pepelyaevip/vuln-list-alt
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
43c7060749
vuln-list-alt/oval/p11/ALT-PU-2024-6118/definitions.json
pepelyaevip 9d72b75f75 ALT Vulnerability
2024-12-12 21:07:30 +00:00

127 lines
6.1 KiB
JSON
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

{
"Definition": [
{
"ID": "oval:org.altlinux.errata:def:20246118",
"Version": "oval:org.altlinux.errata:def:20246118",
"Class": "patch",
"Metadata": {
"Title": "ALT-PU-2024-6118: package `python3-module-aiohttp` update to version 3.9.3-alt1",
"AffectedList": [
{
"Family": "unix",
"Platforms": [
"ALT Linux branch p11"
],
"Products": [
"ALT Container"
]
}
],
"References": [
{
"RefID": "ALT-PU-2024-6118",
"RefURL": "https://errata.altlinux.org/ALT-PU-2024-6118",
"Source": "ALTPU"
},
{
"RefID": "BDU:2024-00995",
"RefURL": "https://bdu.fstec.ru/vul/2024-00995",
"Source": "BDU"
},
{
"RefID": "BDU:2024-00996",
"RefURL": "https://bdu.fstec.ru/vul/2024-00996",
"Source": "BDU"
},
{
"RefID": "CVE-2024-23334",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2024-23334",
"Source": "CVE"
},
{
"RefID": "CVE-2024-23829",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2024-23829",
"Source": "CVE"
}
],
"Description": "This update upgrades python3-module-aiohttp to version 3.9.3-alt1. \nSecurity Fix(es):\n\n * BDU:2024-00995: Уязвимость HTTP-клиента aiohttp, связанная с неверным ограничением имени пути к каталогу с ограниченным доступом, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации\n\n * BDU:2024-00996: Уязвимость HTTP-клиента aiohttp, связанная с недостатками обработки HTTP-запросов, позволяющая нарушителю выполнять атаку \u0026quot;контрабанда HTTP-запросов\u0026quot;\n\n * CVE-2024-23334: aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. When using aiohttp as a web server and configuring static routes, it is necessary to specify the root path for static files. Additionally, the option 'follow_symlinks' can be used to determine whether to follow symbolic links outside the static root directory. When 'follow_symlinks' is set to True, there is no validation to check if reading a file is within the root directory. This can lead to directory traversal vulnerabilities, resulting in unauthorized access to arbitrary files on the system, even when symlinks are not present. Disabling follow_symlinks and using a reverse proxy are encouraged mitigations. Version 3.9.2 fixes this issue.\n\n * CVE-2024-23829: aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Security-sensitive parts of the Python HTTP parser retained minor differences in allowable character sets, that must trigger error handling to robustly match frame boundaries of proxies in order to protect against injection of additional requests. Additionally, validation could trigger exceptions that were not handled consistently with processing of other malformed input. Being more lenient than internet standards require could, depending on deployment environment, assist in request smuggling. The unhandled exception could cause excessive resource consumption on the application server and/or its logging facilities. This vulnerability exists due to an incomplete fix for CVE-2023-47627. Version 3.9.2 fixes this vulnerability.",
"Advisory": {
"From": "errata.altlinux.org",
"Severity": "High",
"Rights": "Copyright 2024 BaseALT Ltd.",
"Issued": {
"Date": "2024-04-08"
},
"Updated": {
"Date": "2024-04-08"
},
"BDUs": [
{
"ID": "BDU:2024-00995",
"CVSS": "AV:N/AC:L/Au:N/C:C/I:N/A:N",
"CVSS3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"CWE": "CWE-22",
"Href": "https://bdu.fstec.ru/vul/2024-00995",
"Impact": "High",
"Public": "20240129"
},
{
"ID": "BDU:2024-00996",
"CVSS": "AV:N/AC:L/Au:N/C:N/I:P/A:P",
"CVSS3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
"CWE": "CWE-444",
"Href": "https://bdu.fstec.ru/vul/2024-00996",
"Impact": "Low",
"Public": "20240129"
}
],
"CVEs": [
{
"ID": "CVE-2024-23334",
"CVSS3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2024-23334",
"Impact": "High",
"Public": "20240129"
},
{
"ID": "CVE-2024-23829",
"CVSS3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2024-23829",
"Impact": "Low",
"Public": "20240129"
}
],
"AffectedCPEs": {
"CPEs": [
"cpe:/o:alt:container:11"
]
}
}
},
"Criteria": {
"Operator": "AND",
"Criterions": [
{
"TestRef": "oval:org.altlinux.errata:tst:3001",
"Comment": "ALT Linux must be installed"
}
],
"Criterias": [
{
"Operator": "OR",
"Criterions": [
{
"TestRef": "oval:org.altlinux.errata:tst:20246118001",
"Comment": "python3-module-aiohttp is earlier than 0:3.9.3-alt1"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20246118002",
"Comment": "python3-module-aiohttp-tests is earlier than 0:3.9.3-alt1"
}
]
}
]
}
}
]
}
Reference in New Issue View Git Blame Copy Permalink