CVE-2024-42367 (Medium) detected in aiohttp-3.8.6-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl - autoclosed

Question

CVE-2024-42367 (Medium) detected in aiohttp-3.8.6-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl - autoclosed

Closed this issue 2 months ago · 1 comments

mend-bolt-for-github commented 5 months ago

CVE-2024-42367 - Medium Severity Vulnerability

Vulnerable Library - aiohttp-3.8.6-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

Async http client/server framework (asyncio)

Library home page: https://files.pythonhosted.org/packages/a5/e7/af237a28203958d885f7f57731cb4f9c510597a35c593c5c20224dd72072/aiohttp-3.8.6-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

Path to dependency file: /sitemap_warmup/requirements.txt

Path to vulnerable library: /sitemap_warmup/requirements.txt

Dependency Hierarchy:

❌ aiohttp-3.8.6-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (Vulnerable Library)

Found in base branch: master

Vulnerability Details

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.10.2, static routes which contain files with compressed variants (.gz or .br extension) are vulnerable to path traversal outside the root directory if those variants are symbolic links. The server protects static routes from path traversal outside the root directory when follow_symlinks=False (default). It does this by resolving the requested URL to an absolute path and then checking that path relative to the root. However, these checks are not performed when looking for compressed variants in the FileResponse class, and symbolic links are then automatically followed when performing the Path.stat() and Path.open() to send the file. Version 3.10.2 contains a patch for the issue.

Publish Date: 2024-08-09

URL: CVE-2024-42367

CVSS 3 Score Details (4.8)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-jwhx-xcg6-8xhj

Release Date: 2024-08-09

Fix Resolution: 3.10.2

Step up your Open Source Security Game with Mend here

Answer 1 · 2024-10-22T02:27:15.000Z

✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.