aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.10.2, static routes which contain files with compressed variants (`.gz` or `.br` extension) are vulnerable to path traversal outside the root directory if those variants are symbolic links. The server protects static routes from path traversal outside the root directory when `follow_symlinks=False` (default). It does this by resolving the requested URL to an absolute path and then checking that path relative to the root. However, these checks are not performed when looking for compressed variants in the `FileResponse` class, and symbolic links are then automatically followed when performing the `Path.stat()` and `Path.open()` to send the file. Version 3.10.2 contains a patch for the issue.
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2024-52304
### Vulnerable Library - aiohttp-3.9.4-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.10.11, the Python parser parses newlines in chunk extensions incorrectly which can lead to request smuggling vulnerabilities under certain conditions. If a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or "AIOHTTP_NO_EXTENSIONS" is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections. Version 3.10.11 fixes the issue.
Async http client/server framework (asyncio)
Library home page: https://files.pythonhosted.org/packages/3c/63/fe97fbe6d18e8ad0b484a01c9c36df122f304668c7e76745e438ad184d80/aiohttp-3.9.4-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /tmp/ws-ua_20241116063240_UVKOEF/python_BLUWQC/202411160632431/env/lib/python3.8/site-packages/aiohttp-3.9.4.dist-info
Found in HEAD commit: 02b1d6aec96094d3525d9660dc28c98c85c579fd
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2024-42367
### Vulnerable Library - aiohttp-3.9.4-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whlAsync http client/server framework (asyncio)
Library home page: https://files.pythonhosted.org/packages/3c/63/fe97fbe6d18e8ad0b484a01c9c36df122f304668c7e76745e438ad184d80/aiohttp-3.9.4-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /tmp/ws-ua_20241116063240_UVKOEF/python_BLUWQC/202411160632431/env/lib/python3.8/site-packages/aiohttp-3.9.4.dist-info
Dependency Hierarchy: - :x: **aiohttp-3.9.4-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl** (Vulnerable Library)
Found in HEAD commit: 02b1d6aec96094d3525d9660dc28c98c85c579fd
Found in base branch: main
### Vulnerability Detailsaiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.10.2, static routes which contain files with compressed variants (`.gz` or `.br` extension) are vulnerable to path traversal outside the root directory if those variants are symbolic links. The server protects static routes from path traversal outside the root directory when `follow_symlinks=False` (default). It does this by resolving the requested URL to an absolute path and then checking that path relative to the root. However, these checks are not performed when looking for compressed variants in the `FileResponse` class, and symbolic links are then automatically followed when performing the `Path.stat()` and `Path.open()` to send the file. Version 3.10.2 contains a patch for the issue.
Publish Date: 2024-08-09
URL: CVE-2024-42367
### CVSS 3 Score Details (4.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/aio-libs/aiohttp/security/advisories/GHSA-jwhx-xcg6-8xhj
Release Date: 2024-08-09
Fix Resolution: 3.10.2
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2024-52304
### Vulnerable Library - aiohttp-3.9.4-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whlAsync http client/server framework (asyncio)
Library home page: https://files.pythonhosted.org/packages/3c/63/fe97fbe6d18e8ad0b484a01c9c36df122f304668c7e76745e438ad184d80/aiohttp-3.9.4-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /tmp/ws-ua_20241116063240_UVKOEF/python_BLUWQC/202411160632431/env/lib/python3.8/site-packages/aiohttp-3.9.4.dist-info
Dependency Hierarchy: - :x: **aiohttp-3.9.4-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl** (Vulnerable Library)
Found in HEAD commit: 02b1d6aec96094d3525d9660dc28c98c85c579fd
Found in base branch: main
### Vulnerability Detailsaiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.10.11, the Python parser parses newlines in chunk extensions incorrectly which can lead to request smuggling vulnerabilities under certain conditions. If a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or "AIOHTTP_NO_EXTENSIONS" is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections. Version 3.10.11 fixes the issue.
Publish Date: 2024-11-18
URL: CVE-2024-52304
### CVSS 3 Score Details (0.0)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/aio-libs/aiohttp/security/advisories/GHSA-8495-4g3g-x7pr
Release Date: 2024-11-18
Fix Resolution: 3.10.11
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)