Open mend-bolt-for-github[bot] opened 1 month ago
Path traversal vulnerabilities occur when inputs that have not been sufficiently validated or sanitised are used to build directory or file paths. If an attacker can influence the path being accessed by the server, they may be able to gain unauthorised access to files or even execute arbitrary code on the server (when coupled with file upload functionality).
Use of vulnerable components will introduce weaknesses into the application. Components with published vulnerabilities will allow easy exploitation as resources will often be available to automate the process.
CVE-2024-42367 - Medium Severity Vulnerability
Vulnerable Library - aiohttp-3.8.6-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
Async http client/server framework (asyncio)
Library home page: https://files.pythonhosted.org/packages/a5/e7/af237a28203958d885f7f57731cb4f9c510597a35c593c5c20224dd72072/aiohttp-3.8.6-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
Path to dependency file: /SuperCluster/macOS/Python/requirements.txt
Path to vulnerable library: /SuperCluster/macOS/Python/requirements.txt,/Linux/Blackarch/optional/requirements.txt,/Linux/Python/requirements.txt,/SuperCluster/ArchLinux/Python/requirements.txt,/SuperCluster/Kali/Python/requirements.txt
Dependency Hierarchy: - :x: **aiohttp-3.8.6-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl** (Vulnerable Library)
Found in HEAD commit: 282db09a8dda8b4c4d0ff56875195546b18b0ec5
Found in base branch: master
Vulnerability Details
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.10.2, static routes which contain files with compressed variants (`.gz` or `.br` extension) are vulnerable to path traversal outside the root directory if those variants are symbolic links. The server protects static routes from path traversal outside the root directory when `follow_symlinks=False` (default). It does this by resolving the requested URL to an absolute path and then checking that path relative to the root. However, these checks are not performed when looking for compressed variants in the `FileResponse` class, and symbolic links are then automatically followed when performing the `Path.stat()` and `Path.open()` to send the file. Version 3.10.2 contains a patch for the issue.
Publish Date: 2024-08-09
URL: CVE-2024-42367
CVSS 3 Score Details (4.8)
Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://github.com/aio-libs/aiohttp/security/advisories/GHSA-jwhx-xcg6-8xhj
Release Date: 2024-08-09
Fix Resolution: 3.10.2
Step up your Open Source Security Game with Mend here