MEDIUM
GHSA-p998-jp59-783m
AIOHTTP affected by UNC SSRF/NTLMv2 Credential Theft/Local File Read in static resource handler on Windows
상세
### Summary
On Windows the static resource handler may expose information about a NTLMv2 remote path.
### Impact
If an application is running on Windows, and using aiohttp's static resource handler (not recommended in production), then it may be possible for an attacker to extract the hash from an NTLMv2 path and then extract the user's credentials from there.
-----
Patch: https://github.com/aio-libs/aiohttp/commit/0ae2aa076c84573df83fc1fdc39eec0f5862fe3d
이 버전이 영향받나요?
사용 중인 패키지 버전을 입력하면 즉시 평가합니다.
영향 패키지
참고
- https://github.com/aio-libs/aiohttp/security/advisories/GHSA-p998-jp59-783m [WEB]
- https://nvd.nist.gov/vuln/detail/CVE-2026-34515 [ADVISORY]
- https://github.com/aio-libs/aiohttp/commit/0ae2aa076c84573df83fc1fdc39eec0f5862fe3d [WEB]
- https://github.com/aio-libs/aiohttp [PACKAGE]
- https://github.com/aio-libs/aiohttp/releases/tag/v3.13.4 [WEB]