CVE-2024-42367: UNIX Symbolic Link (Symlink) Following in Aiohttp

Severity: 4.8 MEDIUM (NVD)
EPSS: 0.4% (top 42.34%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline: Published Aug 12; Latest update Apr 15

Description

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In versions on the 3.10 branch prior to version 3.10.2, static routes which contain files with compressed variants (`.gz` or `.br` extension) are vulnerable to path traversal outside the root directory if those variants are symbolic links. The server protects static routes from path traversal outside the root directory when `follow_symlinks=False` (default). It does this by resolving the requested URL to an absolute

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Exploitability: 2.2 | Impact: 2.5

Affected Packages (3 packages)

NVD: aiohttp/aiohttp, introduced 3.10.0, fixed 3.10.2
PyPI: aiohttp/aiohttp, introduced 3.10.0b1, fixed 3.10.2
CVEList V5: aio-libs/aiohttp, affected range >= 3.10.0b1, < 3.10.2

Patches

Vulnerability Details (4)

OSV: CVE-2024-42367: aiohttp is an asynchronous HTTP client/server framework for asyncio and Python (2024-08-12)
CVEList: In aiohttp, compressed files as symlinks are not protected from path traversal (2024-08-09)
GHSA: In aiohttp, compressed files as symlinks are not protected from path traversal (2024-08-09)
OSV: In aiohttp, compressed files as symlinks are not protected from path traversal (2024-08-09)

Vendor Advisories (3)

Oracle: Oracle Siebel CRM Risk Matrix: Siebel Cloud Manager (AIOHTTP) — CVE-2024-42367 (2025-04-15)
Red Hat: aiohttp: python-aiohttp: Compressed files as symlinks are not protected from path traversal (2024-08-09)
Debian: CVE-2024-42367: python-aiohttp - aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. ... (2024)