CVE-2023-40587

CVSS 3.1 Score 5.3 of 10 (medium)

Details

Published Aug 25, 2023
Updated: Feb 16, 2024
CWE ID 22

Summary

CVE-2023-40587 is a path traversal vulnerability affecting Pyramid, an open-source Python web framework. This issue occurs in versions 2.0.0 and 2.0.1 when using a static view with a full filesystem path containing an `index.html` file located one directory above the static view's file system path on Python 3.11 systems. The vulnerability only discloses the `index.html` file, but it's crucial to note that null-bytes should not be used in file/directory naming. Python 3.12 and 3.11.5 will address the underlying issue by reverting the behavior of `os.path.normpath`. Users can apply workarounds, including upgrading to a non-affected Python version, downgrading to Python 3.10, or waiting for the Python 3.11.5 release.
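The defensive check a static-file handler wants here, written as an added example that is not Pyramid's code and not taken from the advisory: it rejects embedded NUL bytes before any path function sees the request, refuses `..` components outright, and confirms containment with `os.path.realpath` plus `os.path.commonpath` rather than relying on `os.path.normpath` alone. The root directory `/srv/static` and the request strings are constructed sample values; the function assumes a POSIX filesystem and a request path that has already been percent-decoded by the framework.

```python
import os
from typing import Optional


def safe_static_path(root: str, requested: str) -> Optional[str]:
    """Map a request path onto a file under `root`.

    Returns the absolute, resolved filesystem path, or None when the
    request must be refused. Constructed helper for illustration; not
    Pyramid's static view.
    """
    # Refuse NUL bytes before calling any path routine: a normaliser that
    # truncates at NUL instead of failing would otherwise see a different
    # path than the one used for the containment check.
    if "\x00" in requested:
        return None

    # Split on '/' and drop empty and '.' segments; any '..' segment is an
    # attempt to leave the root and is rejected rather than normalised away.
    parts = [p for p in requested.split("/") if p not in ("", ".")]
    if any(p == ".." for p in parts):
        return None

    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, *parts))

    # Containment: after symlink resolution the candidate must be the root
    # itself or a descendant of it. commonpath() works on path components,
    # so a sibling such as /srv/static-private cannot pass as /srv/static.
    if os.path.commonpath([root_real, candidate]) != root_real:
        return None
    return candidate


def is_safe_static_request(root: str, requested: str) -> bool:
    """Boolean convenience wrapper around safe_static_path()."""
    return safe_static_path(root, requested) is not None


if __name__ == "__main__":
    # Constructed sample requests against a constructed root.
    ROOT = "/srv/static"
    for req in ("css/app.css", "./img/logo.png", "../index.html",
                "css/../../index.html", "css/app.css\x00.txt"):
        print(repr(req), "->", safe_static_path(ROOT, req))
```

Rejecting `..` up front is deliberately stricter than normalising it: a static handler has no legitimate use for parent references, so refusing them removes the dependence on how a particular Python release implements normalisation, which is exactly the dependency this CVE exposed.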


Affected Products

  • Fedora Operating System

Affected Vendors

  • Fedora Project