Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS02eDRoLTk2MjItZnFyNs4AA3un

Improper validation in meraki

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Improper validation made it possible for an attacker to modify the HTTP request (e.g. to insert a new header) or create a new HTTP request if the attacker controls the HTTP version. The vulnerability only occurs if the attacker can control the HTTP version of the request. This issue has been patched in version 3.9.0.

meraki version 1.40.1 and later requires aiohttp 3.9.0

Permalink: https://github.com/advisories/GHSA-6x4h-9622-fqr6
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS02eDRoLTk2MjItZnFyNs4AA3un
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 5 months ago
Updated: 4 months ago
CVSS Score: 7.2
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Identifiers: GHSA-6x4h-9622-fqr6
References: Repository: https://github.com/meraki/dashboard-api-python
Blast Radius: 13.8

Affected Packages

pypi:meraki
Dependent packages: 9
Dependent repositories: 83
Downloads: 114,805 last month
Affected Version Ranges: < 1.40.1
Fixed in: 1.40.1
All affected versions: 0.70.1, 0.70.2, 0.70.3, 0.70.4, 0.70.5, 0.80.0, 0.80.1, 0.80.2, 0.80.3, 0.90.0, 0.90.1, 0.90.2, 0.100.0, 0.100.1, 0.100.2, 0.110.0, 0.110.1, 0.110.2, 0.110.3, 0.110.4, 0.110.5, 0.110.6, 1.0.0, 1.1.0, 1.2.0, 1.3.0, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.6.0, 1.6.1, 1.6.2, 1.7.0, 1.7.1, 1.7.2, 1.10.0, 1.12.0, 1.15.0, 1.18.0, 1.18.1, 1.18.2, 1.19.0, 1.20.0, 1.22.0, 1.22.1, 1.24.0, 1.25.0, 1.27.0, 1.30.0, 1.32.0, 1.32.1, 1.33.0, 1.34.0, 1.36.0, 1.37.1, 1.37.2, 1.37.3, 1.38.0, 1.39.0, 1.39.1, 1.40.0
All unaffected versions: 1.40.1, 1.41.0, 1.42.0, 1.43.0, 1.45.0, 1.46.0