CVSS3
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE
Vector string: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
A vulnerability was found in aiohttp. Static routes that contain files with compressed variants (.gz or .br extension) were vulnerable to path traversal outside the root directory if those variants were symbolic links. Servers with static routes that contain compressed variants as symbolic links, pointing outside the root directory, or that permit users to upload or create such links, are impacted.
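The mechanism described above is that the server chose a compressed variant (`.gz` / `.br`) of a static file without checking where that variant actually resolved once symbolic links were followed. The following Python example is added here to illustrate the defensive check; it is not aiohttp's own code or its patch, and the `resolve_static_file` function, the fixture layout and the sample file names are assumptions constructed for the demonstration. It builds a temporary static root whose `index.html.gz` is a symlink to a file outside the root, and shows that resolving every candidate path (compressed variant and plain file alike) with `os.path.realpath` and requiring it to stay under the resolved root denies the symlinked variant and the `..` form while still serving the legitimate plain file.

```python
import os
import tempfile
from typing import Dict, Iterable, Optional, Tuple

# Order of preference for compressed variants, keyed by Accept-Encoding token.
# Assumption for this example; suffixes match the advisory text (.br / .gz).
VARIANTS = (("br", ".br"), ("gzip", ".gz"))


def resolve_static_file(root: str, relative_path: str,
                        accept_encodings: Iterable[str] = ()) -> Optional[str]:
    """Return the real filesystem path to serve, or None to refuse the request.

    Every candidate (compressed variants first, then the plain file) is fully
    resolved with realpath, so symlinks are followed before the containment
    check. A candidate that resolves outside the resolved root, whether via a
    symlink or a '..' component, causes the whole request to be refused.
    """
    real_root = os.path.realpath(root)
    accepted = set(accept_encodings)
    candidates = [relative_path + suffix for enc, suffix in VARIANTS if enc in accepted]
    candidates.append(relative_path)

    for candidate in candidates:
        resolved = os.path.realpath(os.path.join(real_root, candidate))
        # Containment check on the resolved path: the root must be a prefix
        # at a path-component boundary, which commonpath guarantees.
        if os.path.commonpath([real_root, resolved]) != real_root:
            return None  # escapes the static root: deny
        if os.path.isfile(resolved):
            return resolved
    return None


def build_demo_tree() -> Tuple[str, str]:
    """Constructed fixture: <base>/static/index.html plus a compressed
    'variant' index.html.gz that is really a symlink to <base>/outside/secret.txt."""
    base = tempfile.mkdtemp(prefix="static-symlink-demo-")
    root = os.path.join(base, "static")
    outside = os.path.join(base, "outside")
    os.makedirs(root)
    os.makedirs(outside)
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write("<h1>public page</h1>")
    secret = os.path.join(outside, "secret.txt")
    with open(secret, "w") as fh:
        fh.write("must never be served")
    os.symlink(secret, os.path.join(root, "index.html.gz"))
    return root, secret


def demo() -> Dict[str, object]:
    """Run the three interesting requests against the fixture and report results."""
    root, _secret = build_demo_tree()
    real_root = os.path.realpath(root)
    plain = resolve_static_file(root, "index.html")
    return {
        # legitimate file, no compression negotiated: served from inside root
        "plain_in_root": plain == os.path.join(real_root, "index.html"),
        # client accepts gzip, so index.html.gz is considered first; the
        # symlink resolves outside the root and the request is refused
        "gzip_symlink": resolve_static_file(root, "index.html", ("gzip",)),
        # classic dot-dot form is refused by the same check
        "dotdot": resolve_static_file(root, "../outside/secret.txt"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Refusing the request outright (rather than silently falling back to the plain file) is a deliberate choice: a compressed variant that points outside the root is a misconfiguration or a hostile upload, and surfacing it as a 403/404 in the logs is more useful to an operator than quietly serving the uncompressed copy.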
bugzilla.redhat.com/show_bug.cgi?id=2304394
github.com/aio-libs/aiohttp/blob/e0ff5246e1d29b7710ab1a2bbc972b48169f1c05/aiohttp/web_fileresponse.py#L177
github.com/aio-libs/aiohttp/blob/e0ff5246e1d29b7710ab1a2bbc972b48169f1c05/aiohttp/web_urldispatcher.py#L674
github.com/aio-libs/aiohttp/commit/ce2e9758814527589b10759a20783fb03b98339f
github.com/aio-libs/aiohttp/pull/8653
github.com/aio-libs/aiohttp/security/advisories/GHSA-jwhx-xcg6-8xhj
nvd.nist.gov/vuln/detail/CVE-2024-42367
www.cve.org/CVERecord?id=CVE-2024-42367