How severe is CVE-2024-42367?

This vulnerability has a severity rating of MEDIUM with a CVSS score of 4.8 out of 10.

What type of vulnerability is CVE-2024-42367?

This is classified as CWE-61, which is a common weakness in software security.

CVE-2024-42367 - MEDIUM Severity | CVSS 4.8

Vulnerability Description

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.10.2, static routes which contain files with compressed variants (`.gz` or `.br` extension) are vulnerable to path traversal outside the root directory if those variants are symbolic links. The server protects static routes from path traversal outside the root directory when `follow_symlinks=False` (default). It does this by resolving the requested URL to an absolute path and then checking that path relative to the root. However, these checks are not performed when looking for compressed variants in the `FileResponse` class, and symbolic links are then automatically followed when performing the `Path.stat()` and `Path.open()` to send the file. Version 3.10.2 contains a patch for the issue.

Related Vulnerabilities

CVE-2019-11249

MEDIUM

CVSS:4.8(Medium)

The kubectl cp command allows copying files between containers and the user machine. To copy files from a container, Kubernetes runs tar inside the container to create a tar archive, copies it over th...

CWE-612019

CVE-2023-20091

MEDIUM

CVSS:5.1(Medium)

A vulnerability in the CLI of Cisco TelePresence CE and RoomOS could allow an authenticated, local attacker to overwrite arbitrary files on the local file system of an affected device. This vulnerabil...

CWE-612023

CVE-2023-20092

MEDIUM

CVSS:4.4(Medium)

Three vulnerabilities in the CLI of Cisco TelePresence CE and RoomOS could allow an authenticated, local attacker to overwrite arbitrary files on the local file system of an affected device. These vul...

CWE-612023

CVE-2023-20093

MEDIUM

CVSS:4.4(Medium)

CWE-612023

CVE-2024-0134

MEDIUM

CVSS:4.1(Medium)

NVIDIA Container Toolkit and NVIDIA GPU Operator for Linux contain a UNIX vulnerability where a specially crafted container image can lead to the creation of unauthorized files on the host. The name a...

CWE-612024

CVE-2024-27872

MEDIUM

CVSS:5.5(Medium)

This issue was addressed with improved validation of symlinks. This issue is fixed in macOS Sonoma 14.6. An app may be able to access protected user data.

CWE-612024