search

GNS3 / gns3-server

GNS3 server
GNU General Public License v3.0
811 stars 263 forks source link

CVE-2024-42367 (Medium) detected in aiohttp-3.9.5-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl - autoclosed #2434

Closed mend-for-github-com[bot] closed 2 weeks ago

mend-for-github-com[bot] commented 2 weeks ago

CVE-2024-42367 - Medium Severity Vulnerability

Vulnerable Library - aiohttp-3.9.5-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

Async http client/server framework (asyncio)

Library home page: https://files.pythonhosted.org/packages/bf/85/6166b71dc124cbca726f1d062218a61f2541d7c5192bef8c9b518b787132/aiohttp-3.9.5-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt,/mac-requirements.txt

Dependency Hierarchy: - :x: **aiohttp-3.9.5-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl** (Vulnerable Library)

Found in HEAD commit: fda2a37b98507f17a864087fe28ef6b2dcf1984c

Found in base branch: 3.0

Vulnerability Details

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.10.2, static routes which contain files with compressed variants (`.gz` or `.br` extension) are vulnerable to path traversal outside the root directory if those variants are symbolic links. The server protects static routes from path traversal outside the root directory when `follow_symlinks=False` (default). It does this by resolving the requested URL to an absolute path and then checking that path relative to the root. However, these checks are not performed when looking for compressed variants in the `FileResponse` class, and symbolic links are then automatically followed when performing the `Path.stat()` and `Path.open()` to send the file. Version 3.10.2 contains a patch for the issue.

Publish Date: 2024-08-09

URL: CVE-2024-42367

CVSS 3 Score Details (4.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/aio-libs/aiohttp/security/advisories/GHSA-jwhx-xcg6-8xhj

Release Date: 2024-08-09

Fix Resolution: 3.10.2

mend-for-github-com[bot] commented 2 weeks ago

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.