PT-2023-27523 · Pyramid+3 · Pyramid+5

Mattia Verga · Published 2023-08-25 · Updated 2024-04-08 · CVE-2023-40587

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Pyramid versions 2.0.0 through 2.0.1

Description: A path traversal vulnerability impacts users of Python 3.11 that are using a Pyramid static view with a full filesystem path and have an index.html file located exactly one directory above the location of the static view's filesystem path. No further path traversal exists, and the only file that could be disclosed accidentally is index.html. The issue is related to the os.path.normpath function in Python 3.11, which truncates the path at the first 0x00 byte it finds. This behavior has been fixed in Python 3.12 and will be available in Python 3.11.5.

Recommendations: For Pyramid versions 2.0.0 and 2.0.1, use a version of Python 3 that is not affected, downgrade to the Python 3.10 series temporarily, or wait until Python 3.11.5 is released and upgrade to the latest version of the Python 3.11 series. As a temporary workaround, consider avoiding the use of null bytes in directory and file names. Restrict access to the index.html file located above the static view's filesystem path to minimize the risk of exploitation.
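As an added illustration (not code from the Pyramid project or from this advisory), the resolver below shows the two checks a static-file handler needs so that neither a NUL byte nor a `..` segment can map a request onto the index.html sitting above the static root: reject NUL before any normalisation, then verify containment after normalising. The function names and the temporary directory layout are my own.

```python
import os
import tempfile
from typing import Optional


def resolve_static_path(root: str, requested: str) -> Optional[str]:
    """Map a request path onto a file under `root`, or return None if unsafe.

    1. Reject NUL bytes before normalising. A normpath that stops at the
       first 0x00 (the Python 3.11 behaviour the advisory describes) would
       otherwise operate on a shortened string, so its result cannot be
       trusted for a containment decision.
    2. Normalise, resolve symlinks, and check containment with
       os.path.commonpath, which catches `..` segments and absolute paths.
    """
    if "\x00" in requested:
        return None
    root_abs = os.path.realpath(root)
    # Strip leading separators so os.path.join cannot be redirected to an
    # absolute path supplied by the client.
    joined = os.path.join(root_abs, requested.lstrip("/\\"))
    candidate = os.path.realpath(os.path.normpath(joined))
    if os.path.commonpath([root_abs, candidate]) != root_abs:
        return None
    return candidate


def demo() -> dict:
    """Constructed layout: <tmp>/index.html one level above <tmp>/static/."""
    base = tempfile.mkdtemp()
    static = os.path.join(base, "static")
    os.makedirs(static)
    with open(os.path.join(base, "index.html"), "w") as fh:
        fh.write("<!-- lives outside the static root -->")
    with open(os.path.join(static, "app.js"), "w") as fh:
        fh.write("console.log('ok')")
    expected = os.path.realpath(os.path.join(static, "app.js"))
    return {
        "normal": resolve_static_path(static, "app.js") == expected,
        "dotdot": resolve_static_path(static, "../index.html"),
        "nul": resolve_static_path(static, "app.js\x00/../index.html"),
    }
```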

Exploit

Fix

Weakness Enumeration

Path traversal

Related Identifiers

ALT-PU-2023-8423
CVE-2023-40587
GHSA-J8G2-6FC7-Q8F8

Affected Products

Alt Linux
Debian
Pyramid
Python 3.10
Python 3.11
Python 3.12