CVE-2024-27306
Published: 18 April 2024
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. A XSS vulnerability exists on index pages for static file handling. This vulnerability is fixed in 3.9.4. We have always recommended using a reverse proxy server (e.g. nginx) for serving static files. Users following the recommendation are unaffected. Other users can disable `show_index` if unable to upgrade.
Priority
Status
Package | Release | Status |
---|---|---|
python-aiohttp Launchpad, Ubuntu, Debian |
bionic |
Needs triage
|
focal |
Needs triage
|
|
jammy |
Needs triage
|
|
mantic |
Needs triage
|
|
noble |
Needs triage
|
|
upstream |
Needs triage
|
|
xenial |
Needs triage
|
References
- https://www.cve.org/CVERecord?id=CVE-2024-27306
- https://github.com/aio-libs/aiohttp/security/advisories/GHSA-7gpw-8wmc-pm8g
- https://github.com/aio-libs/aiohttp/pull/8319
- https://github.com/aio-libs/aiohttp/commit/28335525d1eac015a7e7584137678cbb6ff19397 (v3.9.4)
- https://github.com/aio-libs/aiohttp/commit/28335525d1eac015a7e7584137678cbb6ff19397
- NVD
- Launchpad
- Debian