JVN#95981715: Starlette vulnerable to directory traversal

Overview

Starlette contains a directory traversal vulnerability.

Products Affected

Starlette versions 0.13.5 and later and prior to 0.27.0

Description

Starlette provided by Encode contains a directory traversal vulnerability (CWE-22).

Impact

Under certain conditions, a remote attacker may view files in a web service which was built using the product.

Solution

Update the software
Update the software according to the information provided by the developer.
The developer has released the following version that addresses the vulnerability.

Starlette 0.27.0

Vendor Status

Vendor	Link
Encode	Path traversal vulnerability in StaticFiles
	Release Version 0.27.0

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

CVSS v3 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Base Score: 3.7

Attack Vector(AV)	Physical (P)	Local (L)	Adjacent (A)	Network (N)
Attack Complexity(AC)	High (H)	Low (L)
Privileges Required(PR)	High (H)	Low (L)	None (N)
User Interaction(UI)	Required (R)	None (N)
Scope(S)	Unchanged (U)	Changed (C)
Confidentiality Impact(C)	None (N)	Low (L)	High (H)
Integrity Impact(I)	None (N)	Low (L)	High (H)
Availability Impact(A)	None (N)	Low (L)	High (H)

CVSS v2 AV:N/AC:M/Au:N/C:P/I:N/A:N

Base Score: 4.3

Access Vector(AV)	Local (L)	Adjacent Network (A)	Network (N)
Access Complexity(AC)	High (H)	Medium (M)	Low (L)
Authentication(Au)	Multiple (M)	Single (S)	None (N)
Confidentiality Impact(C)	None (N)	Partial (P)	Complete (C)
Integrity Impact(I)	None (N)	Partial (P)	Complete (C)
Availability Impact(A)	None (N)	Partial (P)	Complete (C)

Credit

Masashi Yamane of LAC Co., Ltd. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE	CVE-2023-29159
JVN iPedia	JVNDB-2023-000056

JVN#95981715 Starlette vulnerable to directory traversal