CVE-2024-27306

EUVD-2024-1143
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. A XSS vulnerability exists on index pages for static file handling. This vulnerability is fixed in 3.9.4. We have always recommended using a reverse proxy server (e.g. nginx) for serving static files. Users following the recommendation are unaffected. Other users can disable `show_index` if unable to upgrade.
Cross-site Scripting
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
6.1 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 71%
Affected Products (NVD)
VendorProductVersion
aiohttpaiohttp
𝑥
< 3.9.4
𝑥
= Vulnerable software versions
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
aiohttpaiohttp
𝑥
< 3.9.4
ADP
Debian logo
Debian Releases
Debian Product
Codename
python-aiohttp
bookworm
ignored
bookworm (security)
vulnerable
bullseye
vulnerable
bullseye (security)
3.7.4-1+deb11u1
fixed
buster
postponed
forky
3.13.1-1
fixed
sid
3.13.1-1
fixed
trixie
3.11.16-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
python-aiohttp
bionic
Fixed 3.0.1-1ubuntu0.1~esm5
released
focal
Fixed 3.6.2-1ubuntu1+esm4
released
jammy
Fixed 3.8.1-4ubuntu0.2+esm1
released
mantic
ignored
noble
Fixed 3.9.1-1ubuntu0.1+esm1
released
oracular
not-affected
plucky
not-affected
questing
not-affected
xenial
not-affected
Common Weakness Enumeration
References
https://github.com/aio-libs/aiohttp/commit/28335525d1eac015a7e7584137678cbb6ff19397
https://github.com/aio-libs/aiohttp/pull/8319
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-7gpw-8wmc-pm8g
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2EXRGTN2WG7VZLUZ7WOXU5GQJKCPPHKP/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NWEI6NIHZ3G7DURDZVMRK7ZEFC2BTD3U/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZIVBMPEY7WWOFMC3CWXFBRQPFECV4SW3/
https://github.com/aio-libs/aiohttp/commit/28335525d1eac015a7e7584137678cbb6ff19397
https://github.com/aio-libs/aiohttp/pull/8319
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-7gpw-8wmc-pm8g
https://lists.debian.org/debian-lts-announce/2025/02/msg00002.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2EXRGTN2WG7VZLUZ7WOXU5GQJKCPPHKP/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NWEI6NIHZ3G7DURDZVMRK7ZEFC2BTD3U/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZIVBMPEY7WWOFMC3CWXFBRQPFECV4SW3/