CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
AI Score
Confidence
Low
aiohttp is an asynchronous HTTP client/server framework for asyncio and
Python. Prior to version 3.10.2, static routes which contain files with
compressed variants (.gz
or .br
extension) are vulnerable to path
traversal outside the root directory if those variants are symbolic links.
The server protects static routes from path traversal outside the root
directory when follow_symlinks=False
(default). It does this by
resolving the requested URL to an absolute path and then checking that path
relative to the root. However, these checks are not performed when looking
for compressed variants in the FileResponse
class, and symbolic links are
then automatically followed when performing the Path.stat()
and
Path.open()
to send the file. Version 3.10.2 contains a patch for the
issue.
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ubuntu | 18.04 | noarch | python-aiohttp | < any | UNKNOWN |
ubuntu | 20.04 | noarch | python-aiohttp | < any | UNKNOWN |
ubuntu | 22.04 | noarch | python-aiohttp | < any | UNKNOWN |
ubuntu | 24.04 | noarch | python-aiohttp | < any | UNKNOWN |
ubuntu | 16.04 | noarch | python-aiohttp | < any | UNKNOWN |
github.com/aio-libs/aiohttp/commit/ce2e9758814527589b10759a20783fb03b98339f (v3.10.2)
github.com/aio-libs/aiohttp/pull/8653
github.com/aio-libs/aiohttp/security/advisories/GHSA-jwhx-xcg6-8xhj
launchpad.net/bugs/cve/CVE-2024-42367
nvd.nist.gov/vuln/detail/CVE-2024-42367
security-tracker.debian.org/tracker/CVE-2024-42367
www.cve.org/CVERecord?id=CVE-2024-42367