An open redirect vulnerability has been discovered in aiohttp.
| Package | dev-python/aiohttp on all architectures |
|---|---|
| Affected versions | < 3.7.4 |
| Unaffected versions | >= 3.7.4 |
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python.
A bug in aiohttp.web_middlewares.normalize_path_middleware creates an open redirect vulnerability.
An attacker could use this vulnerability to craft a link that, while appearing to point to an aiohttp-based website, redirects users to an arbitrary attacker-controlled URL.
There is no known workaround at this time.
All aiohttp users should upgrade to the latest version:
```shell
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-python/aiohttp-3.7.4"
```
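As an added example (not part of this advisory and not aiohttp's own code), the following check can be run over the redirect responses a test client collects from a server that uses normalize_path_middleware, to flag any Location header that would send a user off the expected host; the host name and the sample responses are constructed for illustration.

```python
# Added example: defender-side audit of 3xx responses. Flags Location values
# that can leave the expected host (absolute URLs to other hosts, protocol-
# relative "//host/..." targets, backslash variants browsers treat as "/").
from urllib.parse import urlsplit

def is_same_site_redirect(location: str, expected_host: str) -> bool:
    """Return True only if `location` cannot take the browser off `expected_host`."""
    # Control characters in a Location header are a red flag on their own.
    if not location or any(ord(c) < 0x20 or c == "\x7f" for c in location):
        return False
    # Browsers parse "\" like "/" in URLs, so normalise before inspecting.
    normalised = location.replace("\\", "/")
    parts = urlsplit(normalised)
    if parts.scheme:
        # Absolute URL: allow only http(s) back to the expected host.
        if parts.scheme not in ("http", "https"):
            return False
        return (parts.hostname or "").lower() == expected_host.lower()
    if normalised.startswith("//"):
        # Protocol-relative target: resolves to whatever host follows.
        return (parts.hostname or "").lower() == expected_host.lower()
    # Only root-relative paths on the same origin are accepted.
    return normalised.startswith("/")

def audit_redirects(responses, expected_host):
    """Return the (status, location) pairs whose redirect leaves `expected_host`.

    `responses` is an iterable of (status, location) pairs, as a test client
    would collect them from a staging server.
    """
    return [
        (status, loc) for status, loc in responses
        if 300 <= status < 400 and not is_same_site_redirect(loc, expected_host)
    ]

# Constructed sample responses (hypothetical host example.org), not captured
# from a real aiohttp server.
SAMPLE_RESPONSES = [
    (301, "/docs/"),
    (301, "https://example.org/docs/"),
    (301, "//attacker.example/docs/"),
    (302, "/\\attacker.example/"),
    (200, "/not-a-redirect"),
]

if __name__ == "__main__":
    for status, loc in audit_redirects(SAMPLE_RESPONSES, "example.org"):
        print(f"off-site redirect: {status} -> {loc!r}")
```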
Release date
August 10, 2022
Latest revision
August 10, 2022: 1
Severity
low
Exploitable
remote
Bugzilla entries