aiohttp vulnerable to path traversal outside root directory
CVE-2024-42367

4.8 MEDIUM

Key Information:

Vendor: aio-libs

Status: Vendor

CVE Published: 12 August 2024

What is CVE-2024-42367?

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Static routes that contain compressed variants of a file (a sibling file with a .gz or .br extension) are vulnerable to path traversal outside the root directory when those variants are symbolic links. With follow_symlinks=False (the default), the static handler protects against traversal by resolving the requested URL to an absolute path and checking that the result still lies inside the root. That check is not repeated for the compressed variant: FileResponse locates it by appending the extension to the already-validated path, so a variant that is a symlink to a file outside the root is followed and its contents are served to any client whose Accept-Encoding header includes gzip or br. Exploitation requires that such a symlink already exists, or can be created, in the static directory, which is why the attack complexity is rated High. aiohttp 3.10.2 adds the missing checks to the compressed-variant lookup.
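The two lookups the advisory contrasts, as an added example that is not aiohttp's own code: the requested path is resolved and checked against the static root, while the .gz/.br variant is found by appending the extension to that already-checked path. The module uses only pathlib, so it runs without aiohttp installed; the function names, the directory layout it builds under a temporary directory, and the hardened lookup (lstat plus a regular-file check when follow_symlinks is False) are assumptions made for the demonstration and are not claimed to be the exact change shipped in 3.10.2.

```python
"""Model of the compressed-variant lookup behind CVE-2024-42367.

Added example, not aiohttp's code. Function and directory names are
assumptions made for the demonstration.
"""
import stat
import tempfile
from pathlib import Path
from typing import Dict, Optional, Tuple

# Extension -> Content-Encoding pairs the advisory is about.
ENCODING_EXTENSIONS = {".br": "br", ".gz": "gzip"}


def resolve_static_path(root: Path, url_path: str) -> Path:
    """Containment check for the requested URL (models follow_symlinks=False).

    The URL path is joined to the root, fully resolved (symlinks included) and
    must remain inside the root; Path.relative_to raises ValueError otherwise.
    """
    root = root.resolve()
    candidate = root.joinpath(url_path.lstrip("/")).resolve()
    candidate.relative_to(root)  # ValueError would become a 403/404 in a handler
    return candidate


def pick_variant_vulnerable(
    file_path: Path, accept_encoding: str
) -> Tuple[Path, Optional[str]]:
    """Shape of the pre-3.10.2 lookup (modelled): append the extension to the
    already-validated path and stat() the result. is_file() follows symlinks
    and nothing re-checks where the variant actually points."""
    for ext, encoding in ENCODING_EXTENSIONS.items():
        if encoding not in accept_encoding:
            continue
        variant = file_path.with_suffix(file_path.suffix + ext)
        if variant.is_file():
            return variant, encoding
    return file_path, None


def pick_variant_hardened(
    file_path: Path, accept_encoding: str, follow_symlinks: bool = False
) -> Tuple[Path, Optional[str]]:
    """Hardened lookup (assumed approach): with follow_symlinks=False a variant
    is used only when lstat() reports a regular file, so a symlinked variant is
    skipped instead of followed; the uncompressed file is served instead."""
    for ext, encoding in ENCODING_EXTENSIONS.items():
        if encoding not in accept_encoding:
            continue
        variant = file_path.with_suffix(file_path.suffix + ext)
        try:
            st = variant.stat() if follow_symlinks else variant.lstat()
        except OSError:
            continue
        if stat.S_ISREG(st.st_mode):
            return variant, encoding
    return file_path, None


def demo() -> Dict[str, object]:
    """Build a throwaway static root whose app.js.gz is a symlink pointing
    outside it (constructed sample data) and report what each lookup serves."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp).resolve()
        root = base / "static"
        root.mkdir()
        (root / "app.js").write_text("console.log('public');\n")
        secret = base / "secret.txt"  # lives outside the static root
        secret.write_text("outside the web root\n")
        (root / "app.js.gz").symlink_to(secret)  # the dangerous variant

        # A direct request for the symlink is caught by the containment check.
        try:
            resolve_static_path(root, "/app.js.gz")
            direct_rejected = False
        except ValueError:
            direct_rejected = True

        # The request for app.js passes; the variant lookup is where they differ.
        requested = resolve_static_path(root, "/app.js")
        accept = "gzip, deflate, br"
        vuln_path, vuln_enc = pick_variant_vulnerable(requested, accept)
        hard_path, hard_enc = pick_variant_hardened(requested, accept)

        return {
            "direct_symlink_request_rejected": direct_rejected,
            "vulnerable_encoding": vuln_enc,
            "vulnerable_serves": vuln_path.read_text(),
            "hardened_encoding": hard_enc,
            "hardened_serves": hard_path.read_text(),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Running the module shows the direct request for app.js.gz rejected while the vulnerable lookup still returns the symlink's target with Content-Encoding gzip; the hardened lookup falls back to the plain app.js. Until an affected deployment is upgraded, the practical check is to list symlinks with .gz or .br names under every static root (for example with `find static/ -type l \( -name '*.gz' -o -name '*.br' \)`) and confirm each one resolves inside that root.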

Affected Version(s)

aiohttp >= 3.10.0b1, < 3.10.2 (fixed in 3.10.2; earlier 3.9.x releases are not affected)

CVSS V3.1

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Score: 4.8
Severity: MEDIUM
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: None

(The 4.8 base score corresponds to an Availability impact of None; with Availability Low the same metrics would score 5.6. Reading files outside the root does not affect availability.)

Timeline

  • Vulnerability reserved

  • Vulnerability published: 12 August 2024