CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
AI Score
Confidence
High
EPSS
Percentile
16.3%
SSVC
Exploitation
none
Automatable
no
Technical Impact
partial
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.10.2, static routes which contain files with compressed variants (.gz
or .br
extension) are vulnerable to path traversal outside the root directory if those variants are symbolic links. The server protects static routes from path traversal outside the root directory when follow_symlinks=False
(default). It does this by resolving the requested URL to an absolute path and then checking that path relative to the root. However, these checks are not performed when looking for compressed variants in the FileResponse
class, and symbolic links are then automatically followed when performing the Path.stat()
and Path.open()
to send the file. Version 3.10.2 contains a patch for the issue.
[
{
"vendor": "aio-libs",
"product": "aiohttp",
"versions": [
{
"status": "affected",
"version": "< 3.10.2"
}
]
}
]
github.com/aio-libs/aiohttp/blob/e0ff5246e1d29b7710ab1a2bbc972b48169f1c05/aiohttp/web_fileresponse.py#L177
github.com/aio-libs/aiohttp/blob/e0ff5246e1d29b7710ab1a2bbc972b48169f1c05/aiohttp/web_urldispatcher.py#L674
github.com/aio-libs/aiohttp/commit/ce2e9758814527589b10759a20783fb03b98339f
github.com/aio-libs/aiohttp/pull/8653
github.com/aio-libs/aiohttp/security/advisories/GHSA-jwhx-xcg6-8xhj
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
AI Score
Confidence
High
EPSS
Percentile
16.3%
SSVC
Exploitation
none
Automatable
no
Technical Impact
partial