First published: Thu Apr 18 2024
### Summary

An XSS vulnerability exists on index pages for static file handling.

### Details

When using `web.static(..., show_index=True)`, the resulting index pages do not escape file names. If users can upload files with arbitrary filenames to the static directory, the server is vulnerable to XSS attacks.

### Workaround

We have always recommended using a reverse proxy server (e.g. nginx) for serving static files. Users following the recommendation are unaffected. Other users can disable `show_index` if unable to upgrade.

Patch: https://github.com/aio-libs/aiohttp/pull/8319/files
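As an added illustration of the defect class the advisory describes (this is not aiohttp's code and not the linked patch), the stand-alone Python below renders a directory index two ways: a defective renderer that interpolates file names into HTML verbatim, and a hardened one that percent-encodes the link target and HTML-escapes the visible name. `SAMPLE_NAMES`, `render_index_unescaped`, `render_index_escaped` and `leaks_raw_markup` are constructed for this example; the aiohttp calls appear only in a comment so the file runs without aiohttp installed.

```python
import html
from urllib.parse import quote

# Constructed sample listing. The third name is the kind of attacker-chosen
# filename that turns an unescaped directory index into an XSS sink once an
# upload path lets users pick arbitrary names (the precondition the advisory states).
SAMPLE_NAMES = [
    "report.pdf",
    "notes & todo.txt",
    '<img src=x onerror="alert(1)">.png',
]


def render_index_unescaped(url_prefix: str, names: list[str]) -> str:
    """Defective shape: file names go into the HTML exactly as stored on disk."""
    items = "".join(
        f'<li><a href="{url_prefix}/{name}">{name}</a></li>' for name in names
    )
    return f"<html><body><h1>Index of {url_prefix}</h1><ul>{items}</ul></body></html>"


def render_index_escaped(url_prefix: str, names: list[str]) -> str:
    """Hardened shape: each untrusted value is encoded for the context it lands in.

    - the href is percent-encoded (URL context) and then HTML-escaped (attribute context)
    - the visible link text is HTML-escaped (text context)
    """
    items = []
    for name in names:
        href = html.escape(f"{url_prefix}/{quote(name)}", quote=True)
        label = html.escape(name, quote=True)
        items.append(f'<li><a href="{href}">{label}</a></li>')
    title = html.escape(url_prefix, quote=True)
    return f"<html><body><h1>Index of {title}</h1><ul>{''.join(items)}</ul></body></html>"


def leaks_raw_markup(rendered: str, names: list[str]) -> bool:
    """Regression check for an index renderer: True if any file name that contains
    HTML metacharacters appears in the output verbatim (i.e. unescaped)."""
    return any(
        name in rendered for name in names if any(c in name for c in "<>\"'&")
    )


# Configuration side of the advisory's workaround, using aiohttp's documented
# static-route API (kept as a comment so this example has no aiohttp dependency):
#   app.router.add_static("/static", "/srv/static", show_index=False)
# or, with the route-table helper,
#   web.static("/static", "/srv/static", show_index=False)


if __name__ == "__main__":
    for renderer in (render_index_unescaped, render_index_escaped):
        out = renderer("/static", SAMPLE_NAMES)
        print(f"{renderer.__name__}: leaks raw markup = {leaks_raw_markup(out, SAMPLE_NAMES)}")
```

The `leaks_raw_markup` check is the kind of assertion worth keeping in a test suite for any hand-rolled index page: it fails on the defective renderer and passes on the hardened one, and it catches a regression if someone later reintroduces verbatim interpolation.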
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| pip/aiohttp | <3.9.4 | 3.9.4 |
| redhat/aiohttp | <3.9.4 | 3.9.4 |
| IBM Security QRadar | <=3.12 | |
CVE-2024-27306 is considered a moderate severity XSS vulnerability due to improper file name escaping.
To fix CVE-2024-27306, update aiohttp to version 3.9.4 or later.
CVE-2024-27306 affects the static file handling feature when using `web.static(..., show_index=True)`.
Yes, arbitrary file names uploaded to the static directory can exploit CVE-2024-27306.
Aiohttp versions prior to 3.9.4 are vulnerable to CVE-2024-27306.