Directory Traversal Affecting py3-cassandra-medusa package, versions <0.17.2-r1


Severity

Recommended
0.0
high
0
10

Snyk's Security Team recommends NVD's CVSS assessment. Learn more

Threat Intelligence

Exploit Maturity
Proof of concept
EPSS
10.46% (96th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Directory Traversal vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-CHAINGUARDLATEST-PY3CASSANDRAMEDUSA-6231784
  • published8 Feb 2024
  • disclosed29 Jan 2024

Introduced: 29 Jan 2024

CVE-2024-23334  (opens in a new tab)
CWE-22  (opens in a new tab)

How to fix?

Upgrade Chainguard py3-cassandra-medusa to version 0.17.2-r1 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream py3-cassandra-medusa package and not the py3-cassandra-medusa package as distributed by Chainguard. See How to fix? for Chainguard relevant fixed versions and status.

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. When using aiohttp as a web server and configuring static routes, it is necessary to specify the root path for static files. Additionally, the option 'follow_symlinks' can be used to determine whether to follow symbolic links outside the static root directory. When 'follow_symlinks' is set to True, there is no validation to check if reading a file is within the root directory. This can lead to directory traversal vulnerabilities, resulting in unauthorized access to arbitrary files on the system, even when symlinks are not present. Disabling follow_symlinks and using a reverse proxy are encouraged mitigations. Version 3.9.2 fixes this issue.

CVSS Scores

version 3.1