AZL-47763

See a problem?

Import Source

https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-47763.json

JSON Data

https://api.test.osv.dev/v1/vulns/AZL-47763

Upstream

CVE-2024-42367

Published

2024-08-12T13:38:34Z

Modified

2026-04-01T05:17:03.744759Z

Summary

CVE-2024-42367 affecting package python-aiohttp 3.6.2-3

Details

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In versions on the 3.10 branch prior to version 3.10.2, static routes which contain files with compressed variants (.gz or .br extension) are vulnerable to path traversal outside the root directory if those variants are symbolic links. The server protects static routes from path traversal outside the root directory when follow_symlinks=False (default). It does this by resolving the requested URL to an absolute path and then checking that path relative to the root. However, these checks are not performed when looking for compressed variants in the FileResponse class, and symbolic links are then automatically followed when performing the Path.stat() and Path.open() to send the file. Version 3.10.2 contains a patch for the issue.

References

https://nvd.nist.gov/vuln/detail/CVE-2024-42367

Affected packages

Azure Linux:3 / python-aiohttp

Package

Name: python-aiohttp
Purl: pkg:rpm/azure-linux/python-aiohttp

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Last affected

3.6.2-3

Database specific

source

"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-47763.json"