#VU96003 UNIX symbolic link following in aiohttp - CVE-2024-42367
Published: August 14, 2024
Vulnerability identifier: #VU96003
Vulnerability risk: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2024-42367
CWE-ID: CWE-61
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
aiohttp
aiohttp
Software vendor:
aio-libs
aio-libs
Description
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to a symlink following issue when handling static routes which contain files with compressed variants in the FileResponse class even when "follow_symlinks=False" is set. A remote attacker can pass a specially crafted file to the application and perform directory traversal attacks.
Remediation
Install updates from vendor's website.
External links
- https://github.com/aio-libs/aiohttp/security/advisories/GHSA-jwhx-xcg6-8xhj
- https://github.com/aio-libs/aiohttp/pull/8653
- https://github.com/aio-libs/aiohttp/commit/ce2e9758814527589b10759a20783fb03b98339f
- https://github.com/aio-libs/aiohttp/blob/e0ff5246e1d29b7710ab1a2bbc972b48169f1c05/aiohttp/web_fileresponse.py#L177
- https://github.com/aio-libs/aiohttp/blob/e0ff5246e1d29b7710ab1a2bbc972b48169f1c05/aiohttp/web_urldispatcher.py#L674