search

opensearch-project / opensearch-py

Python Client for OpenSearch
https://opensearch.org/docs/latest/clients/python/
Apache License 2.0
338 stars 170 forks source link

CVE-2024-23334 (High) detected in aiohttp-3.8.6-cp310-cp310-macosx_10_9_universal2.whl, aiohttp-3.8.6-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl #687

Closed mend-for-github-com[bot] closed 5 months ago

mend-for-github-com[bot] commented 6 months ago

CVE-2024-23334 - High Severity Vulnerability

Vulnerable Libraries - aiohttp-3.8.6-cp310-cp310-macosx_10_9_universal2.whl, aiohttp-3.8.6-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

aiohttp-3.8.6-cp310-cp310-macosx_10_9_universal2.whl

Async http client/server framework (asyncio)

Library home page: https://files.pythonhosted.org/packages/90/89/b332d6d2b27d84a876baba1405c6c51b85d30dd474878ef35646f0021a1c/aiohttp-3.8.6-cp310-cp310-macosx_10_9_universal2.whl

Dependency Hierarchy: - :x: **aiohttp-3.8.6-cp310-cp310-macosx_10_9_universal2.whl** (Vulnerable Library)

aiohttp-3.8.6-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

Async http client/server framework (asyncio)

Library home page: https://files.pythonhosted.org/packages/a5/e7/af237a28203958d885f7f57731cb4f9c510597a35c593c5c20224dd72072/aiohttp-3.8.6-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

Path to dependency file: /dev-requirements.txt

Path to vulnerable library: /dev-requirements.txt

Dependency Hierarchy: - :x: **aiohttp-3.8.6-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl** (Vulnerable Library)

Found in HEAD commit: d36a882eaf74bfddf4b7b9956f19377ce1030725

Found in base branch: main

Vulnerability Details

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. When using aiohttp as a web server and configuring static routes, it is necessary to specify the root path for static files. Additionally, the option 'follow_symlinks' can be used to determine whether to follow symbolic links outside the static root directory. When 'follow_symlinks' is set to True, there is no validation to check if reading a file is within the root directory. This can lead to directory traversal vulnerabilities, resulting in unauthorized access to arbitrary files on the system, even when symlinks are not present. Disabling follow_symlinks and using a reverse proxy are encouraged mitigations. Version 3.9.2 fixes this issue.

Publish Date: 2024-01-29

URL: CVE-2024-23334

CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/aio-libs/aiohttp/security/advisories/GHSA-5h86-8mv2-jq9f

Release Date: 2024-01-29

Fix Resolution: 3.9.2

saimedhi commented 6 months ago

To upgrade aiohttp to 3.9.2 requires Python >=3.8. But opensearch-py currently supports Python 3.6 and 3.7 versions as well.

Relavant PR https://github.com/opensearch-project/opensearch-py/pull/634