CVE-2024-42367

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2024-42367

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-42367.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2024-42367

Aliases

GHSA-jwhx-xcg6-8xhj

Related

Published

2024-08-12T13:38:34Z

Modified

2024-10-08T04:20:55.750080Z

Summary

[none]

Details

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.10.2, static routes which contain files with compressed variants (.gz or .br extension) are vulnerable to path traversal outside the root directory if those variants are symbolic links. The server protects static routes from path traversal outside the root directory when follow_symlinks=False (default). It does this by resolving the requested URL to an absolute path and then checking that path relative to the root. However, these checks are not performed when looking for compressed variants in the FileResponse class, and symbolic links are then automatically followed when performing the Path.stat() and Path.open() to send the file. Version 3.10.2 contains a patch for the issue.

References

Affected packages

Debian:11 / python-aiohttp

Package

Name: python-aiohttp
Purl: pkg:deb/debian/python-aiohttp?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

3.*

3.7.4-1

3.7.4-2

3.8.1-1

3.8.1-2

3.8.1-3

3.8.1-4

3.8.1-5

3.8.3-1

3.8.4-1

3.8.5-1

3.8.6-1

3.9.1-1

3.9.5-1

3.10.0-1

3.10.1-1

3.10.3-1

3.10.3-2

3.10.3-3

3.10.4-1

3.10.5-1

3.10.6-1

3.10.8-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / python-aiohttp

Package

Name: python-aiohttp
Purl: pkg:deb/debian/python-aiohttp?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

3.*

3.8.4-1

3.8.5-1

3.8.6-1

3.9.1-1

3.9.5-1

3.10.0-1

3.10.1-1

3.10.3-1

3.10.3-2

3.10.3-3

3.10.4-1

3.10.5-1

3.10.6-1

3.10.8-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / python-aiohttp

Package

Name: python-aiohttp
Purl: pkg:deb/debian/python-aiohttp?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.10.3-2

Affected versions

3.*

3.8.4-1

3.8.5-1

3.8.6-1

3.9.1-1

3.9.5-1

3.10.0-1

3.10.1-1

3.10.3-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/aio-libs/aiohttp

Affected ranges

Type: GIT
Repo: https://github.com/aio-libs/aiohttp
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

ce2e9758814527589b10759a20783fb03b98339f

Affected versions

0.*

0.15.2

0.8.2

1.*

1.3.0

2.*

2.0.0

2.0.0rc1

2.0.1

2.0.2

2.0.3

2.0.3-1

2.0.4

2.0.5

2.0.6

2.0.7

4v0.*

4v0.21.6

v.*

v.0.6.5

v0.*

v0.1

v0.10.0

v0.10.1

v0.10.2

v0.11.0

v0.12.0

v0.13.0

v0.13.1

v0.14.0

v0.14.1

v0.14.2

v0.14.3

v0.14.4

v0.15.0

v0.15.1

v0.15.2

v0.15.3

v0.16.0

v0.16.1

v0.16.2

v0.16.3

v0.16.4

v0.16.5

v0.16.6

v0.17.0

v0.17.1

v0.17.2

v0.17.3

v0.17.4

v0.18.0

v0.18.1

v0.18.2

v0.18.3

v0.18.4

v0.19.0

v0.2

v0.20.0

v0.20.1

v0.20.2

v0.21.0

v0.21.0a0

v0.21.0a1

v0.21.0a2

v0.21.1

v0.21.2

v0.21.3

v0.21.4

v0.21.5

v0.21.6

v0.22.0

v0.22.0b0

v0.22.0b1

v0.22.0b2

v0.22.0b3

v0.22.0b4

v0.22.0b5

v0.22.0b6

v0.22.1

v0.22.2

v0.22.3

v0.22.4

v0.22.5

v0.3

v0.4

v0.4.1

v0.4.2

v0.5.0

v0.6.1

v0.6.2

v0.6.3

v0.6.4

v0.7.0

v0.7.1

v0.7.2

v0.7.3

v0.8.0

v0.8.1

v0.8.3

v0.8.4

v0.9.0

v0.9.1

v0.9.2

v0.9.3

v1.*

v1.0.0

v1.0.1

v1.0.2

v1.0.4

v1.0.5

v1.1.0

v1.1.1

v1.1.2

v1.1.3

v1.1.4

v1.1.5

v1.1.6

v1.2.0

v2.*

v2.1.0

v2.2.0

v2.2.1

v2.2.2

v2.2.3

v2.2.4

v2.2.5

v2.3.0

v2.3.0a1

v2.3.0a2

v2.3.0a3

v2.3.0a4

v2.3.1

v2.3.10

v2.3.1a1

v2.3.2

v2.3.2b1

v2.3.2b2

v2.3.2b3

v2.3.3

v2.3.4

v2.3.5

v2.3.6

v2.3.7

v2.3.8

v2.3.9

v3.*

v3.0.0

v3.0.0b0

v3.0.0b1

v3.0.0b2

v3.0.0b3

v3.0.0b4

v3.0.1

v3.0.2

v3.0.3

v3.0.4

v3.0.5

v3.0.6

v3.0.7

v3.0.8

v3.0.9

v3.1.0

v3.1.1

v3.1.2

v3.1.3

v3.10.0

v3.10.0b0

v3.10.0b1

v3.10.0rc0

v3.10.1

v3.2.0

v3.2.1

v3.3.0

v3.3.1

v3.3.1b1

v3.3.2

v3.3.2a0

v3.4.0

v3.4.0a0

v3.4.0a3

v3.4.0b1

v3.4.0b2

v3.4.1

v3.4.2

v3.4.3

v3.4.4

v3.5.0

v3.5.0a1

v3.5.0b1

v3.5.0b2

v3.5.0b3

v3.5.1

v3.5.2

v3.5.3

v3.5.4

v3.6.0

v3.6.0a0

v3.6.0a1

v3.6.0a10

v3.6.0a11

v3.6.0a12

v3.6.0a2

v3.6.0a3

v3.6.0a4

v3.6.0a5

v3.6.0a6

v3.6.0a7

v3.6.0a8

v3.6.0a9

v3.6.0b0

v3.6.1

v3.6.1b3

v3.6.1b4

v3.6.2

v3.6.2a1

v3.6.2a2

v3.7.0

v3.7.0b0

v3.7.0b1

v3.7.1

v3.7.2

v3.7.3

v3.7.4

v3.7.4.post0

v3.8.0

v3.8.1

v3.8.2

v3.8.2a0

v3.8.3

v3.9.0

v3.9.0b0

v3.9.0b1

v3.9.0rc0

v3.9.1

v3.9.2

v3.9.3

v3.9.4

v3.9.5