SB2024050618 - Denial of service in aiohttp
Published: May 6, 2024
Security Bulletin ID
SB2024050618
Severity
Medium
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Denial of service
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Infinite loop (CVE-ID: CVE-2024-30251)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to infinite loop. A remote attacker can send a specially crafted POST request, consume all available system resources and cause denial of service conditions.
Remediation
Install update from vendor's website.
References
- https://github.com/aio-libs/aiohttp/security/advisories/GHSA-5m98-qgg9-wh84
- https://github.com/aio-libs/aiohttp/commit/7eecdff163ccf029fbb1ddc9de4169d4aaeb6597
- https://github.com/aio-libs/aiohttp/commit/cebe526b9c34dc3a3da9140409db63014bc4cf19
- https://github.com/aio-libs/aiohttp/commit/f21c6f2ca512a026ce7f0f6c6311f62d6a638866
- http://www.openwall.com/lists/oss-security/2024/05/02/4