What is CVE-2024-42367?

CVE-2024-42367 is a medium-severity vulnerability in Aio-libs Aiohttp, classified under UNIX Symbolic Link (Symlink) Following. CVSS score: 4.8/10. Published 2024-08-09.

How severe is CVE-2024-42367?

Medium severity. CVSS v3 base score is 4.8 out of 10.

Vulnerability in Aio-libs Aiohttp

CVE-2024-42367

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In versions on the 3.10 branch prior to version 3.10.2, static routes which contain files with compressed variants (`.gz` or `.br` extension) are vulnerable to…

EPSS: 0.002 (47.5th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 4.8 (Medium). Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N.

Affected products

Aio-libs Aiohttp — versions >= 3.10.0b1, < 3.10.2

Weakness classification (CWE)

CWE-61 — UNIX Symbolic Link (Symlink) Following

References

https://github.com/aio-libs/aiohttp/security/advisories/GHSA-jwhx-xcg6-8xhj (x_refsource_CONFIRM)
https://github.com/aio-libs/aiohttp/pull/8653 (x_refsource_MISC)
https://github.com/aio-libs/aiohttp/commit/ce2e9758814527589b10759a20783fb03b98339f (x_refsource_MISC)
https://github.com/aio-libs/aiohttp/blob/e0ff5246e1d29b7710ab1a2bbc972b48169f1c05/aiohttp/web_fileresponse.py#L177 (x_refsource_MISC)
https://github.com/aio-libs/aiohttp/blob/e0ff5246e1d29b7710ab1a2bbc972b48169f1c05/aiohttp/web_urldispatcher.py#L674 (x_refsource_MISC)

Frequently asked questions

What is CVE-2024-42367?: CVE-2024-42367 is a medium-severity vulnerability in Aio-libs Aiohttp, classified under UNIX Symbolic Link (Symlink) Following. CVSS score: 4.8/10. Published 2024-08-09.
How severe is CVE-2024-42367?: Medium severity. CVSS v3 base score is 4.8 out of 10.