cvelistv5 - cve-2023-29159

CVE-2023-29159 (GCVE-0-2023-29159)

Vulnerability from cvelistv5

Published

2023-06-01 00:00

Modified

2025-01-09 19:18

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE

Directory traversal

Summary

Directory traversal vulnerability in Starlette versions 0.13.5 and later and prior to 0.27.0 allows a remote unauthenticated attacker to view files in a web service which was built using Starlette.

References

URL

Tags

vultures@jpcert.or.jp	https://github.com/encode/starlette/releases/tag/0.27.0	Release Notes
vultures@jpcert.or.jp	https://github.com/encode/starlette/security/advisories/GHSA-v5gw-mw7f-84px	Exploit, Vendor Advisory
vultures@jpcert.or.jp	https://jvn.jp/en/jp/JVN95981715/	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/encode/starlette/releases/tag/0.27.0	Release Notes
af854a3a-2127-422b-91ae-364da2661108	https://github.com/encode/starlette/security/advisories/GHSA-v5gw-mw7f-84px	Exploit, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://jvn.jp/en/jp/JVN95981715/	Third Party Advisory

Impacted products

	Vendor	Product	Version
	Encode	Starlette	Version: versions 0.13.5 and later and prior to 0.27.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T14:00:14.995Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/encode/starlette/security/advisories/GHSA-v5gw-mw7f-84px"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/encode/starlette/releases/tag/0.27.0"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://jvn.jp/en/jp/JVN95981715/"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2023-29159",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-09T19:18:22.960784Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-22",
                "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-01-09T19:18:29.375Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Starlette",
          "vendor": "Encode",
          "versions": [
            {
              "status": "affected",
              "version": "versions 0.13.5 and later and prior to 0.27.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Directory traversal vulnerability in Starlette versions 0.13.5 and later and prior to 0.27.0 allows a remote unauthenticated attacker to view files in a web service which was built using Starlette."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Directory traversal",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-06-01T00:00:00",
        "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "shortName": "jpcert"
      },
      "references": [
        {
          "url": "https://github.com/encode/starlette/security/advisories/GHSA-v5gw-mw7f-84px"
        },
        {
          "url": "https://github.com/encode/starlette/releases/tag/0.27.0"
        },
        {
          "url": "https://jvn.jp/en/jp/JVN95981715/"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
    "assignerShortName": "jpcert",
    "cveId": "CVE-2023-29159",
    "datePublished": "2023-06-01T00:00:00",
    "dateReserved": "2023-05-11T00:00:00",
    "dateUpdated": "2025-01-09T19:18:29.375Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-29159\",\"sourceIdentifier\":\"vultures@jpcert.or.jp\",\"published\":\"2023-06-01T02:15:09.803\",\"lastModified\":\"2025-01-09T20:15:33.313\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Directory traversal vulnerability in Starlette versions 0.13.5 and later and prior to 0.27.0 allows a remote unauthenticated attacker to view files in a web service which was built using Starlette.\"},{\"lang\":\"es\",\"value\":\"La vulnerabilidad de salto de directorios en Starlette v0.13.5 y posteriores y anteriores a 0.27.0 permite a un atacante remoto no autenticado ver archivos en un servicio web que fue creado usando Starlette. \"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-22\"}]},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-22\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:encode:starlette:*:*:*:*:*:python:*:*\",\"versionStartIncluding\":\"0.13.5\",\"versionEndExcluding\":\"0.27.0\",\"matchCriteriaId\":\"4AD6432E-5F9B-4A84-A978-5AD14E90C5E9\"}]}]}],\"references\":[{\"url\":\"https://github.com/encode/starlette/releases/tag/0.27.0\",\"source\":\"vultures@jpcert.or.jp\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://github.com/encode/starlette/security/advisories/GHSA-v5gw-mw7f-84px\",\"source\":\"vultures@jpcert.or.jp\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]},{\"url\":\"https://jvn.jp/en/jp/JVN95981715/\",\"source\":\"vultures@jpcert.or.jp\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/encode/starlette/releases/tag/0.27.0\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://github.com/encode/starlette/security/advisories/GHSA-v5gw-mw7f-84px\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]},{\"url\":\"https://jvn.jp/en/jp/JVN95981715/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/encode/starlette/security/advisories/GHSA-v5gw-mw7f-84px\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://github.com/encode/starlette/releases/tag/0.27.0\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://jvn.jp/en/jp/JVN95981715/\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T14:00:14.995Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-29159\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-01-09T19:18:22.960784Z\"}}}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-22\", \"description\": \"CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-01-09T18:12:56.652Z\"}}], \"cna\": {\"affected\": [{\"vendor\": \"Encode\", \"product\": \"Starlette\", \"versions\": [{\"status\": \"affected\", \"version\": \"versions 0.13.5 and later and prior to 0.27.0\"}]}], \"references\": [{\"url\": \"https://github.com/encode/starlette/security/advisories/GHSA-v5gw-mw7f-84px\"}, {\"url\": \"https://github.com/encode/starlette/releases/tag/0.27.0\"}, {\"url\": \"https://jvn.jp/en/jp/JVN95981715/\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Directory traversal vulnerability in Starlette versions 0.13.5 and later and prior to 0.27.0 allows a remote unauthenticated attacker to view files in a web service which was built using Starlette.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"text\", \"description\": \"Directory traversal\"}]}], \"providerMetadata\": {\"orgId\": \"ede6fdc4-6654-4307-a26d-3331c018e2ce\", \"shortName\": \"jpcert\", \"dateUpdated\": \"2023-06-01T00:00:00\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2023-29159\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-01-09T19:18:29.375Z\", \"dateReserved\": \"2023-05-11T00:00:00\", \"assignerOrgId\": \"ede6fdc4-6654-4307-a26d-3331c018e2ce\", \"datePublished\": \"2023-06-01T00:00:00\", \"assignerShortName\": \"jpcert\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

