secure-code-warrior-for-github[bot]
commented
1 month ago Micro-Learning Topic: Path traversal (Detected by phrase)
Matched on "path traversal"
Path traversal vulnerabilities occur when inputs that have not been sufficiently validated or sanitised are used to build directory or file paths. If an attacker can influence the path being accessed by the server, they may be able to gain unauthorised access to files or even execute arbitrary code on the server (when coupled with file upload functionality).
Try a challenge in Secure Code Warrior
Helpful references
- OWASP Input Validation Cheat Sheet - This cheatsheet is focused on providing clear, simple, actionable guidance for preventing injection and input validation flaws in your applications, including defence against path traversal.
- OWASP Path Traversal - OWASP community page with comprehensive information about path traversal, and links to various OWASP resources to help detect or prevent it.
Micro-Learning Topic: Vulnerable library (Detected by phrase)
Matched on "Vulnerable Library"
Use of vulnerable components will introduce weaknesses into the application. Components with published vulnerabilities will allow easy exploitation as resources will often be available to automate the process.
CVE-2024-42367 - Medium Severity Vulnerability
Async http client/server framework (asyncio)
Library home page: https://files.pythonhosted.org/packages/a5/e7/af237a28203958d885f7f57731cb4f9c510597a35c593c5c20224dd72072/aiohttp-3.8.6-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
Path to dependency file: /SuperCluster/macOS/Python/requirements.txt
Path to vulnerable library: /SuperCluster/macOS/Python/requirements.txt,/Linux/Blackarch/optional/requirements.txt,/Linux/Python/requirements.txt,/SuperCluster/ArchLinux/Python/requirements.txt,/SuperCluster/Kali/Python/requirements.txt
Dependency Hierarchy: - :x: **aiohttp-3.8.6-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl** (Vulnerable Library)
Found in HEAD commit: 282db09a8dda8b4c4d0ff56875195546b18b0ec5
Found in base branch: master
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.10.2, static routes which contain files with compressed variants (`.gz` or `.br` extension) are vulnerable to path traversal outside the root directory if those variants are symbolic links. The server protects static routes from path traversal outside the root directory when `follow_symlinks=False` (default). It does this by resolving the requested URL to an absolute path and then checking that path relative to the root. However, these checks are not performed when looking for compressed variants in the `FileResponse` class, and symbolic links are then automatically followed when performing the `Path.stat()` and `Path.open()` to send the file. Version 3.10.2 contains a patch for the issue.
Publish Date: 2024-08-09
URL: CVE-2024-42367
Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: None
For more information on CVSS3 Scores, click here.Type: Upgrade version
Origin: https://github.com/aio-libs/aiohttp/security/advisories/GHSA-jwhx-xcg6-8xhj
Release Date: 2024-08-09
Fix Resolution: 3.10.2
Step up your Open Source Security Game with Mend here