CVE-2024-23334

NameCVE-2024-23334
Descriptionaiohttp is an asynchronous HTTP client/server framework for asyncio and Python. When using aiohttp as a web server and configuring static routes, it is necessary to specify the root path for static files. Additionally, the option 'follow_symlinks' can be used to determine whether to follow symbolic links outside the static root directory. When 'follow_symlinks' is set to True, there is no validation to check if reading a file is within the root directory. This can lead to directory traversal vulnerabilities, resulting in unauthorized access to arbitrary files on the system, even when symlinks are not present. Disabling follow_symlinks and using a reverse proxy are encouraged mitigations. Version 3.9.2 fixes this issue.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1062709

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
python-aiohttp (PTS)stretch1.2.0-1vulnerable
buster (security), buster, buster (lts)3.5.1-1+deb10u1vulnerable
bullseye3.7.4-1vulnerable
bookworm3.8.4-1vulnerable
sid, trixie3.10.10-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
python-aiohttpsourcestretch(unfixed)end-of-life
python-aiohttpsource(unstable)3.9.5-11062709

Notes

[bookworm] - python-aiohttp <no-dsa> (Minor issue)
[bullseye] - python-aiohttp <no-dsa> (Minor issue)
[buster] - python-aiohttp <no-dsa> (Minor issue)
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-5h86-8mv2-jq9f
https://github.com/aio-libs/aiohttp/pull/8079
https://github.com/aio-libs/aiohttp/commit/1c335944d6a8b1298baf179b7c0b3069f10c514b (master)
https://github.com/aio-libs/aiohttp/commit/9118a5831e8a65b8c839eb7e4ac983e040ff41df (v3.9.2)
Search for package or bug name: Reporting problems