8000 Security: aiohttp dependency vulnerability in botbuilder-ai 4.16.2 · Issue #2205 · microsoft/botbuilder-python · GitHub

8000

Security: aiohttp dependency vulnerability in botbuilder-ai 4.16.2 #2205

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Open

3 tasks

louspringer opened this issue Feb 11, 2025 · 0 comments

Open

3 tasks

Security: aiohttp dependency vulnerability in botbuilder-ai 4.16.2 #2205

louspringer opened this issue Feb 11, 2025 · 0 comments

louspringer commented

Security vulnerability in dependency chain preventing critical updates. See full details in docs/security/msrc-report-2024-03.md

Quick Summary

botbuilder-ai 4.16.2 requires aiohttp==3.10.5
aiohttp 3.10.5 has known vulnerabilities (CVE-2024-52303, CVE-2024-52304)
Cannot update to secure aiohttp 3.10.11 due to strict version constraint

Impact

Medium to High severity
Affects all Bot Framework applications using botbuilder-ai
Remote exploitation possible

Status

Submit to Microsoft Security Response Center
Implement temporary mitigations
Monitor for upstream fix

Next Steps

Submit detailed report to Microsoft
Implement protective middleware
Document workarounds for users

References

Full Report: docs/security/msrc-report-2024-03.md
aiohttp Security Fixes: https://github.com/aio-libs/aiohttp/releases/tag/v3.10.11

joeyorlando mentioned this issue

Bump: aiohttp from 3.10.5 to 3.10.11 #2190

Merged

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

0