pysec-2024-24
Vulnerability from pysec
Published
2024-01-29 23:15
Modified
2024-02-05 20:20
Severity ?
Details
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. When using aiohttp as a web server and configuring static routes, it is necessary to specify the root path for static files. Additionally, the option 'follow_symlinks' can be used to determine whether to follow symbolic links outside the static root directory. When 'follow_symlinks' is set to True, there is no validation to check if reading a file is within the root directory. This can lead to directory traversal vulnerabilities, resulting in unauthorized access to arbitrary files on the system, even when symlinks are not present. Disabling follow_symlinks and using a reverse proxy are encouraged mitigations. Version 3.9.2 fixes this issue.
Aliases
{ "affected": [ { "package": { "ecosystem": "PyPI", "name": "aiohttp", "purl": "pkg:pypi/aiohttp" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "1c335944d6a8b1298baf179b7c0b3069f10c514b" } ], "repo": "https://github.com/aio-libs/aiohttp", "type": "GIT" }, { "events": [ { "introduced": "1.0.5" }, { "fixed": "3.9.2" } ], "type": "ECOSYSTEM" } ], "versions": [ "1.0.5", "1.1.0", "1.1.1", "1.1.2", "1.1.3", "1.1.4", "1.1.5", "1.1.6", "1.2.0", "1.3.0", "1.3.1", "1.3.2", "1.3.3", "1.3.4", "1.3.5", "2.0.0", "2.0.0rc1", "2.0.1", "2.0.2", "2.0.3", "2.0.4", "2.0.5", "2.0.6", "2.0.7", "2.1.0", "2.2.0", "2.2.1", "2.2.2", "2.2.3", "2.2.4", "2.2.5", "2.3.0", "2.3.0a1", "2.3.0a2", "2.3.0a3", "2.3.0a4", "2.3.1", "2.3.10", "2.3.1a1", "2.3.2", "2.3.2b2", "2.3.2b3", "2.3.3", "2.3.4", "2.3.5", "2.3.6", "2.3.7", "2.3.8", "2.3.9", "3.0.0", "3.0.0b0", "3.0.0b1", "3.0.0b2", "3.0.0b3", "3.0.0b4", "3.0.1", "3.0.2", "3.0.3", "3.0.4", "3.0.5", "3.0.6", "3.0.7", "3.0.8", "3.0.9", "3.1.0", "3.1.1", "3.1.2", "3.1.3", "3.2.0", "3.2.1", "3.3.0", "3.3.0a0", "3.3.1", "3.3.2", "3.3.2a0", "3.4.0", "3.4.0a0", "3.4.0a3", "3.4.0b1", "3.4.0b2", "3.4.1", "3.4.2", "3.4.3", "3.4.4", "3.5.0", "3.5.0a1", "3.5.0b1", "3.5.0b2", "3.5.0b3", "3.5.1", "3.5.2", "3.5.3", "3.5.4", "3.6.0", "3.6.0a0", "3.6.0a1", "3.6.0a11", "3.6.0a12", "3.6.0a2", "3.6.0a3", "3.6.0a4", "3.6.0a5", "3.6.0a6", "3.6.0a7", "3.6.0a8", "3.6.0a9", "3.6.0b0", "3.6.1", "3.6.1b3", "3.6.1b4", "3.6.2", "3.6.2a0", "3.6.2a1", "3.6.2a2", "3.6.3", "3.7.0", "3.7.0b0", "3.7.0b1", "3.7.1", "3.7.2", "3.7.3", "3.7.4", "3.7.4.post0", "3.8.0", "3.8.0a7", "3.8.0b0", "3.8.1", "3.8.2", "3.8.3", "3.8.4", "3.8.5", "3.8.6", "3.9.0", "3.9.0b0", "3.9.0b1", "3.9.0rc0", "3.9.1" ] } ], "aliases": [ "CVE-2024-23334", "GHSA-5h86-8mv2-jq9f" ], "details": "aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. When using aiohttp as a web server and configuring static routes, it is necessary to specify the root path for static files. Additionally, the option \u0027follow_symlinks\u0027 can be used to determine whether to follow symbolic links outside the static root directory. When \u0027follow_symlinks\u0027 is set to True, there is no validation to check if reading a file is within the root directory. This can lead to directory traversal vulnerabilities, resulting in unauthorized access to arbitrary files on the system, even when symlinks are not present. Disabling follow_symlinks and using a reverse proxy are encouraged mitigations. Version 3.9.2 fixes this issue.", "id": "PYSEC-2024-24", "modified": "2024-02-05T20:20:47.716944+00:00", "published": "2024-01-29T23:15:00+00:00", "references": [ { "type": "EVIDENCE", "url": "https://github.com/aio-libs/aiohttp/security/advisories/GHSA-5h86-8mv2-jq9f" }, { "type": "ADVISORY", "url": "https://github.com/aio-libs/aiohttp/security/advisories/GHSA-5h86-8mv2-jq9f" }, { "type": "FIX", "url": "https://github.com/aio-libs/aiohttp/pull/8079" }, { "type": "FIX", "url": "https://github.com/aio-libs/aiohttp/commit/1c335944d6a8b1298baf179b7c0b3069f10c514b" }, { "type": "ARTICLE", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XXWVZIVAYWEBHNRIILZVB3R3SDQNNAA7/" } ], "severity": [ { "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "type": "CVSS_V3" } ] }
Loading…
Loading…
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.