PT-2023-9597 · Starlette+2

Masashi Yamane · Published 2023-05-17 · Updated 2025-01-09 · CVE-2023-29159

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Starlette versions 0.13.5 through 0.27.0

Description: Starlette contains a directory traversal vulnerability that allows a remote, unauthenticated attacker to read files through a web service built on Starlette. The cause is improper limitation of the path name to the restricted directory. Exploiting it breaches confidentiality by exposing files that should not be publicly accessible.

Recommendations: For Starlette versions 0.13.5 through 0.27.0, consider disabling the StaticFiles directory or restricting access to it until a patch is available. As a temporary workaround, avoid os.path.commonprefix() for the containment check and use os.path.commonpath() instead: commonprefix() compares strings character by character, so a path that merely starts with the same characters as the directory name passes, whereas commonpath() compares whole path components. Update to a version of Starlette that uses os.path.commonpath() to fix the issue.
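The difference between the two containment checks named above, as an added example (this is illustration code, not Starlette's own StaticFiles implementation; the directory names, file names and the `lookup_static` helper are constructed for the demonstration):

```python
import os
import tempfile
from typing import Callable, Optional


def is_within_prefix(directory: str, full_path: str) -> bool:
    """Weak check: os.path.commonprefix() works character by character, so a
    sibling directory whose name merely starts with the static root's name
    (e.g. /srv/static vs /srv/static_private) is wrongly accepted."""
    return os.path.commonprefix([full_path, directory]) == directory


def is_within_commonpath(directory: str, full_path: str) -> bool:
    """Corrected check: os.path.commonpath() works on whole path components,
    so only paths that are really inside the directory are accepted."""
    return os.path.commonpath([full_path, directory]) == directory


def lookup_static(directory: str, requested: str,
                  check: Callable[[str, str], bool]) -> Optional[str]:
    """Resolve `requested` under the static root and return the absolute path
    only if `check` confirms it is contained (hypothetical helper, constructed
    for this example). Both sides are realpath()-resolved so symlinks and
    '..' segments are collapsed before the comparison."""
    directory = os.path.realpath(directory)
    full_path = os.path.realpath(os.path.join(directory, requested))
    if not check(directory, full_path):
        return None
    return full_path


def demo() -> dict:
    """Build a constructed layout with a public 'static' root and a sibling
    'static_private' directory, then run both checks against a legitimate
    request and a request that escapes the root."""
    with tempfile.TemporaryDirectory() as root:
        static = os.path.join(root, "static")
        private = os.path.join(root, "static_private")
        os.makedirs(static)
        os.makedirs(private)
        with open(os.path.join(static, "app.js"), "w") as f:
            f.write("// public asset (constructed)\n")
        with open(os.path.join(private, "secret.txt"), "w") as f:
            f.write("not for the web (constructed)\n")

        legit = "app.js"
        escape = os.path.join("..", "static_private", "secret.txt")
        return {
            "prefix_legit": lookup_static(static, legit, is_within_prefix) is not None,
            "prefix_escape": lookup_static(static, escape, is_within_prefix) is not None,
            "commonpath_legit": lookup_static(static, legit, is_within_commonpath) is not None,
            "commonpath_escape": lookup_static(static, escape, is_within_commonpath) is not None,
        }


if __name__ == "__main__":
    for name, served in demo().items():
        print(f"{name}: {'served' if served else 'rejected'}")
```

Running `demo()` shows the weak check serving the file from the sibling directory while the commonpath check rejects it; both checks still serve the legitimate asset, so swapping in `os.path.commonpath()` narrows what is served without breaking normal static-file requests.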

Exploit · Fix · Path traversal

Weakness Enumeration

Related Identifiers

BDU:2024-08620
CVE-2023-29159
GHSA-QJ8W-RV5X-2V9H
GHSA-V5GW-MW7F-84PX
PYSEC-2023-83

Affected Products

Debian
Red Os
Starlette