PT-2024-1487 · Pypi+5 · Aiohttp+5 · Lcttty +1
Published 2024-01-29 · Updated 2026-02-04
CVE-2024-23334
CVSS v4.0: 8.2 (High)
| Vector | AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
aiohttp versions prior to 3.9.2
python3-aiohttp versions prior to 3.6.2-1ubuntu1+esm3
python3-module-aiohttp versions prior to 3.9.5-alt1
python310-aiohttp versions prior to 3.9.3-1.1
Description
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. A directory traversal vulnerability exists in the handling of static file routes: when a static resource is registered with follow_symlinks=True, affected versions skip the check that confines the resolved file path to the configured static directory, so a request path containing ".." segments escapes the static root. A remote, unauthenticated attacker can thereby read arbitrary files that the server process has permission to read. The ShadowSyndicate ransomware group has been observed scanning for systems vulnerable to this flaw. Approximately 43,000 instances are exposed globally, with a significant presence in the United States, Germany, and Spain.
Recommendations
- Upgrade aiohttp to version 3.9.2 or later.
- Upgrade python3-aiohttp to version 3.6.2-1ubuntu1+esm3 or later.
- Upgrade python3-module-aiohttp to version 3.9.5-alt1 or later.
- Upgrade python310-aiohttp to version 3.9.3-1.1 or later.
- If using follow_symlinks=True, disable this option immediately, especially in production environments. The option is off by default, and with it off the containment check still runs even in affected versions.
- Consider using a reverse proxy server (such as nginx) to handle static resources instead of relying on aiohttp for this purpose.
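What the follow_symlinks option changes, reproduced below with the standard library only. This is an added example, not aiohttp's own code: resolve_affected and resolve_fixed paraphrase the containment check in aiohttp's static file handler before and after the 3.9.2 fix, and the directory layout, the secret.txt file and the helper names are this example's own assumptions. It assumes a POSIX filesystem on which the process may create symlinks.

```python
"""
Path-containment logic behind CVE-2024-23334, reproduced with pathlib only.

Added example, not aiohttp's code: the two resolver functions paraphrase the
check in aiohttp's static handler before and after 3.9.2; the fixture,
function names and 'secret.txt' are this example's own assumptions.
Assumes a POSIX filesystem where symlinks can be created.
"""
import os
import tempfile
from pathlib import Path


def resolve_affected(directory: Path, filename: str, follow_symlinks: bool) -> Path:
    """Affected versions (before 3.9.2), paraphrased.

    The joined path is resolved first, and the check that the result still
    lies under `directory` runs only when follow_symlinks is False. With
    follow_symlinks=True nothing stops '..' segments from leaving the root.
    """
    filepath = directory.joinpath(filename).resolve()
    if not follow_symlinks:
        filepath.relative_to(directory)  # ValueError if outside the root
    return filepath


def resolve_fixed(directory: Path, filename: str, follow_symlinks: bool) -> Path:
    """The 3.9.2 fix, paraphrased.

    With follow_symlinks=True the joined path is normalised lexically
    (collapsing '..') and checked against the root before any symlink is
    followed; a symlink placed inside the root may still point outside,
    which is the documented purpose of the option.
    """
    filepath = directory.joinpath(filename)
    if follow_symlinks:
        normalized = Path(os.path.normpath(filepath))
        normalized.relative_to(directory)  # ValueError if outside the root
        return normalized.resolve()
    resolved = filepath.resolve()
    resolved.relative_to(directory)
    return resolved


def build_fixture(root: Path) -> Path:
    """Constructed layout: root/static/{index.html, link -> ../secret.txt}
    and root/secret.txt, which lies outside the static root."""
    static = root / "static"
    static.mkdir()
    (static / "index.html").write_text("<h1>public</h1>")
    secret = root / "secret.txt"
    secret.write_text("not for the web")
    (static / "link").symlink_to(secret)  # admin-placed symlink pointing outside
    return static


def serve(resolver, root: Path, static: Path, filename: str, follow_symlinks: bool) -> str:
    """Return 'rejected' or 'served <path relative to root>'."""
    try:
        target = resolver(static, filename, follow_symlinks)
    except ValueError:
        return "rejected"
    return f"served {target.relative_to(root).as_posix()}"


def run_demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp).resolve()  # resolved so relative_to() works when /tmp is a symlink
        static = build_fixture(root)
        traversal = "../secret.txt"  # attacker-controlled request path
        return {
            "affected_follow_traversal": serve(resolve_affected, root, static, traversal, True),
            "affected_nofollow_traversal": serve(resolve_affected, root, static, traversal, False),
            "fixed_follow_traversal": serve(resolve_fixed, root, static, traversal, True),
            "fixed_follow_symlink": serve(resolve_fixed, root, static, "link", True),
            "fixed_nofollow_symlink": serve(resolve_fixed, root, static, "link", False),
            "fixed_follow_dotdot_inside": serve(resolve_fixed, root, static, "css/../index.html", True),
        }


if __name__ == "__main__":
    for case, outcome in run_demo().items():
        print(f"{case:30} {outcome}")
```

Run it directly to print each case. The affected variant hands out root/secret.txt for a ".." request because it never checks containment once follow_symlinks is True; the fixed variant rejects that request but still serves the admin-placed symlink, which is what the option exists for. Real requests also pass through URL parsing first, so whether a client can deliver raw ".." segments to the handler depends on the client: curl, for instance, collapses them unless --path-as-is is given.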
Exploit
Fix
DoS
Path traversal
Weakness Enumeration
Related Identifiers
Affected Products
Alt Linux
Linuxmint
Red Os
Suse
Ubuntu
Aiohttp
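A check a defender can run over web access logs for the scanning activity the description mentions, as an added example that is not part of this advisory or of aiohttp. The log lines are constructed in Common Log Format using documentation (RFC 5737) addresses, the /static/ prefix is an assumption about the target application, and all function names are this example's own.

```python
"""
Flags access-log requests that try to climb out of a static prefix, the probe
pattern CVE-2024-23334 attracts. Added example, not part of the advisory or of
aiohttp: the log lines are constructed, and '/static/' is an assumed
add_static() prefix of the monitored application.
"""
import re
from urllib.parse import unquote

# Constructed Common-Log-Format lines; the 200 on the second line is what a
# successful read of /etc/passwd through an affected handler would look like.
SAMPLE_LOG = """\
203.0.113.7 - - [29/Jan/2024:10:00:01 +0000] "GET /static/index.html HTTP/1.1" 200 512
203.0.113.7 - - [29/Jan/2024:10:00:02 +0000] "GET /static/../../../../etc/passwd HTTP/1.1" 200 1450
198.51.100.9 - - [29/Jan/2024:10:00:03 +0000] "GET /static/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 404 0
198.51.100.9 - - [29/Jan/2024:10:00:04 +0000] "GET /static/css/..%2fapp.py HTTP/1.1" 404 0
192.0.2.44 - - [29/Jan/2024:10:00:05 +0000] "GET /static/images/a..b.png HTTP/1.1" 200 300
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>\S+)" (?P<status>\d{3})'
)

STATIC_PREFIXES = ("/static/",)  # assumed static route prefixes of the app


def decode_path(target: str) -> str:
    """Drop the query string and percent-decode until stable (capped), so
    '%2e%2e', '%2f' and double-encoded forms all surface as plain segments.
    A server decodes once; the extra passes only widen what gets flagged."""
    path = target.split("?", 1)[0]
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def is_traversal(target: str, prefixes=STATIC_PREFIXES) -> bool:
    """True when the decoded path is under a static prefix and contains a
    '..' segment. Whole segments are compared, so 'a..b.png' is not a hit."""
    path = decode_path(target)
    if not path.startswith(prefixes):
        return False
    return ".." in path.split("/")


def find_traversal_probes(log_text: str, prefixes=STATIC_PREFIXES) -> list:
    """One record per flagged request; 'served' marks a 2xx answer, which on
    an affected deployment with follow_symlinks=True most likely means the
    file was returned."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_traversal(m["target"], prefixes):
            continue
        status = int(m["status"])
        hits.append({
            "ip": m["ip"],
            "time": m["ts"],
            "target": m["target"],
            "decoded": decode_path(m["target"]),
            "status": status,
            "served": 200 <= status < 300,
        })
    return hits


if __name__ == "__main__":
    for hit in find_traversal_probes(SAMPLE_LOG):
        flag = "SERVED" if hit["served"] else "blocked"
        print(f'{hit["ip"]:14} {hit["status"]} {flag:8} {hit["decoded"]}')
```

Adjust LOG_RE to the log format actually in use; aiohttp's own access log and a fronting nginx use different default formats. Browsers and most HTTP clients collapse ".." before sending, so a raw traversal in the log almost always comes from a scanner or a tool such as curl --path-as-is, and a 2xx on such a line from an affected deployment is worth treating as a confirmed read, not a mere probe.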