aiohttp vulnerable to path traversal outside root directory
CVE-2024-42367
What is CVE-2024-42367?
aiohttp, a popular asynchronous HTTP client/server framework for asyncio and Python, is affected by a path traversal vulnerability in static routes that serve pre-compressed file variants with .gz or .br extensions. When follow_symlinks=False (the default), the framework guards static routes against traversal outside the root directory by resolving the requested URL to an absolute path and checking that the result lies under the root. That check is applied only to the originally requested file: when the FileResponse class then looks for a compressed variant of that file, no equivalent check is performed, and a symbolic link at the variant's location is followed automatically by the subsequent stat and open calls. A .gz or .br file in the static root that is a symbolic link pointing outside the root can therefore be served to a client, disclosing the link target. The precondition is that such a symlink exists in the served directory. Version 3.10.2 fixes the issue by applying the root-directory check to the compressed variant as well; until upgrading, avoid symlinked .gz/.br files in directories served through add_static().
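The following stand-alone example, added here and not taken from aiohttp or the advisory, reproduces the failure mode described above in plain Python: a root-directory check that is applied to the requested file but skipped for its compressed variant, beside a hardened version that checks every path it would actually serve. The function names, the variant-selection logic and the sample directory tree (a static root containing index.html and a symlink index.html.gz pointing at a file outside the root) are constructed for the demonstration and are not aiohttp's implementation.

```python
"""
Illustration of the CVE-2024-42367 failure mode: a root check applied to the
requested file but not to its .gz/.br variant, so a symlinked variant escapes.

Example code written for this page; it does not use or mirror aiohttp's own
FileResponse code. Names, helpers and the sample tree are constructed.
"""
from __future__ import annotations

import os
import tempfile
from pathlib import Path
from typing import Optional, Tuple

COMPRESSED_SUFFIXES = (".br", ".gz")


def is_within_root(path: Path, root: Path) -> bool:
    """True if the fully resolved path (symlinks followed) stays inside root."""
    try:
        path.resolve().relative_to(root.resolve())
    except ValueError:
        return False
    return True


def pick_file_unsafe(root: Path, requested: str) -> Optional[Path]:
    """
    Vulnerable pattern: validate the requested path against the root, then
    prefer a compressed sibling without re-validating it. is_file() follows
    symlinks, so a 'name.gz' link pointing outside the root is returned.
    """
    candidate = root / requested.lstrip("/")
    if not is_within_root(candidate, root):
        return None
    for suffix in COMPRESSED_SUFFIXES:
        variant = candidate.with_name(candidate.name + suffix)
        if variant.is_file():  # no root check on the variant (the bug)
            return variant
    return candidate if candidate.is_file() else None


def pick_file_safe(root: Path, requested: str) -> Optional[Path]:
    """Hardened pattern: every path that would be served is checked against root."""
    candidate = root / requested.lstrip("/")
    if not is_within_root(candidate, root):
        return None
    for suffix in COMPRESSED_SUFFIXES:
        variant = candidate.with_name(candidate.name + suffix)
        if variant.is_file() and is_within_root(variant, root):
            return variant
    return candidate if candidate.is_file() else None


def build_demo_tree() -> Tuple[Path, Path]:
    """
    Constructed sample layout (not from the advisory):
      <tmp>/static/index.html      legitimate file inside the root
      <tmp>/static/index.html.gz   symlink to <tmp>/secret.txt, outside the root
      <tmp>/secret.txt             the file an attacker wants to read
    Returns (root, secret).
    """
    base = Path(tempfile.mkdtemp(prefix="cve-2024-42367-"))
    root = base / "static"
    root.mkdir()
    (root / "index.html").write_text("<html>public</html>\n")
    secret = base / "secret.txt"
    secret.write_text("database-password\n")
    os.symlink(secret, root / "index.html.gz")
    return root, secret


def demo() -> dict:
    """Run both selectors against the sample tree and report what each would serve."""
    root, secret = build_demo_tree()
    unsafe = pick_file_unsafe(root, "/index.html")
    safe = pick_file_safe(root, "/index.html")
    return {
        # vulnerable selector hands back the symlink to the out-of-root file
        "unsafe_leaks": unsafe is not None and unsafe.resolve() == secret.resolve(),
        # hardened selector skips the escaping variant and serves the real file
        "safe_serves_root_file": safe is not None
        and safe.resolve() == (root / "index.html").resolve(),
        # plain ../ traversal is rejected by both, as in the original check
        "traversal_rejected": pick_file_safe(root, "../secret.txt") is None
        and pick_file_unsafe(root, "../secret.txt") is None,
    }


if __name__ == "__main__":
    print(demo())
```

The point to take from the two selectors is that the check must be applied to the path the server will open, not to the path the client named: the requested file and its compressed variant are different filesystem entries, and a symlink makes the second one resolve somewhere the first never could.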

Affected Version(s)
aiohttp >= 3.10.0b1, < 3.10.2