fkie_cve-2023-29159

Vulnerability from fkie_nvd

Published

2023-06-01 02:15

Modified

2025-01-09 20:15

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Summary

Directory traversal vulnerability in Starlette versions 0.13.5 and later and prior to 0.27.0 allows a remote unauthenticated attacker to view files in a web service which was built using Starlette.

References

URL	Tags
vultures@jpcert.or.jp	https://github.com/encode/starlette/releases/tag/0.27.0	Release Notes
vultures@jpcert.or.jp	https://github.com/encode/starlette/security/advisories/GHSA-v5gw-mw7f-84px	Exploit, Vendor Advisory
vultures@jpcert.or.jp	https://jvn.jp/en/jp/JVN95981715/	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/encode/starlette/releases/tag/0.27.0	Release Notes
af854a3a-2127-422b-91ae-364da2661108	https://github.com/encode/starlette/security/advisories/GHSA-v5gw-mw7f-84px	Exploit, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://jvn.jp/en/jp/JVN95981715/	Third Party Advisory

Impacted products

	Vendor	Product	Version
	encode	starlette	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:encode:starlette:*:*:*:*:*:python:*:*",
              "matchCriteriaId": "4AD6432E-5F9B-4A84-A978-5AD14E90C5E9",
              "versionEndExcluding": "0.27.0",
              "versionStartIncluding": "0.13.5",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Directory traversal vulnerability in Starlette versions 0.13.5 and later and prior to 0.27.0 allows a remote unauthenticated attacker to view files in a web service which was built using Starlette."
    },
    {
      "lang": "es",
      "value": "La vulnerabilidad de salto de directorios en Starlette v0.13.5 y posteriores y anteriores a 0.27.0 permite a un atacante remoto no autenticado ver archivos en un servicio web que fue creado usando Starlette. "
    }
  ],
  "id": "CVE-2023-29159",
  "lastModified": "2025-01-09T20:15:33.313",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2023-06-01T02:15:09.803",
  "references": [
    {
      "source": "vultures@jpcert.or.jp",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/encode/starlette/releases/tag/0.27.0"
    },
    {
      "source": "vultures@jpcert.or.jp",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/encode/starlette/security/advisories/GHSA-v5gw-mw7f-84px"
    },
    {
      "source": "vultures@jpcert.or.jp",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://jvn.jp/en/jp/JVN95981715/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/encode/starlette/releases/tag/0.27.0"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/encode/starlette/security/advisories/GHSA-v5gw-mw7f-84px"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://jvn.jp/en/jp/JVN95981715/"
    }
  ],
  "sourceIdentifier": "vultures@jpcert.or.jp",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-22"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-22"
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary"
    }
  ]
}

