FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

aiohttp -- open redirect vulnerability

Affected packages
py36-aiohttp < 3.7.4
py37-aiohttp < 3.7.4
py38-aiohttp < 3.7.4
py39-aiohttp < 3.7.4

Details

VuXML ID 3000acee-c45d-11eb-904f-14dae9d5a9d2
Discovery 2021-02-25
Entry 2021-06-03

Sviatoslav Sydorenko reports:

Open redirect vulnerability — a maliciously crafted link to an aiohttp-based web-server could redirect the browser to a different website.

It is caused by a bug in the aiohttp.web_middlewares.normalize_path_middleware middleware.

References

CVE Name CVE-2021-21330
URL https://github.com/aio-libs/aiohttp/security/advisories/GHSA-v6wp-4m6f-gcjg
URL https://nvd.nist.gov/vuln/detail/CVE-2021-21330