CVE-2024-42367

EUVD-2024-2609
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In versions on the 3.10 branch prior to 3.10.2, static routes that contain files with compressed variants (`.gz` or `.br` extension) are vulnerable to path traversal outside the root directory if those variants are symbolic links. The server protects static routes from path traversal outside the root directory when `follow_symlinks=False` (the default): it resolves the requested URL to an absolute path and then checks that path relative to the root. However, these checks are not performed when looking for compressed variants in the `FileResponse` class, and symbolic links are then followed automatically by the `Path.stat()` and `Path.open()` calls used to send the file. Exploitation therefore requires a symlink named like a compressed variant (for example `index.html.gz`) to already exist under the static root, plus a request whose `Accept-Encoding` advertises the matching encoding. Version 3.10.2 contains a patch for the issue.
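The following is an added, self-contained model of the two code paths described above; it is not aiohttp's own code. `resolve_static_path` stands in for the route-level check, `choose_variant_vulnerable` for the pre-3.10.2 compressed-variant lookup (`Path.stat()` follows symlinks and the candidate is never re-checked against the root), and `choose_variant_hardened` for a lookup that uses `lstat()` plus an `S_ISREG` check so symlinked variants are skipped. The directory layout, file names and contents in `demo()` are constructed for the example; that the hardened variant mirrors the 3.10.2 fix is my assumption, not something the advisory text states.

```python
import stat
import tempfile
from pathlib import Path
from typing import Callable, Optional, Tuple

# Constructed model of the variant lookup (not aiohttp's own code):
# check the Brotli variant first, then gzip.
ENCODING_EXTENSIONS = {".br": "br", ".gz": "gzip"}

Chooser = Callable[[Path, str], Tuple[Path, Optional[str]]]


def resolve_static_path(root: Path, url_path: str) -> Optional[Path]:
    """Route-level check: resolve the requested URL to an absolute path and
    require it to stay inside the resolved root. None means 'rejected'."""
    root = root.resolve()
    parts = [p for p in url_path.split("/") if p]
    candidate = root.joinpath(*parts).resolve()
    try:
        candidate.relative_to(root)
    except ValueError:
        return None
    return candidate


def choose_variant_vulnerable(filepath: Path, accept_encoding: str) -> Tuple[Path, Optional[str]]:
    """Vulnerable lookup: a compressed variant is accepted as soon as
    Path.stat() succeeds. stat() follows symlinks, and the variant is never
    checked against the root, so a symlink escapes the static directory."""
    for ext, enc in ENCODING_EXTENSIONS.items():
        if enc not in accept_encoding:
            continue
        candidate = filepath.with_suffix(filepath.suffix + ext)
        try:
            candidate.stat()
        except OSError:
            continue
        return candidate, enc
    return filepath, None


def choose_variant_hardened(filepath: Path, accept_encoding: str) -> Tuple[Path, Optional[str]]:
    """Hardened lookup: lstat() does not follow symlinks, and only a regular
    file is accepted, so a symlinked .gz/.br variant is skipped and the
    uncompressed file is served instead."""
    for ext, enc in ENCODING_EXTENSIONS.items():
        if enc not in accept_encoding:
            continue
        candidate = filepath.with_suffix(filepath.suffix + ext)
        try:
            st = candidate.lstat()
        except OSError:
            continue
        if stat.S_ISREG(st.st_mode):
            return candidate, enc
    return filepath, None


def serve(root: Path, url_path: str, accept_encoding: str, chooser: Chooser) -> Optional[bytes]:
    """Model of the static route: route check, variant selection, then open
    and read. Path.read_bytes() follows symlinks just like Path.open()."""
    filepath = resolve_static_path(root, url_path)
    if filepath is None:
        return None
    chosen, _encoding = chooser(filepath, accept_encoding)
    return chosen.read_bytes()


def demo() -> Tuple[Optional[bytes], Optional[bytes], Optional[bytes]]:
    """Constructed layout: <tmp>/static is the served root, <tmp>/secret.txt
    lies outside it, and static/index.html.gz is a symlink to the secret."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        root = base / "static"
        root.mkdir()
        (root / "index.html").write_bytes(b"<h1>hello</h1>")
        secret = base / "secret.txt"
        secret.write_bytes(b"TOP SECRET")
        (root / "index.html.gz").symlink_to(secret)

        # 1. A plain traversal attempt is stopped by the route check.
        direct = serve(root, "/../secret.txt", "gzip", choose_variant_vulnerable)
        # 2. Requesting index.html with Accept-Encoding: gzip returns the
        #    symlink target, which lives outside the root.
        leaked = serve(root, "/index.html", "gzip", choose_variant_vulnerable)
        # 3. The hardened lookup ignores the symlink and serves index.html.
        safe = serve(root, "/index.html", "gzip", choose_variant_hardened)
        return direct, leaked, safe


if __name__ == "__main__":
    print(demo())
```

Two caveats on the hardened variant: it also rejects symlinks that point to a regular file inside the root, so a deployment that relies on such links should instead resolve the candidate and re-run the same `relative_to(root)` check the route already applies; and `follow_symlinks=True` routes are deliberately not modelled, since there the route check itself allows symlink targets.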
Symlink
CVSS 3.x base score
Provider  Type     Base Score  Atk. Vector  Atk. Complexity  Priv. Required  Vector
NIST      Primary  4.8 MEDIUM  NETWORK      HIGH             NONE            CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

EPSS percentile: 47%
Affected Products (NVD)
Vendor   Product  Version
aiohttp  aiohttp  3.10.0 ≤ x < 3.10.2
(x = vulnerable software versions)
Debian Releases
Package: python-aiohttp
Codename             Version          Status
bookworm                              no-dsa
bookworm (security)                   vulnerable
bullseye             3.7.4-1          not-affected
bullseye (security)  3.7.4-1+deb11u1  fixed
forky                3.13.1-1         fixed
sid                  3.13.1-1         fixed
trixie               3.11.16-1        fixed
Statuses are each distribution's own tracker assessment and account for backported fixes, so they need not coincide with the upstream version range shown above.
openSUSE / SLES Releases
Package: python311-aiohttp
Release                        Version               Status
suse enterprise sap 15 SP4     3.9.3-150400.10.24.1  fixed
suse enterprise server 15 SP4  3.9.3-150400.10.24.1  fixed