gsd-2023-29159

Vulnerability from gsd

Modified

2023-12-13 01:20

Details

Directory traversal vulnerability in Starlette versions 0.13.5 and later and prior to 0.27.0 allows a remote unauthenticated attacker to view files in a web service which was built using Starlette.

Aliases

CVE-2023-29159

Aliases

CVE-2023-29159

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2023-29159",
    "id": "GSD-2023-29159"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2023-29159"
      ],
      "details": "Directory traversal vulnerability in Starlette versions 0.13.5 and later and prior to 0.27.0 allows a remote unauthenticated attacker to view files in a web service which was built using Starlette.",
      "id": "GSD-2023-29159",
      "modified": "2023-12-13T01:20:56.742340Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "vultures@jpcert.or.jp",
        "ID": "CVE-2023-29159",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Starlette",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "versions 0.13.5 and later and prior to 0.27.0"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Encode"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Directory traversal vulnerability in Starlette versions 0.13.5 and later and prior to 0.27.0 allows a remote unauthenticated attacker to view files in a web service which was built using Starlette."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "Directory traversal"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/encode/starlette/security/advisories/GHSA-v5gw-mw7f-84px",
            "refsource": "MISC",
            "url": "https://github.com/encode/starlette/security/advisories/GHSA-v5gw-mw7f-84px"
          },
          {
            "name": "https://github.com/encode/starlette/releases/tag/0.27.0",
            "refsource": "MISC",
            "url": "https://github.com/encode/starlette/releases/tag/0.27.0"
          },
          {
            "name": "https://jvn.jp/en/jp/JVN95981715/",
            "refsource": "MISC",
            "url": "https://jvn.jp/en/jp/JVN95981715/"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:encode:starlette:*:*:*:*:*:python:*:*",
                "cpe_name": [],
                "versionEndExcluding": "0.27.0",
                "versionStartIncluding": "0.13.5",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "vultures@jpcert.or.jp",
          "ID": "CVE-2023-29159"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Directory traversal vulnerability in Starlette versions 0.13.5 and later and prior to 0.27.0 allows a remote unauthenticated attacker to view files in a web service which was built using Starlette."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-22"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/encode/starlette/releases/tag/0.27.0",
              "refsource": "MISC",
              "tags": [
                "Release Notes"
              ],
              "url": "https://github.com/encode/starlette/releases/tag/0.27.0"
            },
            {
              "name": "https://jvn.jp/en/jp/JVN95981715/",
              "refsource": "MISC",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://jvn.jp/en/jp/JVN95981715/"
            },
            {
              "name": "https://github.com/encode/starlette/security/advisories/GHSA-v5gw-mw7f-84px",
              "refsource": "MISC",
              "tags": [
                "Exploit",
                "Vendor Advisory"
              ],
              "url": "https://github.com/encode/starlette/security/advisories/GHSA-v5gw-mw7f-84px"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.6
        }
      },
      "lastModifiedDate": "2023-06-08T01:59Z",
      "publishedDate": "2023-06-01T02:15Z"
    }
  }
}

WID-SEC-W-2024-0423

Vulnerability from csaf_certbund

Published

2024-02-19 23:00

Modified

2024-02-19 23:00

Summary

IBM Business Automation Workflow: Mehrere Schwachstellen

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung

IBM Business Automation Workflow ist eine Lösung zur Automatisierung von Arbeitsabläufen.

Angriff

Ein entfernter Angreifer kann mehrere Schwachstellen in IBM Business Automation Workflow ausnutzen, um einen Denial of Service Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder Informationen offenzulegen.

