#VU50977 Open redirect in aiohttp - CVE-2021-21330

Cybersecurity Help s.r.o.

Published: 2021-02-28

Vulnerability identifier: #VU50977

Vulnerability risk: Low

CVSSv4.0: 0.5 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2021-21330

CWE-ID: CWE-601

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
aiohttp
Other software / Other software solutions

Vendor: aio-libs

Description

The vulnerability allows a remote attacker to redirect victims to arbitrary URL.

The vulnerability exists due to improper sanitization of user-supplied data. A remote attacker can create a link that leads to a trusted website, however, when clicked, redirects the victim to arbitrary domain.

Successful exploitation of this vulnerability may allow a remote attacker to perform a phishing attack and steal potentially sensitive information.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

aiohttp: 3.0.0 - 3.7.3

External links
https://github.com/aio-libs/aiohttp/blob/master/CHANGES.rst#374-2021-02-25
https://github.com/aio-libs/aiohttp/commit/2545222a3853e31ace15d87ae0e2effb7da0c96b
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-v6wp-4m6f-gcjg
https://pypi.org/project/aiohttp/
https://www.debian.org/security/2021/dsa-4864

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Gentoo update for aiohttp

Open redirect in IBM Watson Discovery for IBM Cloud Pak for Data

SUSE update for python-aiohttp

Debian update for python-aiohttp

Open redirect in aiohttp

Fedora EPEL 8 update for python-aiohttp

Fedora 33 update for python-aiohttp

Fedora 34 update for python-aiohttp