Описание
Python-Multipart is a streaming multipart parser for Python. Prior to version 0.0.22, a Path Traversal vulnerability exists when using non-default configuration options UPLOAD_DIR and UPLOAD_KEEP_FILENAME=True. An attacker can write uploaded files to arbitrary locations on the filesystem by crafting a malicious filename. Users should upgrade to version 0.0.22 to receive a patch or, as a workaround, avoid using UPLOAD_KEEP_FILENAME=True in project configurations.
A flaw was found in Python-Multipart, a tool for parsing multipart form data in Python applications. This vulnerability, known as path traversal, allows a remote attacker to write uploaded files to any location on the server's file system. This exploitation occurs when specific non-default configuration options, UPLOAD_DIR and UPLOAD_KEEP_FILENAME=True, are enabled, and a malicious filename is provided during a file upload. The primary consequence is unauthorized file creation or modification, which could lead to system compromise.
Меры по смягчению последствий
To mitigate this vulnerability, avoid enabling the UPLOAD_KEEP_FILENAME=True configuration option in applications using python-multipart. This option, when used with UPLOAD_DIR, allows an attacker to write files to arbitrary locations. Disabling or not configuring UPLOAD_KEEP_FILENAME=True prevents the path traversal vulnerability.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Lightspeed Core | lightspeed-core/lightspeed-stack-rhel9 | Affected | ||
| OpenShift Lightspeed | openshift-lightspeed/lightspeed-ocp-rag-rhel9 | Not affected | ||
| OpenShift Lightspeed | openshift-lightspeed/lightspeed-service-api-rhel9 | Affected | ||
| Red Hat AI Inference Server | rhaiis/vllm-spyre-rhel9 | Affected | ||
| Red Hat AI Inference Server | rhaiis/vllm-tpu-rhel9 | Affected | ||
| Red Hat Ansible Automation Platform 2 | ansible-automation-platform-24/de-minimal-rhel8 | Not affected | ||
| Red Hat Ansible Automation Platform 2 | ansible-automation-platform-24/de-minimal-rhel9 | Not affected | ||
| Red Hat Ansible Automation Platform 2 | ansible-automation-platform-24/de-supported-rhel8 | Not affected | ||
| Red Hat Ansible Automation Platform 2 | ansible-automation-platform-24/de-supported-rhel9 | Not affected | ||
| Red Hat Ansible Automation Platform 2 | ansible-automation-platform-24/ee-minimal-rhel8 | Not affected |
Показывать по
Ссылки на источники
Дополнительная информация
Статус:
EPSS
8.6 High
CVSS3
Связанные уязвимости
Python-Multipart is a streaming multipart parser for Python. Prior to version 0.0.22, a Path Traversal vulnerability exists when using non-default configuration options `UPLOAD_DIR` and `UPLOAD_KEEP_FILENAME=True`. An attacker can write uploaded files to arbitrary locations on the filesystem by crafting a malicious filename. Users should upgrade to version 0.0.22 to receive a patch or, as a workaround, avoid using `UPLOAD_KEEP_FILENAME=True` in project configurations.
Python-Multipart is a streaming multipart parser for Python. Prior to version 0.0.22, a Path Traversal vulnerability exists when using non-default configuration options `UPLOAD_DIR` and `UPLOAD_KEEP_FILENAME=True`. An attacker can write uploaded files to arbitrary locations on the filesystem by crafting a malicious filename. Users should upgrade to version 0.0.22 to receive a patch or, as a workaround, avoid using `UPLOAD_KEEP_FILENAME=True` in project configurations.
Python-Multipart is a streaming multipart parser for Python. Prior to ...
EPSS
8.6 High
CVSS3