Betroffene Betriebssysteme

- UNIX - Linux - Windows

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "mittel"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "IBM Business Automation Workflow ist eine L\u00f6sung zur Automatisierung von Arbeitsabl\u00e4ufen.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter Angreifer kann mehrere Schwachstellen in IBM Business Automation Workflow ausnutzen, um einen Denial of Service Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder Informationen offenzulegen.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- UNIX\n- Linux\n- Windows",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2024-0423 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-0423.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2024-0423 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-0423"
      },
      {
        "category": "external",
        "summary": "IBM Security Bulletin vom 2024-02-19",
        "url": "https://www.ibm.com/support/pages/node/7120748"
      }
    ],
    "source_lang": "en-US",
    "title": "IBM Business Automation Workflow: Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2024-02-19T23:00:00.000+00:00",
      "generator": {
        "date": "2024-08-15T18:05:25.093+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.3.5"
        }
      },
      "id": "WID-SEC-W-2024-0423",
      "initial_release_date": "2024-02-19T23:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2024-02-19T23:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "V23.0.2",
                "product": {
                  "name": "IBM Business Automation Workflow V23.0.2",
                  "product_id": "T032911",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:ibm:business_automation_workflow:v23.0.2"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Business Automation Workflow"
          }
        ],
        "category": "vendor",
        "name": "IBM"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2023-44271",
      "notes": [
        {
          "category": "description",
          "text": "In IBM Business Automation Workflow existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Komponenten von Drittanbietern. Ein entfernter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuf\u00fchren, Informationen offenzulegen oder Sicherheitsvorkehrungen zu umgehen."
        }
      ],
      "product_status": {
        "known_affected": [
          "T032911"
        ]
      },
      "release_date": "2024-02-19T23:00:00.000+00:00",
      "title": "CVE-2023-44271"
    },
    {
      "cve": "CVE-2023-43804",
      "notes": [
        {
          "category": "description",
          "text": "In IBM Business Automation Workflow existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Komponenten von Drittanbietern. Ein entfernter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuf\u00fchren, Informationen offenzulegen oder Sicherheitsvorkehrungen zu umgehen."
        }
      ],
      "product_status": {
        "known_affected": [
          "T032911"
        ]
      },
      "release_date": "2024-02-19T23:00:00.000+00:00",
      "title": "CVE-2023-43804"
    },
    {
      "cve": "CVE-2023-29824",
      "notes": [
        {
          "category": "description",
          "text": "In IBM Business Automation Workflow existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Komponenten von Drittanbietern. Ein entfernter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuf\u00fchren, Informationen offenzulegen oder Sicherheitsvorkehrungen zu umgehen."
        }
      ],
      "product_status": {
        "known_affected": [
          "T032911"
        ]
      },
      "release_date": "2024-02-19T23:00:00.000+00:00",
      "title": "CVE-2023-29824"
    },
    {
      "cve": "CVE-2023-29159",
      "notes": [
        {
          "category": "description",
          "text": "In IBM Business Automation Workflow existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Komponenten von Drittanbietern. Ein entfernter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuf\u00fchren, Informationen offenzulegen oder Sicherheitsvorkehrungen zu umgehen."
        }
      ],
      "product_status": {
        "known_affected": [
          "T032911"
        ]
      },
      "release_date": "2024-02-19T23:00:00.000+00:00",
      "title": "CVE-2023-29159"
    },
    {
      "cve": "CVE-2023-27043",
      "notes": [
        {
          "category": "description",
          "text": "In IBM Business Automation Workflow existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Komponenten von Drittanbietern. Ein entfernter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuf\u00fchren, Informationen offenzulegen oder Sicherheitsvorkehrungen zu umgehen."
        }
      ],
      "product_status": {
        "known_affected": [
          "T032911"
        ]
      },
      "release_date": "2024-02-19T23:00:00.000+00:00",
      "title": "CVE-2023-27043"
    },
    {
      "cve": "CVE-2023-25399",
      "notes": [
        {
          "category": "description",
          "text": "In IBM Business Automation Workflow existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Komponenten von Drittanbietern. Ein entfernter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuf\u00fchren, Informationen offenzulegen oder Sicherheitsvorkehrungen zu umgehen."
        }
      ],
      "product_status": {
        "known_affected": [
          "T032911"
        ]
      },
      "release_date": "2024-02-19T23:00:00.000+00:00",
      "title": "CVE-2023-25399"
    }
  ]
}

