ALT-PU-2024-17385-2

Package update python3-module-aiohttp in branch sisyphus

Version: 3.9.5-alt1
Published: 2026-02-04
Max severity: HIGH

Closed issues (6)

BDU:2024-04194
HIGH 7.5

A vulnerability in the aiohttp HTTP client involving a loop with an unreachable exit condition, allowing an attacker to cause a denial of service

Published: 2024-05-29
Modified: 2025-02-05
CVSS 3.x: HIGH 7.5
CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS 2.0: HIGH 7.8
CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:C

BDU:2025-03458
MEDIUM 6.1

A vulnerability in the web.static(..., show_index=True) method of the aiohttp HTTP client, allowing an attacker to affect the confidentiality and integrity of the system

Published: 2025-03-27
Modified: 2025-08-11
CVSS 3.x: MEDIUM 6.1
CVSS:3.x/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVSS 2.0: MEDIUM 6.4
CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:N

CVE-2024-27306
MEDIUM 6.1

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. An XSS vulnerability exists on index pages for static file handling. This vulnerability is fixed in 3.9.4. We have always recommended using a reverse proxy server (e.g. nginx) for serving static files. Users following the recommendation are unaffected. Other users can disable `show_index` if unable to upgrade.

Published: 2024-04-18
Modified: 2025-11-03
CVSS 3.x: MEDIUM 6.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVE-2024-30251
HIGH 7.5

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In affected versions an attacker can send a specially crafted POST (multipart/form-data) request. When the aiohttp server processes it, the server will enter an infinite loop and be unable to process any further requests. An attacker can stop the application from serving requests after sending a single request. This issue has been addressed in version 3.9.4. Users are advised to upgrade. Users unable to upgrade may manually apply a patch to their systems. Please see the linked GHSA for instructions.

Published: 2024-05-02
Modified: 2025-11-03
CVSS 3.x: HIGH 7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H