CVE-2024-42367: In aiohttp, compressed files as symlinks are not protected from path traversal
Static routes which contain files with compressed variants (.gz or .br extension) were vulnerable to path traversal outside the root directory if those variants are symbolic links.
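The following is an added illustration, not aiohttp's own code, of the failure mode the advisory describes and of the check that closes it: a minimal static-file resolver that prefers a pre-compressed variant (.gz or .br) of the requested file, with a flag that switches between trusting the variant (the pre-fix pattern) and resolving it through any symlinks and confirming it still lies under the root. The function names, the `check_variants` flag and the temporary directory layout (a root containing `index.html`, and `index.html.gz` as a symlink to a file outside the root) are constructed for this example.

```python
"""Symlinked compressed variants versus a root-confinement check.

Added example, not aiohttp's code: a toy resolver for static routes that
serves .gz / .br variants and, in hardened mode, rejects any candidate whose
real path (symlinks followed) leaves the configured root directory.
"""
import os
import tempfile
from pathlib import Path

COMPRESSED_SUFFIXES = (".gz", ".br")


def _inside(path: Path, root: Path) -> bool:
    """True if an already-resolved `path` is `root` itself or a descendant of it."""
    try:
        path.relative_to(root)
        return True
    except ValueError:
        return False


def resolve_static(root: Path, rel_path: str, check_variants: bool = True) -> Path:
    """Return the real file to serve for `rel_path`, preferring a compressed variant.

    The plain file is always resolved and confined to `root`. With
    check_variants=True each compressed variant is resolved the same way and
    rejected if it escapes; with check_variants=False the variant is trusted
    once it exists, which is the pattern the advisory describes as vulnerable.
    """
    root = root.resolve()
    plain = (root / rel_path).resolve()
    if not _inside(plain, root):
        raise PermissionError(f"{rel_path!r} escapes root")
    for suffix in COMPRESSED_SUFFIXES:
        candidate = plain.parent / (plain.name + suffix)
        if not candidate.exists():  # exists() follows symlinks
            continue
        real = candidate.resolve()  # follows the symlink to its true target
        if check_variants and not _inside(real, root):
            raise PermissionError(f"{candidate.name!r} resolves outside root")
        return real
    return plain


def build_demo() -> tuple[Path, Path]:
    """Construct a sandbox: root/index.html plus root/index.html.gz -> ../secret.txt."""
    base = Path(tempfile.mkdtemp())
    root = base / "static"
    root.mkdir()
    (root / "index.html").write_text("<html>hello</html>")
    secret = base / "secret.txt"  # constructed file outside the web root
    secret.write_text("outside the web root")
    # The compressed "variant" is a symlink that escapes the root (constructed).
    os.symlink(secret, root / "index.html.gz")
    return root, secret


def demo() -> dict:
    """Exercise both modes and report which behaviours were observed."""
    root, secret = build_demo()
    result = {}
    # Pre-fix behaviour: the symlinked .gz is served from outside the root.
    served = resolve_static(root, "index.html", check_variants=False)
    result["vulnerable"] = served == secret.resolve()
    # Hardened behaviour: the escaping variant is rejected.
    try:
        resolve_static(root, "index.html", check_variants=True)
        result["hardened_rejects"] = False
    except PermissionError:
        result["hardened_rejects"] = True
    # Plain ../ traversal in the request path is rejected in both modes.
    try:
        resolve_static(root, "../secret.txt", check_variants=False)
        result["dotdot_rejected"] = False
    except PermissionError:
        result["dotdot_rejected"] = True
    return result


if __name__ == "__main__":
    print(demo())
```

The point of the example is that confining the requested path alone is not enough: every file the handler might actually open, including each compressed variant, has to be resolved with symlinks followed and checked against the resolved root, because a `.gz` or `.br` name that sits inside the directory can still point anywhere.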
References