CVE-2023-40587
CVSS 3.1 Score 5.3 of 10 (medium)
Details
Summary
CVE-2023-40587 is a path traversal vulnerability in Pyramid, an open-source Python web framework. It affects versions 2.0.0 and 2.0.1 when a static view is configured with a full filesystem path and an `index.html` file exists one directory above the static view's filesystem path, on systems running Python 3.11. The vulnerability discloses only that `index.html` file; it is also recommended not to use null bytes in file or directory names. Python 3.12 and 3.11.5 will address the underlying issue by reverting the behavior of `os.path.normpath`. Available workarounds include upgrading to an unaffected Python version, downgrading to Python 3.10, or waiting for the Python 3.11.5 release.
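As an added illustration (not Pyramid's own code), the following hardened path-resolution routine for a static file handler rejects null bytes before any call to `os.path.normpath`, refuses parent-directory segments, and verifies that the resolved file still lies under the served root; `resolve_static_path`, `is_safe` and the `/srv/app/static` root are hypothetical names chosen for the example.

```python
import posixpath
from urllib.parse import unquote


class UnsafePath(ValueError):
    """Raised when a request path must not be served from the static root."""


def resolve_static_path(root: str, request_path: str) -> str:
    """Map a URL path onto a file under ``root`` or raise UnsafePath.

    ``root`` is the absolute directory served by a static view (hypothetical
    name). The request path is percent-decoded first so that encoded dots,
    slashes and NUL bytes are checked in their decoded form.
    """
    if not posixpath.isabs(root):
        raise ValueError("static root must be an absolute path")
    root = posixpath.normpath(root)
    decoded = unquote(request_path)
    # Reject NUL bytes *before* normalisation: the CVE-2023-40587 root cause is
    # os.path.normpath() handling them differently on Python 3.11.0-3.11.4.
    if "\x00" in decoded:
        raise UnsafePath("NUL byte in request path")
    # Split into POSIX segments; drop empty and "." segments, refuse "..".
    parts = [p for p in decoded.split("/") if p not in ("", ".")]
    if ".." in parts:
        raise UnsafePath("parent-directory segment in request path")
    candidate = posixpath.normpath(posixpath.join(root, *parts))
    # Defence in depth: whatever normalisation did, stay inside the root.
    if posixpath.commonpath([root, candidate]) != root:
        raise UnsafePath("resolved path escapes the static root")
    return candidate


def is_safe(root: str, request_path: str) -> bool:
    """True if ``request_path`` resolves to a file under ``root``."""
    try:
        resolve_static_path(root, request_path)
    except UnsafePath:
        return False
    return True
```

The same checks apply equally to a path that arrives already decoded, since `unquote` leaves literal characters untouched.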
Affected Products
- Fedora Operating System
Affected Vendors
- Fedora Project