{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-52304", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-11-06T19:00:26.396Z", "datePublished": "2024-11-18T20:12:48.612Z", "dateUpdated": "2024-11-21T14:07:39.914Z"}, "containers": {"cna": {"title": "aiohttp vulnerable to request smuggling due to incorrect parsing of chunk extensions", "problemTypes": [{"descriptions": [{"cweId": "CWE-444", "lang": "en", "description": "CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 6.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/aio-libs/aiohttp/security/advisories/GHSA-8495-4g3g-x7pr", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/aio-libs/aiohttp/security/advisories/GHSA-8495-4g3g-x7pr"}, {"name": "https://github.com/aio-libs/aiohttp/commit/259edc369075de63e6f3a4eaade058c62af0df71", "tags": ["x_refsource_MISC"], "url": "https://github.com/aio-libs/aiohttp/commit/259edc369075de63e6f3a4eaade058c62af0df71"}], "affected": [{"vendor": "aio-libs", "product": "aiohttp", "versions": [{"version": "< 3.10.11", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-11-18T20:12:48.612Z"}, "descriptions": [{"lang": "en", "value": "aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.10.11, the Python parser parses newlines in chunk extensions incorrectly which can lead to request smuggling vulnerabilities under certain conditions. If a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or `AIOHTTP_NO_EXTENSIONS` is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections. Version 3.10.11 fixes the issue."}], "source": {"advisory": "GHSA-8495-4g3g-x7pr", "discovery": "UNKNOWN"}}, "adp": [{"affected": [{"vendor": "python", "product": "aiohttp", "cpes": ["cpe:2.3:a:python:aiohttp:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "3.10.11", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-11-19T15:38:44.530052Z", "id": "CVE-2024-52304", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-21T14:07:39.914Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-52304", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-11-19T15:38:44.530052Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:python:aiohttp:*:*:*:*:*:*:*:*"], "vendor": "python", "product": "aiohttp", "versions": [{"status": "affected", "version": "0", "lessThan": "3.10.11", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-19T15:38:37.921Z"}}], "cna": {"title": "aiohttp vulnerable to request smuggling due to incorrect parsing of chunk extensions", "source": {"advisory": "GHSA-8495-4g3g-x7pr", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "aio-libs", "product": "aiohttp", "versions": [{"status": "affected", "version": "< 3.10.11"}]}], "references": [{"url": "https://github.com/aio-libs/aiohttp/security/advisories/GHSA-8495-4g3g-x7pr", "name": "https://github.com/aio-libs/aiohttp/security/advisories/GHSA-8495-4g3g-x7pr", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/aio-libs/aiohttp/commit/259edc369075de63e6f3a4eaade058c62af0df71", "name": "https://github.com/aio-libs/aiohttp/commit/259edc369075de63e6f3a4eaade058c62af0df71", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.10.11, the Python parser parses newlines in chunk extensions incorrectly which can lead to request smuggling vulnerabilities under certain conditions. If a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or `AIOHTTP_NO_EXTENSIONS` is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections. Version 3.10.11 fixes the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-444", "description": "CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-11-18T20:12:48.612Z"}}}, "cveMetadata": {"cveId": "CVE-2024-52304", "state": "PUBLISHED", "dateUpdated": "2024-11-21T14:07:39.914Z", "dateReserved": "2024-11-06T19:00:26.396Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-11-18T20:12:48.612Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:aiohttp:aiohttp:*:*:*:*:*:*:*:*", "matchCriteriaId": "7BB56D96-249C-46E4-8C28-D29970BE7898", "versionEndExcluding": "3.10.11", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.10.11, the Python parser parses newlines in chunk extensions incorrectly which can lead to request smuggling vulnerabilities under certain conditions. If a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or `AIOHTTP_NO_EXTENSIONS` is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections. Version 3.10.11 fixes the issue."