wid-sec-w-2024-0423

Vulnerability from csaf_certbund

Published

2024-02-19 23:00

Modified

2024-02-19 23:00

Summary

IBM Business Automation Workflow: Mehrere Schwachstellen

Notes

Produktbeschreibung

IBM Business Automation Workflow ist eine Lösung zur Automatisierung von Arbeitsabläufen.

Angriff

Betroffene Betriebssysteme

- UNIX - Linux - Windows

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "mittel"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "IBM Business Automation Workflow ist eine L\u00f6sung zur Automatisierung von Arbeitsabl\u00e4ufen.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter Angreifer kann mehrere Schwachstellen in IBM Business Automation Workflow ausnutzen, um einen Denial of Service Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder Informationen offenzulegen.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- UNIX\n- Linux\n- Windows",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2024-0423 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-0423.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2024-0423 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-0423"
      },
      {
        "category": "external",
        "summary": "IBM Security Bulletin vom 2024-02-19",
        "url": "https://www.ibm.com/support/pages/node/7120748"
      }
    ],
    "source_lang": "en-US",
    "title": "IBM Business Automation Workflow: Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2024-02-19T23:00:00.000+00:00",
      "generator": {
        "date": "2024-08-15T18:05:25.093+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.3.5"
        }
      },
      "id": "WID-SEC-W-2024-0423",
      "initial_release_date": "2024-02-19T23:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2024-02-19T23:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "V23.0.2",
                "product": {
                  "name": "IBM Business Automation Workflow V23.0.2",
                  "product_id": "T032911",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:ibm:business_automation_workflow:v23.0.2"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Business Automation Workflow"
          }
        ],
        "category": "vendor",
        "name": "IBM"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2023-44271",
      "notes": [
        {
          "category": "description",
          "text": "In IBM Business Automation Workflow existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Komponenten von Drittanbietern. Ein entfernter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuf\u00fchren, Informationen offenzulegen oder Sicherheitsvorkehrungen zu umgehen."
        }
      ],
      "product_status": {
        "known_affected": [
          "T032911"
        ]
      },
      "release_date": "2024-02-19T23:00:00.000+00:00",
      "title": "CVE-2023-44271"
    },
    {
      "cve": "CVE-2023-43804",
      "notes": [
        {
          "category": "description",
          "text": "In IBM Business Automation Workflow existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Komponenten von Drittanbietern. Ein entfernter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuf\u00fchren, Informationen offenzulegen oder Sicherheitsvorkehrungen zu umgehen."
        }
      ],
      "product_status": {
        "known_affected": [
          "T032911"
        ]
      },
      "release_date": "2024-02-19T23:00:00.000+00:00",
      "title": "CVE-2023-43804"
    },
    {
      "cve": "CVE-2023-29824",
      "notes": [
        {
          "category": "description",
          "text": "In IBM Business Automation Workflow existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Komponenten von Drittanbietern. Ein entfernter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuf\u00fchren, Informationen offenzulegen oder Sicherheitsvorkehrungen zu umgehen."
        }
      ],
      "product_status": {
        "known_affected": [
          "T032911"
        ]
      },
      "release_date": "2024-02-19T23:00:00.000+00:00",
      "title": "CVE-2023-29824"
    },
    {
      "cve": "CVE-2023-29159",
      "notes": [
        {
          "category": "description",
          "text": "In IBM Business Automation Workflow existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Komponenten von Drittanbietern. Ein entfernter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuf\u00fchren, Informationen offenzulegen oder Sicherheitsvorkehrungen zu umgehen."
        }
      ],
      "product_status": {
        "known_affected": [
          "T032911"
        ]
      },
      "release_date": "2024-02-19T23:00:00.000+00:00",
      "title": "CVE-2023-29159"
    },
    {
      "cve": "CVE-2023-27043",
      "notes": [
        {
          "category": "description",
          "text": "In IBM Business Automation Workflow existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Komponenten von Drittanbietern. Ein entfernter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuf\u00fchren, Informationen offenzulegen oder Sicherheitsvorkehrungen zu umgehen."
        }
      ],
      "product_status": {
        "known_affected": [
          "T032911"
        ]
      },
      "release_date": "2024-02-19T23:00:00.000+00:00",
      "title": "CVE-2023-27043"
    },
    {
      "cve": "CVE-2023-25399",
      "notes": [
        {
          "category": "description",
          "text": "In IBM Business Automation Workflow existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Komponenten von Drittanbietern. Ein entfernter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuf\u00fchren, Informationen offenzulegen oder Sicherheitsvorkehrungen zu umgehen."
        }
      ],
      "product_status": {
        "known_affected": [
          "T032911"
        ]
      },
      "release_date": "2024-02-19T23:00:00.000+00:00",
      "title": "CVE-2023-25399"
    }
  ]
}

