.1-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
python-aiohttpsourcestretch(not affected)
python-aiohttpsourcebuster3.5.1-1+deb10u1DSA-4864-1
python-aiohttpsource(unstable)3.7.4-1

Notes

[stretch] - python-aiohttp <not-affected> (Vulnerable code introduced later)
https://github.com/aio-libs/aiohttp/issues/5497
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-v6wp-4m6f-gcjg
https://github.com/aio-libs/aiohttp/blob/master/CHANGES.rst#374-2021-02-25
https://github.com/aio-libs/aiohttp/commit/2545222a3853e31ace15d87ae0e2effb7da0c96b
Search for package or bug name: Reporting problems