SB2023053013 - Multiple vulnerabilities in starlette

Description

This security bulletin contains information about 2 vulnerabilities.

1) Path traversal (CVE-ID: CVE-2023-29159)

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to input validation error when processing directory traversal sequences. A remote attacker can send a specially crafted HTTP request and read arbitrary files on the system.

2) Path traversal (CVE-ID: N/A)

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to path traversal in StaticFiles when handling crafted path requests. A remote attacker can request a specially crafted path to disclose sensitive information.

Files or directories whose names start with the same prefix as the configured static directory may be exposed.

Remediation

Install update from vendor's website.

References

• https://jvn.jp/en/jp/JVN95981715/index.html
• https://github.com/Kludex/starlette/security/advisories/GHSA-v5gw-mw7f-84px
• https://github.com/encode/starlette/blob/4bab981d9e870f6cee1bd4cd59b87ddaf355b2dc/starlette/staticfiles.py#L172-L174