cve-2023-29159

Vulnerability from jvndb

Published

2023-05-30 13:34

Modified

2024-03-19 18:08

Severity ?

3.7 (Low) - cvssV3_0 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Summary

Starlette vulnerable to directory traversal

Details

Starlette provided by Encode contains a directory traversal vulnerability (CWE-22). Masashi Yamane of LAC Co., Ltd. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

References

Type

URL

	JVN	http://jvn.jp/en/jp/JVN95981715/index.html
	CVE	https://www.cve.org/CVERecord?id=CVE-2023-29159
	NVD	https://nvd.nist.gov/vuln/detail/CVE-2023-29159
	Path Traversal(CWE-22)	https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html

Impacted products

Vendor

Product

Encode

Starlette

Show details on JVN DB website

JSON

To clipboard

{
  "@rdf:about": "https://jvndb.jvn.jp/en/contents/2023/JVNDB-2023-000056.html",
  "dc:date": "2024-03-19T18:08+09:00",
  "dcterms:issued": "2023-05-30T13:34+09:00",
  "dcterms:modified": "2024-03-19T18:08+09:00",
  "description": "Starlette provided by Encode contains a directory traversal vulnerability (CWE-22).\r\n\r\nMasashi Yamane of LAC Co., Ltd. reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
  "link": "https://jvndb.jvn.jp/en/contents/2023/JVNDB-2023-000056.html",
  "sec:cpe": {
    "#text": "cpe:/a:encode:starlette",
    "@product": "Starlette",
    "@vendor": "Encode",
    "@version": "2.2"
  },
  "sec:cvss": [
    {
      "@score": "4.3",
      "@severity": "Medium",
      "@type": "Base",
      "@vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
      "@version": "2.0"
    },
    {
      "@score": "3.7",
      "@severity": "Low",
      "@type": "Base",
      "@vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "@version": "3.0"
    }
  ],
  "sec:identifier": "JVNDB-2023-000056",
  "sec:references": [
    {
      "#text": "http://jvn.jp/en/jp/JVN95981715/index.html",
      "@id": "JVN#95981715",
      "@source": "JVN"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2023-29159",
      "@id": "CVE-2023-29159",
      "@source": "CVE"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2023-29159",
      "@id": "CVE-2023-29159",
      "@source": "NVD"
    },
    {
      "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
      "@id": "CWE-22",
      "@title": "Path Traversal(CWE-22)"
    }
  ],
  "title": "Starlette vulnerable to directory traversal"
}

ghsa-v5gw-mw7f-84px

Vulnerability from github

Published

2023-05-17 03:49

Modified

2024-10-28 14:29

Severity ?

3.7 (Low) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
6.3 (Medium) - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Summary

Starlette has Path Traversal vulnerability in StaticFiles

Details

Summary

When using StaticFiles, if there's a file or directory that starts with the same name as the StaticFiles directory, that file or directory is also exposed via StaticFiles which is a path traversal vulnerability.

