CVE-2023-47641: 
Python vulnerability analysis and mitigation

CVE-2023-47641 affects aiohttp, an asynchronous HTTP client/server framework for asyncio and Python. The vulnerability was discovered and disclosed on November 14, 2023, and involves inconsistent interpretation of HTTP protocol headers. The vulnerability affects all versions of aiohttp prior to version 3.8.0 (GitHub Advisory, NVD).

The vulnerability stems from the inconsistent interpretation of HTTP/1.1 protocol when both Content-Length (CL) and Transfer-Encoding (TE) header values are present. This inconsistency can lead to incorrect parsing between different entities processing the HTTP request. The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (MEDIUM) by NIST and 3.4 (LOW) by GitHub, with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N (NVD).

The vulnerability enables attackers to bypass proxy rules and poison sockets to other users, including the ability to pass unauthorized Authentication Headers. When combined with an Open Redirect vulnerability, attackers could redirect users to malicious websites and log their requests. This creates significant security implications for systems using aiohttp as a backend service (GitHub Advisory).

The vulnerability has been addressed in aiohttp version 3.8.0. Users are strongly advised to upgrade to this version or later. No alternative workarounds are currently known for this vulnerability (NVD).