CVE-2024-23334

EUVD-2024-0001

29.01.2024, 23:15

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. When using aiohttp as a web server and configuring static routes, it is necessary to specify the root path for static files. Additionally, the option 'follow_symlinks' can be used to determine whether to follow symbolic links outside the static root directory. When 'follow_symlinks' is set to True, there is no validation to check if reading a file is within the root directory. This can lead to directory traversal vulnerabilities, resulting in unauthorized access to arbitrary files on the system, even when symlinks are not present.  Disabling follow_symlinks and using a reverse proxy are encouraged mitigations.  Version 3.9.2 fixes this issue.

Path Traversal

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	5.9 MEDIUM	NETWORK	HIGH	NONE	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
GitHub_M	CNA	5.9 MEDIUM	NETWORK	HIGH	NONE	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 99%

Affected Products (NVD)

Vendor	Product	Version
aiohttp	aiohttp	1.0.5 ≤ 𝑥 < 3.9.2

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

python-aiohttp

bookworm	3.8.4-1+deb12u1 fixed
bookworm (security)	3.8.4-1+deb12u1 fixed
bullseye	vulnerable
bullseye (security)	3.7.4-1+deb11u1 fixed
buster	no-dsa
forky	3.13.1-1 fixed
sid	3.13.1-1 fixed
trixie	3.11.16-1 fixed

Ubuntu Releases

Ubuntu Product

Codename

python-aiohttp

bionic	Fixed 3.0.1-1ubuntu0.1~esm4 released
focal	Fixed 3.6.2-1ubuntu1+esm3 released
jammy	Fixed 3.8.1-4ubuntu0.2 released
mantic	ignored
noble	Fixed 3.9.1-1ubuntu0.1 released
oracular	ignored
plucky	needs-triage
questing	needs-triage
trusty	dne
xenial	needs-triage

Known Exploits!

Common Weakness Enumeration

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

References

https://github.com/aio-libs/aiohttp/commit/1c335944d6a8b1298baf179b7c0b3069f10c514b

https://github.com/aio-libs/aiohttp/pull/8079

https://github.com/aio-libs/aiohttp/security/advisories/GHSA-5h86-8mv2-jq9f

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ICUOCFGTB25WUT336BZ4UNYLSZOUVKBD/

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XXWVZIVAYWEBHNRIILZVB3R3SDQNNAA7/

https://github.com/aio-libs/aiohttp/commit/1c335944d6a8b1298baf179b7c0b3069f10c514b

https://github.com/aio-libs/aiohttp/pull/8079

https://github.com/aio-libs/aiohttp/security/advisories/GHSA-5h86-8mv2-jq9f

https://lists.debian.org/debian-lts-announce/2025/02/msg00002.html

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ICUOCFGTB25WUT336BZ4UNYLSZOUVKBD/

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XXWVZIVAYWEBHNRIILZVB3R3SDQNNAA7/

https://www.exploit-db.com/exploits/52474