CVE-2021-21330

Name	CVE-2021-21330
Description	aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In aiohttp before version 3.7.4 there is an open redirect vulnerability. A maliciously crafted link to an aiohttp-based web-server could redirect the browser to a different website. It is caused by a bug in the `aiohttp.web_middlewares.normalize_path_middleware` middleware. This security problem has been fixed in 3.7.4. Upgrade your dependency using pip as follows "pip install aiohttp >= 3.7.4". If upgrading is not an option for you, a workaround can be to avoid using `aiohttp.web_middlewares.normalize_path_middleware` in your applications.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DSA-4864-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
python-aiohttp (PTS)	stretch	1.2.0-1	fixed
	buster (security), buster, buster (lts)	3.5.1-1+deb10u1	fixed
	bullseye	3.7.4-1	fixed
	bookworm	3.8.4-1	fixed
	sid, trixie	3.10.10-2	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Origin
python-aiohttp	source	stretch	(not affected)
python-aiohttp	source	buster	3.5.1-1+deb10u1	DSA-4864-1
python-aiohttp	source	(unstable)	3.7.4-1

Notes

[stretch] - python-aiohttp <not-affected> (Vulnerable code introduced later)
https://github.com/aio-libs/aiohttp/issues/5497
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-v6wp-4m6f-gcjg
https://github.com/aio-libs/aiohttp/blob/master/CHANGES.rst#374-2021-02-25
https://github.com/aio-libs/aiohttp/commit/2545222a3853e31ace15d87ae0e2effb7da0c96b