CVE-2022-33124 — Withdrawn: Denial of Service in aiohttp

Description

AIOHTTP 3.8.1 can report a "ValueError: Invalid IPv6 URL" outcome, which can lead to a Denial of Service (DoS). NOTE: multiple third parties dispute this issue because there is no example of a context in which denial of service would occur, and many common contexts have exception handing in the calling application

How to fix CVE-2022-33124

No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.

PyPI/aiohttp—no fix listed
—no fix listed

Is CVE-2022-33124 being exploited?

No exploitation signal available. Neither CISA KEV nor a current EPSS score has been published for CVE-2022-33124.

Affected packages (2)

from 0, <= 3.8.1
from 0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.5	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

References (5)

ADVISORYgithub.com/advisories/GHSA-rwqr-c348-m5wr
ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-33124
PATCHgithub.com/aio-libs/aiohttp
WEBgithub.com/aio-libs/aiohttp/issues/6772
WEB