Fluid Attacks Database

Description

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. A XSS vulnerability exists on index pages for static file handling. This vulnerability is fixed in 3.9.4. We have always recommended using a reverse proxy server (e.g. nginx) for serving static files. Users following the recommendation are unaffected. Other users can disable show_index if unable to upgrade.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 12	python-aiohttp	=3.10.0-1 \|\| =3.10.1-1 \|\| =3.10.10-1 \|\| =3.10.10-2 \|\| =3.10.11-1 \|\| =3.10.3-1 \|\| =3.10.3-2 \|\| =3.10.3-3 \|\| =3.10.4-1 \|\| =3.10.5-1 \|\| =3.10.6-1 \|\| =3.10.8-1 \|\| =3.11.15-1 \|\| =3.11.16-1 \|\| =3.12.15-1 \|\| =3.13.0-1 \|\| =3.13.1-1 \|\| =3.13.3-1 \|\| =3.13.3-2 \|\| =3.13.3-3 \|\| =3.13.5-1 \|\| =3.8.4-1 \|\| =3.8.4-1+deb12u1 \|\| =3.8.5-1 \|\| =3.8.6-1 \|\| =3.9.1-1 \|\| =3.9.5-1	-
debian 11	python-aiohttp	=3.7.4-1 \|\| >=0 <3.7.4-1+deb11u1	3.7.4-1+deb11u1
debian 13	python-aiohttp	>=0 <3.9.5-1	3.9.5-1
debian 14	python-aiohttp	>=0 <3.9.5-1	3.9.5-1
pypi	aiohttp	>=0 <3.9.4	3.9.4

Aliases

1. CVE-2024-273062. NVD-2024-273063. OSV-DEBIAN-2024-273064. OSV-2024-273065. GHSA-7gpw-8wmc-pm8g6. GCVE-2024-273067. SECURITY-TRACKER-CVE-2024-273068. lists.debian.org

References

1. https://github.com/aio-libs/aiohttp/security/advisories/GHSA-7gpw-8wmc-pm8g2. https://github.com/aio-libs/aiohttp/pull/83193. https://github.com/aio-libs/aiohttp/pull/8319/files4. https://github.com/aio-libs/aiohttp/commit/28335525d1eac015a7e7584137678cbb6ff193975. https://lists.fedoraproject.org/archives/list/[email protected]/message/2EXRGTN2WG7VZLUZ7WOXU5GQJKCPPHKP6. https://lists.fedoraproject.org/archives/list/[email protected]/message/NWEI6NIHZ3G7DURDZVMRK7ZEFC2BTD3U7. https://lists.fedoraproject.org/archives/list/[email protected]/message/ZIVBMPEY7WWOFMC3CWXFBRQPFECV4SW3