VDB

DEBIAN-CVE-2024-42367

DEBIAN-CVE-2024-42367 PUBLISHED CVSS 4.800000190734863 MEDIUM

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In versions on the 3.10 branch prior to version 3.10.2, static routes which contain files with compressed variants (`.gz` or `.br` extension) are vulnerable to path traversal outside the root directory if those variants are symbolic links. The server protects static routes from path traversal outside the root directory when `follow_symlinks=False` (default). It does this by resolving the requested URL to an absolute path and then checking that path relative to the root. However, these checks are not performed when looking for compressed variants in the `FileResponse` class, and symbolic links are then automatically followed when performing the `Path.stat()` and `Path.open()` to send the file. Version 3.10.2 contains a patch for the issue.

Risk Scores

CVSS 3.1
4.800000190734863
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Affected Products

VendorProductVersions
Debian:12python-aiohttp3.10.10-2, 3.8.6-1, 3.9.1-1
Debian:14python-aiohttp0, 0
Debian:13python-aiohttp0, 0

Timeline

  • Aug 12, 2024 CVE Published
  • Apr 28, 2026 CVE Updated
Open in Interactive Console →
$ Console Community · 100/wk Open console ›