Details

The root cause of this issue is the usage of os.path.commonprefix(): https://github.com/encode/starlette/blob/4bab981d9e870f6cee1bd4cd59b87ddaf355b2dc/starlette/staticfiles.py#L172-L174

As stated in the Python documentation (https://docs.python.org/3/library/os.path.html#os.path.commonprefix) this function returns the longest prefix common to paths.

When passing a path like /static/../static1.txt, os.path.commonprefix([full_path, directory]) returns ./static which is the common part of ./static1.txt and ./static, It refers to /static/../static1.txt because it is considered in the staticfiles directory. As a result, it becomes possible to view files that should not be open to the public.

The solution is to use os.path.commonpath as the Python documentation explains that os.path.commonprefix works a character at a time, it does not treat the arguments as paths.

PoC

In order to reproduce the issue, you need to create the following structure:

├── static │ ├── index.html ├── static_disallow │ ├── index.html └── static1.txt

And run the Starlette app with:

```py import uvicorn from starlette.applications import Starlette from starlette.routing import Mount from starlette.staticfiles import StaticFiles

routes = [ Mount("/static", app=StaticFiles(directory="static", html=True), name="static"), ]

app = Starlette(routes=routes)

if name == "main": uvicorn.run(app, host="0.0.0.0", port=8000) ```

And running the commands:

shell curl --path-as-is 'localhost:8000/static/../static_disallow/' curl --path-as-is 'localhost:8000/static/../static1.txt' The static1.txt and the directory static_disallow are exposed.

Impact

Confidentiality is breached: An attacker may obtain files that should not be open to the public.

Credits

Security researcher Masashi Yamane of LAC Co., Ltd reported this vulnerability to JPCERT/CC Vulnerability Coordination Group and they contacted us to coordinate a patch for the security issue.

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "starlette"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.13.5"
            },
            {
              "fixed": "0.27.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-29159"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-05-17T03:49:14Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Summary\nWhen using `StaticFiles`, if there\u0027s a file or directory that starts with the same name as the `StaticFiles` directory, that file or directory is also exposed via `StaticFiles` which is a path traversal vulnerability.\n\n### Details\nThe root cause of this issue is the usage of `os.path.commonprefix()`:\nhttps://github.com/encode/starlette/blob/4bab981d9e870f6cee1bd4cd59b87ddaf355b2dc/starlette/staticfiles.py#L172-L174\n\nAs stated in the Python documentation (https://docs.python.org/3/library/os.path.html#os.path.commonprefix) this function returns the longest prefix common to paths.\n\nWhen passing a path like `/static/../static1.txt`, `os.path.commonprefix([full_path, directory])` returns `./static` which is the common part of `./static1.txt` and `./static`, It refers to `/static/../static1.txt` because it is considered in the staticfiles directory. As a result, it becomes possible to view files that should not be open to the public.\n\nThe solution is to use `os.path.commonpath` as the Python documentation explains that `os.path.commonprefix` works a character at a time, it does not treat the arguments as paths.\n\n### PoC\nIn order to reproduce the issue, you need to create the following structure:\n\n```\n\u251c\u2500\u2500 static\n\u2502   \u251c\u2500\u2500 index.html\n\u251c\u2500\u2500 static_disallow\n\u2502   \u251c\u2500\u2500 index.html\n\u2514\u2500\u2500 static1.txt\n```\n\nAnd run the `Starlette` app with:\n\n```py\nimport uvicorn\nfrom starlette.applications import Starlette\nfrom starlette.routing import Mount\nfrom starlette.staticfiles import StaticFiles\n\n\nroutes = [\n    Mount(\"/static\", app=StaticFiles(directory=\"static\", html=True), name=\"static\"),\n]\n\napp = Starlette(routes=routes)\n\n\nif __name__ == \"__main__\":\n    uvicorn.run(app, host=\"0.0.0.0\", port=8000)\n```\n\nAnd running the commands:\n\n```shell\ncurl --path-as-is \u0027localhost:8000/static/../static_disallow/\u0027\ncurl --path-as-is \u0027localhost:8000/static/../static1.txt\u0027\n```\nThe `static1.txt` and the directory `static_disallow` are exposed.