Lookup for vulnerable packages by Package URL.

purl pkg:deb/debian/python-aiohttp@3.10.3-2?distro=trixie
type deb
namespace debian
name python-aiohttp
version 3.10.3-2
qualifiers
distro trixie
subpath
is_vulnerable false
next_non_vulnerable_version 3.10.11-1
latest_non_vulnerable_version 3.13.3-3
Affected_by_vulnerabilities
Fixing_vulnerabilities
0
url VCID-ekqy-23wg-5ugu
vulnerability_id VCID-ekqy-23wg-5ugu
summary
In aiohttp, compressed files as symlinks are not protected from path traversal
### Summary
Static routes which contain files with compressed variants (`.gz` or `.br` extension) were vulnerable to path traversal outside the root directory if those variants are symbolic links.

### Details
The server protects static routes from path traversal outside the root directory when `follow_symlinks=False` (default).  It does this by resolving the requested URL to an absolute path and then checking that path relative to the root.  However, these checks are not performed when looking for compressed variants in the `FileResponse` class, and symbolic links are then automatically followed when performing `Path.stat()` and `Path.open()` to send the file.

### Impact
Servers with static routes that contain compressed variants as symbolic links, pointing outside the root directory, or that permit users to upload or create such links, are impacted.

----

Patch: https://github.com/aio-libs/aiohttp/pull/8653/files
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-42367.json
reference_id
reference_type
scores
0
value 4.8
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-42367.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-42367
reference_id
reference_type
scores
0
value 0.00352
scoring_system epss
scoring_elements 0.57629
published_at 2026-04-21T12:55:00Z
1
value 0.00352
scoring_system epss
scoring_elements 0.57655
published_at 2026-04-16T12:55:00Z
2
value 0.00352
scoring_system epss
scoring_elements 0.57625
published_at 2026-04-13T12:55:00Z
3
value 0.00352
scoring_system epss
scoring_elements 0.57645
published_at 2026-04-12T12:55:00Z
4
value 0.00352
scoring_system epss
scoring_elements 0.57665
published_at 2026-04-11T12:55:00Z
5
value 0.00352
scoring_system epss
scoring_elements 0.5765
published_at 2026-04-18T12:55:00Z
6
value 0.00352
scoring_system epss
scoring_elements 0.57646
published_at 2026-04-08T12:55:00Z
7
value 0.00352
scoring_system epss
scoring_elements 0.57593
published_at 2026-04-07T12:55:00Z
8
value 0.00352
scoring_system epss
scoring_elements 0.57618
published_at 2026-04-04T12:55:00Z
9
value 0.00352
scoring_system epss
scoring_elements 0.57597
published_at 2026-04-02T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-42367
2
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
3
reference_url https://github.com/aio-libs/aiohttp
reference_id
reference_type
scores
0
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
1
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/aio-libs/aiohttp
4
reference_url https://github.com/aio-libs/aiohttp/blob/e0ff5246e1d29b7710ab1a2bbc972b48169f1c05/aiohttp/web_fileresponse.py#L177
reference_id
reference_type
scores
0
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
1
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-09T18:18:15Z/
url https://github.com/aio-libs/aiohttp/blob/e0ff5246e1d29b7710ab1a2bbc972b48169f1c05/aiohttp/web_fileresponse.py#L177
5
reference_url https://github.com/aio-libs/aiohttp/blob/e0ff5246e1d29b7710ab1a2bbc972b48169f1c05/aiohttp/web_urldispatcher.py#L674
reference_id
reference_type
scores
0
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
1
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-09T18:18:15Z/
url https://github.com/aio-libs/aiohttp/blob/e0ff5246e1d29b7710ab1a2bbc972b48169f1c05/aiohttp/web_urldispatcher.py#L674
6
reference_url https://github.com/aio-libs/aiohttp/commit/ce2e9758814527589b10759a20783fb03b98339f
reference_id
reference_type
scores
0
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
1
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-09T18:18:15Z/
url https://github.com/aio-libs/aiohttp/commit/ce2e9758814527589b10759a20783fb03b98339f
7
reference_url https://github.com/aio-libs/aiohttp/pull/8653
reference_id
reference_type
scores
0
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
1
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-09T18:18:15Z/
url https://github.com/aio-libs/aiohttp/pull/8653
8
reference_url https://github.com/aio-libs/aiohttp/security/advisories/GHSA-jwhx-xcg6-8xhj
reference_id
reference_type
scores
0
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
3
value MODERATE
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-09T18:18:15Z/
url https://github.com/aio-libs/aiohttp/security/advisories/GHSA-jwhx-xcg6-8xhj
9
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-42367
reference_id
reference_type
scores
0
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
1
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-42367
10
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2304394
reference_id 2304394
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2304394
11
reference_url https://github.com/advisories/GHSA-jwhx-xcg6-8xhj
reference_id GHSA-jwhx-xcg6-8xhj
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-jwhx-xcg6-8xhj
fixed_packages
0
url pkg:deb/debian/python-aiohttp@0?distro=trixie
purl pkg:deb/debian/python-aiohttp@0?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/python-aiohttp@0%3Fdistro=trixie
1
url pkg:deb/debian/python-aiohttp@3.7.4-1?distro=trixie
purl pkg:deb/debian/python-aiohttp@3.7.4-1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-d3pa-kwgz-vuag
1
vulnerability VCID-ft9z-nd6x-27dz
2
vulnerability VCID-k122-7d38-2ug5
3
vulnerability VCID-peyu-fxyx-ayde
4
vulnerability VCID-qrus-4szm-c3bj
5
vulnerability VCID-sjws-ddnq-fke2
6
vulnerability VCID-t9gx-etxx-vkgb
7
vulnerability VCID-vqvz-jfqh-jkaz
8
vulnerability VCID-zm3a-mf2z-xfcm
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/python-aiohttp@3.7.4-1%3Fdistro=trixie
2
url pkg:deb/debian/python-aiohttp@3.10.3-2?distro=trixie
purl pkg:deb/debian/python-aiohttp@3.10.3-2?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/python-aiohttp@3.10.3-2%3Fdistro=trixie
3
url pkg:deb/debian/python-aiohttp@3.11.16-1?distro=trixie
purl pkg:deb/debian/python-aiohttp@3.11.16-1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-d3pa-kwgz-vuag
1
vulnerability VCID-ft9z-nd6x-27dz
2
vulnerability VCID-k122-7d38-2ug5
3
vulnerability VCID-peyu-fxyx-ayde
4
vulnerability VCID-qrus-4szm-c3bj
5
vulnerability VCID-sjws-ddnq-fke2
6
vulnerability VCID-t9gx-etxx-vkgb
7
vulnerability VCID-vqvz-jfqh-jkaz
8
vulnerability VCID-zm3a-mf2z-xfcm
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/python-aiohttp@3.11.16-1%3Fdistro=trixie
4
url pkg:deb/debian/python-aiohttp@3.13.3-3?distro=trixie
purl pkg:deb/debian/python-aiohttp@3.13.3-3?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/python-aiohttp@3.13.3-3%3Fdistro=trixie
aliases CVE-2024-42367, GHSA-jwhx-xcg6-8xhj
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ekqy-23wg-5ugu
risk_score null
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/python-aiohttp@3.10.3-2%3Fdistro=trixie