CVE-2024-42367: In aiohttp, compressed files as symlinks are not protected from path traversal
Static routes which contain files with compressed variants (.gz or .br extension) are vulnerable to path traversal outside the root directory if those variants are symbolic links. With the default follow_symlinks=False, aiohttp confines a static route to its root by resolving the requested path and checking it relative to the root directory; that check was not applied when looking up a compressed variant of the requested file, so a .gz or .br variant that is a symlink to a location outside the root was followed and its target served. Fixed in aiohttp 3.10.2.
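The missing check, as an added example that is not aiohttp's own code: a simplified model of a static-file lookup with the unsafe variant selection beside the hardened one. The directory layout (a static root, a sibling directory outside it, and an `index.html.gz` symlink pointing out of the root), the function names and the file contents are all constructed here for illustration.

```python
from __future__ import annotations

import shutil
import tempfile
from pathlib import Path

# aiohttp looks for a Brotli variant first, then a gzip one
COMPRESSED_SUFFIXES = (".br", ".gz")


def _confined(path: Path, root: Path) -> bool:
    """True if the fully resolved path still lies inside the resolved root."""
    try:
        path.resolve().relative_to(root)
        return True
    except ValueError:
        return False


def vulnerable_pick(root: Path, rel: str) -> Path | None:
    """Model of the pre-fix lookup (simplified; not aiohttp's code).

    The plain file is confined to root, but a compressed variant is chosen as
    soon as it exists on disk; where a symlinked variant points is never checked.
    """
    root = root.resolve()
    plain = (root / rel).resolve()
    if not _confined(plain, root):
        return None
    for sfx in COMPRESSED_SUFFIXES:
        variant = plain.parent / (plain.name + sfx)
        if variant.exists():  # exists() follows the symlink but does not confine it
            return variant
    return plain if plain.is_file() else None


def hardened_pick(root: Path, rel: str) -> Path | None:
    """Same lookup with the check applied to the variant too: a variant is used
    only if its resolved target is inside root, otherwise the plain file is served."""
    root = root.resolve()
    plain = (root / rel).resolve()
    if not _confined(plain, root):
        return None
    for sfx in COMPRESSED_SUFFIXES:
        variant = plain.parent / (plain.name + sfx)
        if variant.exists() and _confined(variant, root):
            return variant.resolve()
    return plain if plain.is_file() else None


def build_fixture() -> tuple[Path, Path]:
    """Constructed layout (hypothetical files, created under a temp dir):
        static/index.html                               the legitimate file
        outside/secret.txt                              must never be served
        static/index.html.gz -> ../outside/secret.txt   the malicious variant
    """
    tmp = Path(tempfile.mkdtemp())
    root, outside = tmp / "static", tmp / "outside"
    root.mkdir()
    outside.mkdir()
    (root / "index.html").write_text("<h1>hello</h1>")
    (outside / "secret.txt").write_text("TOP SECRET")
    (root / "index.html.gz").symlink_to(Path("..") / "outside" / "secret.txt")
    return tmp, root


def demo() -> dict[str, object]:
    """Run both lookups against the fixture and report what each would serve."""
    tmp, root = build_fixture()
    try:
        vuln = vulnerable_pick(root, "index.html")
        hard = hardened_pick(root, "index.html")
        return {
            "vulnerable_serves": vuln.read_text() if vuln else None,
            "hardened_serves": hard.read_text() if hard else None,
            # plain ../ traversal was already rejected before the fix
            "dotdot_rejected": hardened_pick(root, "../outside/secret.txt") is None,
        }
    finally:
        shutil.rmtree(tmp)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The point to take from the model is that confinement has to be rechecked for every path the server derives from the request, not only the one it was literally given: the `.gz` symlink sits inside the root, so an `exists()` test passes, and only resolving it exposes the target outside the root. On a deployed server, auditing a static root for symlinked `.gz`/`.br` files whose targets resolve outside it is the quickest way to tell whether this was exploitable before upgrading.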
References
- github.com/advisories/GHSA-jwhx-xcg6-8xhj
- github.com/aio-libs/aiohttp
- github.com/aio-libs/aiohttp/blob/e0ff5246e1d29b7710ab1a2bbc972b48169f1c05/aiohttp/web_fileresponse.py
- github.com/aio-libs/aiohttp/blob/e0ff5246e1d29b7710ab1a2bbc972b48169f1c05/aiohttp/web_urldispatcher.py
- github.com/aio-libs/aiohttp/commit/ce2e9758814527589b10759a20783fb03b98339f
- github.com/aio-libs/aiohttp/pull/8653
- github.com/aio-libs/aiohttp/security/advisories/GHSA-jwhx-xcg6-8xhj
- nvd.nist.gov/vuln/detail/CVE-2024-42367