1184745 – (CVE-2021-21330) VUL-0: CVE-2021-21330: python-aiohttp: Open redirect in aiohttp.web_middlewares.normalize_path_middleware

Bug 1184745 (CVE-2021-21330) - VUL-0: CVE-2021-21330: python-aiohttp: Open redirect in aiohttp.web_middlewares.normalize_path_middleware

Summary: VUL-0: CVE-2021-21330: python-aiohttp: Open redirect in aiohttp.web_middlewar...

Status:	RESOLVED FIXED

Alias:	CVE-2021-21330

Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents (show other bugs)
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Major
Target Milestone:	---
Assignee:	John Paul Adrian Glaubitz
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/278672/
Whiteboard:	CVSSv3.1:SUSE:CVE-2021-21330:8.2:(AV:...
Keywords:

Depends on:
Blocks:

Clone This Bug

Reported:	2021-04-14 14:36 UTC by Alexandros Toptsoglou
Modified:	2023-09-06 20:55 UTC (History)
CC List:	1 user (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Alexandros Toptsoglou 2021-04-14 14:36:56 UTC

CVE-2021-21330

A flaw was found in python-aiohttp. A maliciously crafted link to an aiohttp-based web-server could redirect the browser to a different website. It is caused by a bug in the aiohttp.web_middlewares.normalize_path_middleware middleware.

References:

https://github.com/aio-libs/aiohttp/security/advisories/GHSA-v6wp-4m6f-gcjg

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1933364
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-21330
http://www.debian.org/security/-1/dsa-4864
https://www.debian.org/security/2021/dsa-4864
https://access.redhat.com/security/cve/CVE-2021-21330
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21330
https://github.com/aio-libs/aiohttp/blob/master/CHANGES.rst#374-2021-02-25
https://github.com/aio-libs/aiohttp/commit/2545222a3853e31ace15d87ae0e2effb7da0c96b
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-v6wp-4m6f-gcjg
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FU7ENI54JNEK3PHEFGCE46DGMFNTVU6L/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JN3V7CZJRT4QFCVXB6LDPCJH7NAOFCA5/
https://pypi.org/project/aiohttp/

Comment 1 Alexandros Toptsoglou 2021-04-14 14:37:59 UTC

Tracked as affected SLE15-Sp1 and Leap 15.2 Factory is already in version 3.7.4

Comment 3 Swamp Workflow Management 2021-04-26 10:17:12 UTC

SUSE-SU-2021:1313-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1184745
CVE References: CVE-2021-21330
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Public Cloud 15-SP3 (src):    python-aiohttp-3.4.4-3.6.1
SUSE Linux Enterprise Module for Public Cloud 15-SP2 (src):    python-aiohttp-3.4.4-3.6.1
SUSE Linux Enterprise Module for Public Cloud 15-SP1 (src):    python-aiohttp-3.4.4-3.6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 4 John Paul Adrian Glaubitz 2021-07-26 08:45:19 UTC

This has been fixed.

Comment 5 OBSbugzilla Bot 2023-09-06 20:55:08 UTC

This is an autogenerated message for OBS integration:
This bug (1184745) was mentioned in
https://build.opensuse.org/request/show/1109336 Factory / python-aiohttp