Fluid Attacks Database

Description

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. When using aiohttp as a web server and configuring static routes, it is necessary to specify the root path for static files. Additionally, the option 'follow_symlinks' can be used to determine whether to follow symbolic links outside the static root directory. When 'follow_symlinks' is set to True, there is no validation to check if reading a file is within the root directory. This can lead to directory traversal vulnerabilities, resulting in unauthorized access to arbitrary files on the system, even when symlinks are not present. Disabling follow_symlinks and using a reverse proxy are encouraged mitigations. Version 3.9.2 fixes this issue.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
pypi	aiohttp	>=1.0.5 <3.9.2	3.9.2
debian 11	python-aiohttp	=3.7.4-1 \|\| >=0 <3.7.4-1+deb11u1	3.7.4-1+deb11u1
debian 14	python-aiohttp	>=0 <3.9.5-1	3.9.5-1
debian 12	python-aiohttp	=3.8.4-1 \|\| >=0 <3.8.4-1+deb12u1	3.8.4-1+deb12u1
debian 13	python-aiohttp	>=0 <3.9.5-1	3.9.5-1

Aliases

1. CVE-2024-233342. NVD-2024-233343. OSV-2024-233344. OSV-DEBIAN-2024-233345. GHSA-5h86-8mv2-jq9f6. GCVE-2024-233347. lists.debian.org8. SECURITY-TRACKER-CVE-2024-23334

References

1. https://github.com/aio-libs/aiohttp/security/advisories/GHSA-5h86-8mv2-jq9f2. https://github.com/aio-libs/aiohttp/pull/80793. https://github.com/aio-libs/aiohttp/pull/8079/files4. https://github.com/aio-libs/aiohttp/commit/1c335944d6a8b1298baf179b7c0b3069f10c514b5. https://github.com/pypa/advisory-database/tree/main/vulns/aiohttp/PYSEC-2024-24.yaml6. https://lists.fedoraproject.org/archives/list/[email protected]/message/ICUOCFGTB25WUT336BZ4UNYLSZOUVKBD7. https://lists.fedoraproject.org/archives/list/[email protected]/message/XXWVZIVAYWEBHNRIILZVB3R3SDQNNAA78. https://www.exploit-db.com/exploits/524749. https://vulncheck.com/cve/CVE-2024-2333410. https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2024/CVE-2024-23334.yaml11. https://github.com/ox1111/CVE-2024-23334

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.