What is CVE-2023-37276?

CVE-2023-37276 is a medium-severity vulnerability in Aio-libs Aiohttp, classified under Inconsistent Interpretation of HTTP Requests (HTTP Request/Response Smuggling). CVSS score: 5.3/10. Published 2023-07-19.

How severe is CVE-2023-37276?

Medium severity. CVSS v3 base score is 5.3 out of 10.

Vulnerability in Aio-libs Aiohttp

CVE-2023-37276

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. aiohttp v3.8.4 and earlier are bundled with llhttp v6.0.6. Vulnerable code is used by aiohttp for its HTTP request parser when available which is the default c…

Vulnerability class: HTTP Request Smuggling

EPSS: 0.061 (91.0th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 5.3 (Medium). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N.

Affected products

Aio-libs Aiohttp — versions < 3.8.5

Weakness classification (CWE)

CWE-444 — Inconsistent Interpretation of HTTP Requests (HTTP Request/Response Smuggling)

References

https://github.com/aio-libs/aiohttp/security/advisories/GHSA-45c4-8wx5-qw6w (x_refsource_CONFIRM)
https://github.com/aio-libs/aiohttp/commit/9337fb3f2ab2b5f38d7e98a194bde6f7e3d16c40 (x_refsource_MISC)
https://hackerone.com/reports/2001873 (x_refsource_MISC)
https://github.com/aio-libs/aiohttp/blob/v3.8.4/.gitmodules (x_refsource_MISC)

Frequently asked questions

What is CVE-2023-37276?: CVE-2023-37276 is a medium-severity vulnerability in Aio-libs Aiohttp, classified under Inconsistent Interpretation of HTTP Requests (HTTP Request/Response Smuggling). CVSS score: 5.3/10. Published 2023-07-19.
How severe is CVE-2023-37276?: Medium severity. CVSS v3 base score is 5.3 out of 10.