Описание
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below enable an attacker to ascertain the existence of absolute path components through the path normalization logic for static files meant to prevent path traversal. If an application uses web.static() (not recommended for production deployments), it may be possible for an attacker to ascertain the existence of path components. This issue is fixed in version 3.13.3.
A flaw was found in aiohttp, an asynchronous HTTP client/server framework for Python. An attacker can exploit a vulnerability in the path normalization logic for static files to determine if specific absolute path components exist on the server. This information disclosure is possible if the application uses web.static().
Отчет
This vulnerability is rated Moderate for Red Hat products. It allows for information disclosure of path components if an application uses aiohttp's web.static() function. Red Hat generally advises against using web.static() for serving static files in production environments, which limits the impact in typical deployments.
Меры по смягчению последствий
No mitigation is currently available that meets Red Hat Product Security’s standards for usability, deployment, applicability, or stability.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Migration Toolkit for Containers | rhmtc/openshift-migration-hook-runner-rhel8 | Fix deferred | ||
| OpenShift Lightspeed | openshift-lightspeed/lightspeed-ocp-rag-rhel9 | Fix deferred | ||
| OpenShift Lightspeed | openshift-lightspeed/lightspeed-service-api-rhel9 | Fix deferred | ||
| OpenShift Lightspeed | openshift-lightspeed-tech-preview/lightspeed-rag-tool-rhel9 | Fix deferred | ||
| OpenShift Service Mesh 2 | openshift-service-mesh/grafana-rhel8 | Fix deferred | ||
| OpenShift Service Mesh 2 | openshift-service-mesh/istio-cni-rhel8 | Fix deferred | ||
| OpenShift Service Mesh 2 | openshift-service-mesh/istio-must-gather-rhel9 | Fix deferred | ||
| OpenShift Service Mesh 2 | openshift-service-mesh/istio-operator-bundle | Fix deferred | ||
| OpenShift Service Mesh 2 | openshift-service-mesh/istio-rhel8-operator | Fix deferred | ||
| OpenShift Service Mesh 2 | openshift-service-mesh/pilot-rhel8 | Fix deferred |
Показывать по
Дополнительная информация
Статус:
EPSS
5.3 Medium
CVSS3
Связанные уязвимости
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below enable an attacker to ascertain the existence of absolute path components through the path normalization logic for static files meant to prevent path traversal. If an application uses web.static() (not recommended for production deployments), it may be possible for an attacker to ascertain the existence of path components. This issue is fixed in version 3.13.3.
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below enable an attacker to ascertain the existence of absolute path components through the path normalization logic for static files meant to prevent path traversal. If an application uses web.static() (not recommended for production deployments), it may be possible for an attacker to ascertain the existence of path components. This issue is fixed in version 3.13.3.
AIOHTTP is an asynchronous HTTP client/server framework for asyncio an ...
AIOHTTP vulnerable to brute-force leak of internal static file path components
EPSS
5.3 Medium
CVSS3