}, {"lang": "es", "value": "aiohttp es un framework de trabajo de cliente/servidor HTTP asincr\u00f3nico para asyncio y Python. Antes de la versi\u00f3n 3.10.11, el analizador de Python analiza incorrectamente las nuevas l\u00edneas en las extensiones de fragmentos, lo que puede provocar vulnerabilidades de contrabando de solicitudes en determinadas condiciones. Si se instala una versi\u00f3n Python pura de aiohttp (es decir, sin las extensiones C habituales) o se habilita `AIOHTTP_NO_EXTENSIONS`, un atacante puede ejecutar un ataque de contrabando de solicitudes para eludir determinados cortafuegos o protecciones de proxy. La versi\u00f3n 3.10.11 soluciona el problema."}], "id": "CVE-2024-52304", "lastModified": "2025-08-15T17:36:18.507", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-11-18T21:15:06.500", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/aio-libs/aiohttp/commit/259edc369075de63e6f3a4eaade058c62af0df71"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/aio-libs/aiohttp/security/advisories/GHSA-8495-4g3g-x7pr"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-444"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2025:0753", "cpe": "cpe:/a:redhat:ansible_automation_platform:ee::el8", "package": "ansible-automation-platform/ee-minimal-rhel8:2.15.13-6", "product_name": "Ansible Automation Platform Execution Environments", "release_date": "2025-01-28T00:00:00Z"}, {"advisory": "RHSA-2025:0753", "cpe": "cpe:/a:redhat:ansible_automation_platform:ee::el8", "package": "ansible-automation-platform/ee-minimal-rhel9:2.18.1-4", "product_name": "Ansible Automation Platform Execution Environments", "release_date": "2025-01-28T00:00:00Z"}, {"advisory": "RHSA-2025:1101", "cpe": "cpe:/a:redhat:ansible_automation_platform:ee::el8", "package": "ansible-automation-platform/ee-minimal-rhel8:2.18.2-3", "product_name": "Ansible Automation Platform Execution Environments", "release_date": "2025-02-05T00:00:00Z"}, {"advisory": "RHSA-2025:1101", "cpe": "cpe:/a:redhat:ansible_automation_platform:ee::el8", "package": "ansible-automation-platform/ee-minimal-rhel9:2.18.2-4", "product_name": "Ansible Automation Platform Execution Environments", "release_date": "2025-02-05T00:00:00Z"}, {"advisory": "RHSA-2025:0722", "cpe": "cpe:/a:redhat:ansible_automation_platform:2.4::el8", "package": "ansible-automation-platform-24/lightspeed-rhel8-operator:2.4-33", "product_name": "Red Hat Ansible Automation Platform 2.4 for RHEL 8", "release_date": "2025-01-27T00:00:00Z"}, {"advisory": "RHSA-2024:10766", "cpe": "cpe:/a:redhat:ansible_automation_platform:2.5::el8", "package": "automation-controller-0:4.6.3-1.el8ap", "product_name": "Red Hat Ansible Automation Platform 2.5 for RHEL 8", "release_date": "2024-12-03T00:00:00Z"}, {"advisory": "RHSA-2025:0340", "cpe": "cpe:/a:redhat:ansible_automation_platform:2.5::el8", "package": "python3.11-aiohttp-0:3.10.11-1.el8ap", "product_name": "Red Hat Ansible Automation Platform 2.5 for RHEL 8", "release_date": "2025-01-15T00:00:00Z"}, {"advisory": "RHSA-2025:0341", "cpe": "cpe:/a:redhat:ansible_automation_platform:2.5::el8", "package": "ansible-automation-platform-25/lightspeed-rhel8:2.5.250107-1", "product_name": "Red Hat Ansible Automation Platform 2.5 for RHEL 8", "release_date": "2025-01-15T00:00:00Z"}, {"advisory": "RHSA-2024:10766", "cpe": "cpe:/a:redhat:ansible_automation_platform:2.5::el9", "package": "automation-controller-0:4.6.3-1.el9ap", "product_name": "Red Hat Ansible Automation Platform 2.5 for RHEL 9", "release_date": "2024-12-03T00:00:00Z"}, {"advisory": "RHSA-2025:0340", "cpe": "cpe:/a:redhat:ansible_automation_platform:2.5::el9", "package": "python3.11-aiohttp-0:3.10.11-1.el9ap", "product_name": "Red Hat Ansible Automation Platform 2.5 for RHEL 9", "release_date": "2025-01-15T00:00:00Z"}, {"advisory": "RHSA-2024:11574", "cpe": "cpe:/a:redhat:satellite:6.16::el8", "package": "python-aiohttp-0:3.10.11-1.el8pc", "product_name": "Red Hat Satellite 6.16 for RHEL 8", "release_date": "2024-12-19T00:00:00Z"}, {"advisory": "RHSA-2024:11574", "cpe": "cpe:/a:redhat:satellite_capsule:6.16::el8", "package": "python-aiohttp-0:3.10.11-1.el8pc", "product_name": "Red Hat Satellite 6.16 for RHEL 8", "release_date": "2024-12-19T00:00:00Z"}, {"advisory": "RHSA-2024:11574", "cpe": "cpe:/a:redhat:satellite:6.16::el9", "package": "python-aiohttp-0:3.10.11-1.el9pc", "product_name": "Red Hat Satellite 6.16 for RHEL 9", "release_date": "2024-12-19T00:00:00Z"}, {"advisory": "RHSA-2024:11574", "cpe": "cpe:/a:redhat:satellite_capsule:6.16::el9", "package": "python-aiohttp-0:3.10.11-1.el9pc", "product_name": "Red Hat Satellite 6.16 for RHEL 9", "release_date": "2024-12-19T00:00:00Z"}], "bugzilla": {"description": "aiohttp: aiohttp vulnerable to request smuggling due to incorrect parsing of chunk extensions", "id": "2327130", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2327130"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.9", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "status": "verified"}, "cwe": "CWE-444", "details": ["aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.10.11, the Python parser parses newlines in chunk extensions incorrectly which can lead to request smuggling vulnerabilities under certain conditions. If a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or `AIOHTTP_NO_EXTENSIONS` is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections. Version 3.10.11 fixes the issue.", "A flaw was found in the aiohttp package. The Python parser parses newlines in chunk extensions incorrectly, which can lead to request smuggling vulnerabilities under certain conditions. If a pure Python version of aiohttp is installed, for example, without the usual C extensions, or `AIOHTTP_NO_EXTENSIONS` is enabled, an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections."], "name": "CVE-2024-52304", "package_state": [{"cpe": "cpe:/a:redhat:openshift_lightspeed", "fix_state": "Affected", "package_name": "openshift-lightspeed-tech-preview/lightspeed-service-api-rhel9", "product_name": "OpenShift Lightspeed"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Not affected", "package_name": "aap-cloud-metrics-collector-container", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Not affected", "package_name": "ansible-automation-platform-24/de-supported-rhel8", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Not affected", "package_name": "ansible-automation-platform-24/ee-dellemc-openmanage-rhel8", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Not affected", "package_name": "ansible-automation-platform-24/platform-resource-runner-rhel8", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Not affected", "package_name": "ansible-automation-platform-25/ansible-dev-tools-rhel8", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:1", "fix_state": "Fix deferred", "package_name": "rhelai1/bootc-amd-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI)"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:1", "fix_state": "Fix deferred", "package_name": "rhelai1/bootc-azure-nvidia-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI)"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:1", "fix_state": "Will not fix", "package_name": "rhelai1/bootc-nvidia-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI)"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:1", "fix_state": "Fix deferred", "package_name": "rhelai1/instructlab-amd-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI)"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:1", "fix_state": "Will not fix", "package_name": "rhelai1/instructlab-nvidia-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI)"}, {"cpe": "cpe:/a:redhat:rhui:4::el8", "fix_state": "Will not fix", "package_name": "python-aiohttp", "product_name": "Red Hat Update Infrastructure 4 for Cloud Providers"}], "public_date": "2024-11-18T20:12:48Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-52304\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-52304\nhttps://github.com/aio-libs/aiohttp/commit/259edc369075de63e6f3a4eaade058c62af0df71\nhttps://github.com/aio-libs/aiohttp/security/advisories/GHSA-8495-4g3g-x7pr"], "statement": "Within regulated environments, a combination of the following controls acts as a significant barrier to successfully exploiting a CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') vulnerability and therefore downgrades the severity of this particular CVE from Moderate to Low.\nThe platform uses secure, encrypted HTTPS connections over TLS 1.2 to reduce the risk of smuggling attacks by preventing the injection of ambiguous or malformed requests between components. The environment employs IPS/IDS and antimalware solutions to detect and block malicious code while ensuring consistent interpretation of HTTP requests across network layers, mitigating request/response inconsistencies. Event logs are collected and analyzed for centralization, correlation, monitoring, alerting, and retention, enabling the detection of malformed or suspicious HTTP traffic. Static code analysis and peer reviews enforce strong input validation and error handling to ensure all user inputs adhere to HTTP protocol specifications.", "threat_severity": "Moderate"}