CVE-2023-29159
Path Traversal vulnerability in starlette (PyPI)
What is CVE-2023-29159 About?
This path traversal vulnerability exists in Starlette's `StaticFiles` component due to improper use of `os.path.commonprefix()`. Attackers can access files or directories outside the designated `StaticFiles` root if their names begin with the same characters as the `StaticFiles` directory name. This leads to information disclosure of sensitive files that should not be publicly accessible.
Affected Software
Technical Details
The root cause of this vulnerability lies in the `StaticFiles` component of Starlette, specifically its use of `os.path.commonprefix()` at https://github.com/encode/starlette/blob/4bab981d9e870f6cee1bd4cd59b87ddaf355b2dc/starlette/staticfiles.py#L172-L174. Unlike `os.path.commonpath()`, `os.path.commonprefix()` operates character by character and does not interpret path components. When a request path such as `/static/../static1.txt` is processed and `StaticFiles` is configured for `/static`, `os.path.commonprefix()` determines `./static` as the common prefix between `./static1.txt` and `./static`. This incorrect prefix calculation causes the containment check to conclude that `static1.txt` is located within the `/static` directory, granting unauthorized access to files outside the intended static file serving directory. The attack vector involves crafting URLs with `../` sequences that leverage this prefix logic.
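To make the prefix-versus-component distinction concrete, the following added example (not Starlette's own code) models the containment check as described above, with the vulnerable `commonprefix()` form beside the corrected `commonpath()` form. The root directory and request paths are constructed for illustration, and `posixpath.normpath()` stands in for the real path resolution so the example runs without touching the filesystem.

```python
import posixpath

# Constructed example root; sibling entries such as /srv/app/static1.txt
# share the string prefix "/srv/app/static" without living inside it.
STATIC_ROOT = "/srv/app/static"


def resolve(root: str, requested: str) -> str:
    """Join the request path onto the root and collapse '..' segments.

    Stand-in for os.path.realpath() so the example is deterministic offline.
    """
    return posixpath.normpath(posixpath.join(root, requested))


def vulnerable_check(root: str, requested: str) -> bool:
    """Pre-0.27.0 style check: character-wise common prefix.

    Any resolved path whose string merely starts with the root passes,
    which is exactly the CVE-2023-29159 defect.
    """
    full_path = resolve(root, requested)
    return posixpath.commonprefix([full_path, root]) == root


def fixed_check(root: str, requested: str) -> bool:
    """0.27.0 style check: component-wise common path.

    Only paths that share every directory component with the root pass,
    so /srv/app/static1.txt resolves to a common path of /srv/app and is rejected.
    """
    full_path = resolve(root, requested)
    return posixpath.commonpath([full_path, root]) == root


def compare(requests):
    """Return {request: (vulnerable_result, fixed_result)} for a list of request paths."""
    return {r: (vulnerable_check(STATIC_ROOT, r), fixed_check(STATIC_ROOT, r)) for r in requests}


if __name__ == "__main__":
    for req, (vuln, fixed) in compare(
        ["css/site.css", "../static1.txt", "../static-backup/keys.pem", "../config.yaml"]
    ).items():
        print(f"{req:28} vulnerable={vuln!s:5} fixed={fixed}")
```

The traversal only slips past the vulnerable check when the sibling name shares the root's prefix (`static1.txt`, `static-backup/`); a sibling like `config.yaml` fails both checks, which is why the advisory scopes the impact to same-prefix names.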
What is the Impact of CVE-2023-29159?
Successful exploitation may allow attackers to obtain sensitive information from files that should not be publicly accessible, leading to a breach of confidentiality.
What is the Exploitability of CVE-2023-29159?
Exploitation of this path traversal vulnerability is relatively straightforward and requires no authentication or special privileges, only the ability to send HTTP requests to the vulnerable Starlette application. The attacker needs remote access to the web server. The complexity is low to medium, as it involves crafting URLs with directory traversal sequences (e.g., `../`). There are no special conditions beyond the vulnerable configuration of `StaticFiles` and the presence of files or directories whose names share a common prefix with the static directory. The likelihood of exploitation increases if the application serves static files and has other potentially sensitive files or directories stored at sibling paths to the `StaticFiles` root.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2023-29159?
Available Upgrade Options
- starlette
- >0.13.5, <0.27.0 → Upgrade to 0.27.0
Additional Resources
- https://github.com/pypa/advisory-database/tree/main/vulns/starlette/PYSEC-2023-83.yaml
- https://github.com/encode/starlette/commit/1797de464124b090f10cf570441e8292936d63e3
- https://nvd.nist.gov/vuln/detail/CVE-2023-29159
- https://github.com/encode/starlette/releases/tag/0.27.0
- https://github.com/encode/starlette/blob/4bab981d9e870f6cee1bd4cd59b87ddaf355b2dc/starlette/staticfiles.py#L172-L174
- https://jvn.jp/en/jp/JVN95981715
- https://github.com/encode/starlette/security/advisories/GHSA-v5gw-mw7f-84px
- https://github.com/encode/starlette
What are Similar Vulnerabilities to CVE-2023-29159?
Similar Vulnerabilities: CVE-2022-31045, CVE-2020-13936, CVE-2021-39293, CVE-2020-10977, CVE-2022-24348
