aiohttp v3.8.5

[doronguttman]

IDs

CVE-2023-37276

Description

aiohttp v3.8.5 is detected as having a vulnerability, although it was fixed in this version

Reproduction Steps

1. create a requirements.txt file
2. add the following to the file:
   
   aiohttp==3.8.5

3. run a trivy scan (trivy fs .)
4. see output above
5. link shows that vulnerability is fixed in 3.8.5

### Target

Filesystem

### Scanner

Vulnerability

### Target OS

linux

### Debug Output

```bash
2023-08-07T16:53:12.572-0400    DEBUG   Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-08-07T16:53:12.576-0400    DEBUG   cache dir:  /home/*****/.cache/trivy
2023-08-07T16:53:12.576-0400    DEBUG   DB update was skipped because the local DB is the latest
2023-08-07T16:53:12.577-0400    DEBUG   DB Schema: 2, UpdatedAt: 2023-08-07 18:11:45.128482564 +0000 UTC, NextUpdate: 2023-08-08 00:11:45.128482464 +0000 UTC, DownloadedAt: 2023-08-07 20:39:23.188313609 +0000 UTC
2023-08-07T16:53:12.577-0400    INFO    Vulnerability scanning is enabled
2023-08-07T16:53:12.577-0400    DEBUG   Vulnerability type:  [os library]
2023-08-07T16:53:12.577-0400    INFO    Secret scanning is enabled
2023-08-07T16:53:12.577-0400    INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-08-07T16:53:12.577-0400    INFO    Please see also https://aquasecurity.github.io/trivy/v0.41/docs/secret/scanning/#recommendation for faster secret detection
2023-08-07T16:53:12.577-0400    DEBUG   No secret config detected: trivy-secret.yaml
2023-08-07T16:53:12.577-0400    DEBUG   Walk the file tree rooted at '.' in parallel
2023-08-07T16:53:12.582-0400    DEBUG   OS is not detected.
2023-08-07T16:53:12.582-0400    DEBUG   Detected OS: unknown
2023-08-07T16:53:12.582-0400    INFO    Number of language-specific files: 1
2023-08-07T16:53:12.582-0400    INFO    Detecting pip vulnerabilities...
2023-08-07T16:53:12.582-0400    DEBUG   Detecting library vulnerabilities, type: pip, path: requirements.txt

requirements.txt (pip)

Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

┌─────────┬────────────────┬──────────┬───────────────────┬───────────────┬───────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                         Title                         │
├─────────┼────────────────┼──────────┼───────────────────┼───────────────┼───────────────────────────────────────────────────────┤
│ aiohttp │ CVE-2023-37276 │ HIGH     │ 3.8.5             │               │ HTTP request smuggling via llhttp HTTP request parser │
│         │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2023-37276            │
└─────────┴────────────────┴──────────┴───────────────────┴───────────────┴───────────────────────────────────────────────────────┘

Version

Version: 0.41.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2023-08-07 18:11:45.128482564 +0000 UTC
  NextUpdate: 2023-08-08 00:11:45.128482464 +0000 UTC
  DownloadedAt: 2023-08-07 20:39:23.188313609 +0000 UTC

Checklist

• Read the documentation regarding wrong detection
• Ran Trivy with -f json that shows data sources and confirmed that the security advisory in data sources was correct

[nikpivkin]

duplicate of #4897