\n\n### Impact\nConfidentiality is breached: An attacker may obtain files that should not be open to the public.\n\n### Credits\nSecurity researcher **Masashi Yamane of LAC Co., Ltd** reported this vulnerability to **JPCERT/CC Vulnerability Coordination Group** and they contacted us to coordinate a patch for the security issue.\n",
  "id": "GHSA-v5gw-mw7f-84px",
  "modified": "2024-10-28T14:29:32Z",
  "published": "2023-05-17T03:49:14Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/encode/starlette/security/advisories/GHSA-v5gw-mw7f-84px"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29159"
    },
    {
      "type": "WEB",
      "url": "https://github.com/encode/starlette/commit/1797de464124b090f10cf570441e8292936d63e3"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/encode/starlette"
    },
    {
      "type": "WEB",
      "url": "https://github.com/encode/starlette/blob/4bab981d9e870f6cee1bd4cd59b87ddaf355b2dc/starlette/staticfiles.py#L172-L174"
    },
    {
      "type": "WEB",
      "url": "https://github.com/encode/starlette/releases/tag/0.27.0"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/starlette/PYSEC-2023-83.yaml"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/en/jp/JVN95981715"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Starlette has Path Traversal vulnerability in StaticFiles"
}

pysec-2023-83

Vulnerability from pysec

Published

2023-06-01 02:15

Modified

2023-06-08 05:25

Details

Directory traversal vulnerability in Starlette versions 0.13.5 and later and prior to 0.27.0 allows a remote unauthenticated attacker to view files in a web service which was built using Starlette.

Impacted products

Name	purl
starlette	pkg:pypi/starlette

Aliases

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "starlette",
        "purl": "pkg:pypi/starlette"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.13.5"
            },
            {
              "fixed": "0.27.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.13.5",
        "0.13.6",
        "0.13.7",
        "0.13.8",
        "0.14.0",
        "0.14.1",
        "0.14.2",
        "0.15.0",
        "0.16.0",
        "0.17.0",
        "0.17.1",
        "0.18.0",
        "0.19.0",
        "0.19.1",
        "0.20.0",
        "0.20.1",
        "0.20.2",
        "0.20.3",
        "0.20.4",
        "0.21.0",
        "0.22.0",
        "0.23.0",
        "0.23.1",
        "0.24.0",
        "0.25.0",
        "0.26.0",
        "0.26.0.post1",
        "0.26.1"
      ]
    }
  ],
  "aliases": [
    "CVE-2023-29159",
    "GHSA-v5gw-mw7f-84px"
  ],
  "details": "Directory traversal vulnerability in Starlette versions 0.13.5 and later and prior to 0.27.0 allows a remote unauthenticated attacker to view files in a web service which was built using Starlette.",
  "id": "PYSEC-2023-83",
  "modified": "2023-06-08T05:25:54.818459Z",
  "published": "2023-06-01T02:15:00Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/encode/starlette/releases/tag/0.27.0"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/en/jp/JVN95981715/"
    },
    {
      "type": "EVIDENCE",
      "url": "https://github.com/encode/starlette/security/advisories/GHSA-v5gw-mw7f-84px"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/encode/starlette/security/advisories/GHSA-v5gw-mw7f-84px"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2023-29159 (GCVE-0-2023-29159)

Vulnerability from cvelistv5

fkie_cve-2023-29159

Vulnerability from fkie_nvd

gsd-2023-29159

Vulnerability from gsd

WID-SEC-W-2024-0423

Vulnerability from csaf_certbund

wid-sec-w-2024-0423

Vulnerability from csaf_certbund

cve-2023-29159

Vulnerability from jvndb

ghsa-v5gw-mw7f-84px

Vulnerability from github

Summary

Details

PoC

Impact

Credits

pysec-2023-83

Vulnerability from pysec

Tags

Sightings

Nomenclature