CVE-2024-42367: 
Wolfi vulnerability analysis and mitigation

aiohttp, an asynchronous HTTP client/server framework for asyncio and Python, was found to have a path traversal vulnerability (CVE-2024-42367) prior to version 3.10.2. The vulnerability affects static routes containing files with compressed variants (.gz or .br extension) when those variants are symbolic links. The issue was discovered and disclosed on August 9, 2024, and was patched in version 3.10.2 (GitHub Advisory).

The vulnerability stems from insufficient path traversal protection in the FileResponse class when handling compressed file variants. While the server implements protection against path traversal outside the root directory with follow_symlinks=False (default) by resolving requested URLs to absolute paths and checking them relative to the root, these checks were bypassed when looking for compressed variants. The vulnerability occurs because symbolic links are automatically followed when performing Path.stat() and Path.open() operations to send the file (GitHub Advisory). The vulnerability has been assigned a CVSS v3.1 score of 4.8 (Medium) with vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N (Red Hat XML).

The vulnerability affects servers with static routes that contain compressed variants as symbolic links pointing outside the root directory, or servers that allow users to upload or create such links. This could potentially lead to unauthorized access to files outside the intended root directory (GitHub Advisory).

The vulnerability has been fixed in aiohttp version 3.10.2. Users should upgrade to this version or later to address the security issue. The patch modifies the handling of compressed file variants to prevent following symbolic links that point outside the root directory (GitHub Advisory).