Published: 19 November 2024
Modified: 4 January 2025
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In versions starting with 3.10.6 and prior to 3.10.11, a memory leak can occur when a request produces a MatchInfoError. This was caused by adding an entry to a cache on each request, due to the building of each MatchInfoError producing a unique cache entry. An attacker may be able to exhaust the memory resources of a server by sending a substantial number (100,000s to millions) of such requests. Those who use any middlewares with aiohttp.web should upgrade to version 3.10.11 to receive a patch.
Metric | NVD | openEuler
---|---|---
Attack Vector | Network | Network
Attack Complexity | Low | Low
Privileges Required | None | None
User Interaction | None | None
Scope | Unchanged |
Confidentiality | None |
Integrity | None |
Availability | High |
CVSS score | 8.7 | 7.5
Advisory | Summary | Published
---|---|---
KylinSec-SA-2024-4165 | aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In versions starting with 3.10.6 and prior to 3.10.11, a memory leak can occur when a request produces a MatchInfoError. This was caused by adding an entry to a cache on each request, due to the building of each MatchInfoError producing a unique cache entry. An attacker may be able to exhaust the memory resources of a server by sending a substantial number (100,000s to millions) of such requests. Those who use any middlewares with aiohttp.web should upgrade to version 3.10.11 to receive a patch. | 23 November 2024
Product | Package | Status
---|---|---
KY3.4-5A | python-aiohttp | Unaffected |
KY3.5.2 | python-aiohttp | Unaffected |
KY3.5.3 | python-aiohttp | Unaffected |
V6 | python-aiohttp | Unaffected |