Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS03Z3B3LTh3bWMtcG04Z84AA7Ls
aiohttp Cross-site Scripting vulnerability on index pages for static file handling
Summary
A XSS vulnerability exists on index pages for static file handling.
Details
When using web.static(..., show_index=True), the resulting index pages do not escape file names.
If users can upload files with arbitrary filenames to the static directory, the server is vulnerable to XSS attacks.
Workaround
We have always recommended using a reverse proxy server (e.g. nginx) for serving static files. Users following the recommendation are unaffected.
Other users can disable show_index if unable to upgrade.
Patch: https://github.com/aio-libs/aiohttp/pull/8319/files
Permalink: https://github.com/advisories/GHSA-7gpw-8wmc-pm8gJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS03Z3B3LTh3bWMtcG04Z84AA7Ls
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 15 days ago
Updated: 1 day ago
CVSS Score: 6.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Identifiers: GHSA-7gpw-8wmc-pm8g, CVE-2024-27306
References:
- https://github.com/aio-libs/aiohttp/security/advisories/GHSA-7gpw-8wmc-pm8g
- https://github.com/aio-libs/aiohttp/pull/8319/files
- https://github.com/aio-libs/aiohttp/commit/28335525d1eac015a7e7584137678cbb6ff19397
- https://nvd.nist.gov/vuln/detail/CVE-2024-27306
- https://github.com/aio-libs/aiohttp/pull/8319
- https://lists.fedoraproject.org/archives/list/[email protected]/message/2EXRGTN2WG7VZLUZ7WOXU5GQJKCPPHKP
- https://lists.fedoraproject.org/archives/list/[email protected]/message/NWEI6NIHZ3G7DURDZVMRK7ZEFC2BTD3U
- https://lists.fedoraproject.org/archives/list/[email protected]/message/ZIVBMPEY7WWOFMC3CWXFBRQPFECV4SW3
- https://github.com/advisories/GHSA-7gpw-8wmc-pm8g
Blast Radius: 29.4
Affected Packages
pypi:aiohttp
Dependent packages: 4,004Dependent repositories: 66,431
Downloads: 107,102,656 last month
Affected Version Ranges: < 3.9.4
Fixed in: 3.9.4
All affected versions: 0.4.1, 0.4.2, 0.4.3, 0.4.4, 0.5.0, 0.6.0, 0.6.1, 0.6.2, 0.6.3, 0.6.4, 0.6.5, 0.7.0, 0.7.1, 0.7.2, 0.7.3, 0.8.0, 0.8.1, 0.8.2, 0.8.3, 0.8.4, 0.9.0, 0.9.1, 0.9.2, 0.9.3, 0.10.0, 0.10.1, 0.10.2, 0.11.0, 0.12.0, 0.13.0, 0.13.1, 0.14.0, 0.14.1, 0.14.2, 0.14.3, 0.14.4, 0.15.0, 0.15.1, 0.15.2, 0.15.3, 0.16.0, 0.16.1, 0.16.2, 0.16.3, 0.16.4, 0.16.5, 0.16.6, 0.17.0, 0.17.1, 0.17.2, 0.17.3, 0.17.4, 0.18.0, 0.18.1, 0.18.2, 0.18.3, 0.18.4, 0.19.0, 0.20.0, 0.20.1, 0.20.2, 0.21.0, 0.21.1, 0.21.2, 0.21.4, 0.21.5, 0.21.6, 0.22.0, 0.22.1, 0.22.2, 0.22.3, 0.22.4, 0.22.5, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.5, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5, 1.1.6, 1.2.0, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7, 2.1.0, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.3.6, 2.3.7, 2.3.8, 2.3.9, 2.3.10, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.0.7, 3.0.8, 3.0.9, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.2.0, 3.2.1, 3.3.0, 3.3.1, 3.3.2, 3.4.0, 3.4.1, 3.4.2, 3.4.3, 3.4.4, 3.5.0, 3.5.1, 3.5.2, 3.5.3, 3.5.4, 3.6.0, 3.6.1, 3.6.2, 3.6.3, 3.7.0, 3.7.1, 3.7.2, 3.7.3, 3.7.4, 3.8.0, 3.8.1, 3.8.2, 3.8.3, 3.8.4, 3.8.5, 3.8.6, 3.9.0, 3.9.1, 3.9.2, 3.9.3
All unaffected versions: 3.9.4, 3.9.5