aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. A XSS vulnerability exists on index pages for static file handling. This vulnerability is fixed in 3.9.4. We have always recommended using a reverse proxy server (e.g. nginx) for serving static files. Users following the recommendation are unaffected. Other users can disable `show_index` if unable to upgrade.
CVE-2024-27306 - Medium Severity Vulnerability
Vulnerable Library - aiohttp-2.2.2.tar.gz
Async http client/server framework (asyncio)
Library home page: https://files.pythonhosted.org/packages/f1/cc/828ce95d4d638f54936bbd1f896a75ba937839b17a63a57c1c491db6c26d/aiohttp-2.2.2.tar.gz
Path to dependency file: /test/acceptance/workspaces/setup_py-app
Path to vulnerable library: /test/acceptance/workspaces/setup_py-app
Dependency Hierarchy: - :x: **aiohttp-2.2.2.tar.gz** (Vulnerable Library)
Found in HEAD commit: 9505f4ca92405cc9273dc3726c2d274ce28a4407
Found in base branch: ALL_HANDS/major-secrets
Vulnerability Details
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. A XSS vulnerability exists on index pages for static file handling. This vulnerability is fixed in 3.9.4. We have always recommended using a reverse proxy server (e.g. nginx) for serving static files. Users following the recommendation are unaffected. Other users can disable `show_index` if unable to upgrade.
Publish Date: 2024-04-18
URL: CVE-2024-27306
CVSS 3 Score Details (6.1)
Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Changed - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://github.com/aio-libs/aiohttp/security/advisories/GHSA-7gpw-8wmc-pm8g
Release Date: 2024-04-18
Fix Resolution: 3.9.4
Step up your Open Source Security Game with Mend here