Fluid Attacks Database

Description

Directory traversal vulnerability in Starlette versions 0.13.5 and later and prior to 0.27.0 allows a remote unauthenticated attacker to view files in a web service which was built using Starlette.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 14	starlette	>=0 <0.28.0-1	0.28.0-1
debian 12	starlette	=0.26.1-1 \|\| >=0 <0.26.1-1+deb12u1	0.26.1-1+deb12u1
debian 11	starlette	=0.14.1-1 \|\| =0.16.0-1 \|\| =0.18.0-1 \|\| =0.20.4-1 \|\| =0.23.1-1 \|\| =0.24.0-1 \|\| =0.25.0-1 \|\| =0.25.0-2 \|\| =0.26.1-1 \|\| =0.28.0-1 \|\| =0.30.0-1 \|\| =0.31.1-1 \|\| =0.37.2-1 \|\| =0.38.2-1 \|\| =0.39.1-1 \|\| =0.39.2-1 \|\| =0.41.0-1 \|\| =0.41.2-1 \|\| =0.41.3-1 \|\| =0.41.3-2 \|\| =0.46.1-1 \|\| =0.46.1-2 \|\| =0.46.1-3 \|\| =0.50.0-1 \|\| =1.0.0-1	-
pypi	starlette	>=0.13.5 <0.27.0	0.27.0
debian 13	starlette	>=0 <0.28.0-1	0.28.0-1

Aliases

1. CVE-2023-291592. NVD-2023-291593. OSV-DEBIAN-2023-291594. OSV-2023-291595. GHSA-v5gw-mw7f-84px6. GCVE-2023-291597. SECURITY-TRACKER-CVE-2023-29159

References

1. https://github.com/encode/starlette/security/advisories/GHSA-v5gw-mw7f-84px2. https://github.com/encode/starlette/commit/1797de464124b090f10cf570441e8292936d63e33. https://github.com/encode/starlette/blob/4bab981d9e870f6cee1bd4cd59b87ddaf355b2dc/starlette/staticfiles.py#L172-L1744. https://github.com/encode/starlette/releases/tag/0.27.05. https://github.com/pypa/advisory-database/tree/main/vulns/starlette/PYSEC-2023-83.yaml6. https://jvn.jp/en/jp/JVN95981715

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.