CVE-2024-27306 (Medium) detected in aiohttp-3.8.6-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl #2368
Labels
Mend: dependency security vulnerability
Security vulnerability detected by WhiteSource
CVE-2024-27306 - Medium Severity Vulnerability
Vulnerable Library - aiohttp-3.8.6-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
Async http client/server framework (asyncio)
Library home page: https://files.pythonhosted.org/packages/a5/e7/af237a28203958d885f7f57731cb4f9c510597a35c593c5c20224dd72072/aiohttp-3.8.6-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
Path to dependency file: /dev-requirements.txt
Path to vulnerable library: /dev-requirements.txt,/tmp/ws-scm/gns3-server
Dependency Hierarchy:
Found in HEAD commit: fda2a37b98507f17a864087fe28ef6b2dcf1984c
Found in base branches: 2.2, master
Vulnerability Details
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. A XSS vulnerability exists on index pages for static file handling. This vulnerability is fixed in 3.9.4. We have always recommended using a reverse proxy server (e.g. nginx) for serving static files. Users following the recommendation are unaffected. Other users can disable `show_index` if unable to upgrade.
Publish Date: 2024-04-18
URL: CVE-2024-27306
CVSS 3 Score Details (6.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-7gpw-8wmc-pm8g
Release Date: 2024-04-18
Fix Resolution: 3.9.4
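As an added example (not part of the Mend report, aiohttp or gns3-server), the script below checks pinned requirement lines against the Fix Resolution above and shows the mitigation the advisory names: leaving `show_index` off on aiohttp static routes. The sample requirements text is constructed for the example; only the `aiohttp==3.8.6` pin mirrors this report. The `find_affected`, `is_affected` and `make_app` helpers are assumptions of this example, not an API of either project.

```python
"""Flag aiohttp pins below the CVE-2024-27306 fix (3.9.4) and show the
show_index mitigation. Added example; not code from the report or gns3-server."""
import re
from typing import List, Tuple

FIXED_VERSION = "3.9.4"  # Fix Resolution from the advisory

# Constructed sample in the style of a dev-requirements.txt; only the aiohttp
# pin reflects this report, the other lines are made up for the example.
SAMPLE_REQUIREMENTS = """\
aiohttp==3.8.6
pytest==7.4.0       # unrelated pin, must not be flagged
aiohttp-cors>=0.7.0 # different package and not pinned with ==
"""

_PIN_RE = re.compile(r"([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([0-9][^\s;]*)")


def normalize(name: str) -> str:
    """PEP 503 style normalisation so 'AioHTTP' and 'aiohttp' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(spec: str) -> Tuple[int, ...]:
    """Numeric release segment of a version, e.g. '3.9.4' -> (3, 9, 4).
    Pre-release suffixes such as '3.9.4b1' are truncated; a '3.9.4b1' pin would
    then pass this check, so treat the result as a first-pass screen only."""
    m = re.match(r"\d+(?:\.\d+)*", spec)
    if not m:
        raise ValueError(f"unparseable version: {spec!r}")
    return tuple(int(p) for p in m.group(0).split("."))


def is_affected(package: str, version: str) -> bool:
    """True when the pin is aiohttp and older than the fixed release."""
    return normalize(package) == "aiohttp" and parse_version(version) < parse_version(FIXED_VERSION)


def find_affected(requirements_text: str) -> List[str]:
    """Return the requirement lines that pin aiohttp below 3.9.4.
    Lines without an exact '==' pin are skipped: their resolved version cannot
    be decided from the file alone, check the lock file or the installed dist."""
    hits = []
    for raw in requirements_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _PIN_RE.match(line)
        if m and is_affected(m.group(1), m.group(2)):
            hits.append(line)
    return hits


def make_app(static_dir: str, show_index: bool = False):
    """Serve files from static_dir with aiohttp. The vulnerable configuration on
    an unpatched aiohttp is show_index=True (directory index pages); the advisory's
    mitigation is to keep it off (the default) or put a reverse proxy such as nginx
    in front. aiohttp is imported lazily so the checks above run without it."""
    from aiohttp import web

    app = web.Application()
    app.router.add_static("/static/", static_dir, show_index=show_index)
    return app


if __name__ == "__main__":
    for hit in find_affected(SAMPLE_REQUIREMENTS):
        print(f"vulnerable pin: {hit} (fixed in {FIXED_VERSION})")
```

Run it against the real `dev-requirements.txt` by passing the file contents to `find_affected`; an empty result only means no exact pin is below 3.9.4, so pair it with `pip show aiohttp` on the deployed environment, and grep the code base for `show_index=True` to confirm whether the vulnerable index pages are reachable at all.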