
Lcttty

Rank #31148 of 53,624 · Total CVSS 8.2 · Vulnerabilities: 1

PT-2024-1487 · CVSS 8.2 · 2024-01-29
PyPI · aiohttp · CVE-2024-23334
**Name of the Vulnerable Software and Affected Versions**

- aiohttp versions prior to 3.9.2
- python3-aiohttp versions prior to 3.6.2-1ubuntu1+esm3
- python3-module-aiohttp versions prior to 3.9.5-alt1
- python310-aiohttp versions prior to 3.9.3-1.1

**Description**

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. A directory traversal vulnerability exists due to insufficient validation when handling static file requests, specifically when the `follow_symlinks` option of a static route is set to `True`. This allows a remote, unauthenticated attacker to read arbitrary files on the system by manipulating the request path. The ShadowSyndicate ransomware group has been observed scanning for systems vulnerable to this flaw. Approximately 43,000 instances are exposed globally, with a significant presence in the United States, Germany, and Spain.

**Recommendations**

- Upgrade aiohttp to version 3.9.2 or later.
- Upgrade python3-aiohttp to version 3.6.2-1ubuntu1+esm3 or later.
- Upgrade python3-module-aiohttp to version 3.9.5-alt1 or later.
- Upgrade python310-aiohttp to version 3.9.3-1.1 or later.
- If `follow_symlinks=True` is set on a static route, disable the option immediately, especially in production environments.
- Consider serving static resources through a reverse proxy (such as nginx) instead of relying on aiohttp for this purpose.
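As an added illustration (not aiohttp's code and not part of this advisory), the containment check a static file handler needs, run on a constructed directory tree under both settings of the symlink policy; `safe_static_path` and `demo` are hypothetical names, and the policy flag mirrors the `follow_symlinks` keyword of aiohttp's `add_static()` route.

```python
# Added illustration, not aiohttp's code: a minimal model of the path
# containment check that CVE-2024-23334 concerns, exercised on a constructed
# directory tree under both settings of the follow_symlinks policy.
import tempfile
from pathlib import Path


def safe_static_path(root: Path, request_path: str, follow_symlinks: bool) -> Path:
    """Map an already percent-decoded URL path onto a file under `root`,
    raising PermissionError if the request would leave `root`."""
    root = root.resolve()
    # Check 1, lexical: refuse any '..' segment before touching the
    # filesystem, so '../../etc/passwd' cannot escape under either policy.
    segments = [s for s in request_path.split("/") if s not in ("", ".")]
    if ".." in segments:
        raise PermissionError(f"traversal refused: {request_path!r}")
    resolved = root.joinpath(*segments).resolve()
    # Check 2, physical: unless symlinks are explicitly allowed, the file the
    # path finally lands on must still be inside the static root.  With
    # follow_symlinks=True a link under root may point anywhere, which is
    # why the advisory says to disable the option unless that is intended.
    if not follow_symlinks and not resolved.is_relative_to(root):
        raise PermissionError(f"symlink escapes static root: {request_path!r}")
    if not resolved.is_file():
        raise FileNotFoundError(request_path)
    return resolved


def demo() -> dict:
    """Constructed tree: static/index.html (asset), secret.txt outside the
    root, and static/link -> ../secret.txt.  Returns
    {(follow_symlinks, request): "served" | "refused"}."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        root = base / "static"
        root.mkdir()
        (root / "index.html").write_text("<h1>ok</h1>")
        (base / "secret.txt").write_text("outside the static root")
        (root / "link").symlink_to(base / "secret.txt")
        outcome = {}
        for follow in (True, False):
            for req in ("index.html", "../secret.txt", "link"):
                try:
                    safe_static_path(root, req, follow)
                    outcome[(follow, req)] = "served"
                except PermissionError:
                    outcome[(follow, req)] = "refused"
        return outcome
```

`demo()` shows the point of the advisory's recommendation: a `..` request is refused under both settings, but only `follow_symlinks=False` also refuses the link that leads out of the static root.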