CVE-2024-23334

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-23334
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-23334.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-23334
Aliases
Related
Published
2024-01-29T23:15:08Z
Modified
2024-10-12T11:18:16.808033Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
[none]
Details

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. When using aiohttp as a web server and configuring static routes, it is necessary to specify the root path for static files. Additionally, the option 'followsymlinks' can be used to determine whether to follow symbolic links outside the static root directory. When 'followsymlinks' is set to True, there is no validation to check if reading a file is within the root directory. This can lead to directory traversal vulnerabilities, resulting in unauthorized access to arbitrary files on the system, even when symlinks are not present. Disabling follow_symlinks and using a reverse proxy are encouraged mitigations. Version 3.9.2 fixes this issue.

References

Affected packages

Debian:11 / python-aiohttp

Package

Name
python-aiohttp
Purl
pkg:deb/debian/python-aiohttp?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

3.*

3.7.4-1
3.7.4-2
3.8.1-1
3.8.1-2
3.8.1-3
3.8.1-4
3.8.1-5
3.8.3-1
3.8.4-1
3.8.5-1
3.8.6-1
3.9.1-1
3.9.5-1
3.10.0-1
3.10.1-1
3.10.3-1
3.10.3-2
3.10.3-3
3.10.4-1
3.10.5-1
3.10.6-1
3.10.8-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / python-aiohttp

Package

Name
python-aiohttp
Purl
pkg:deb/debian/python-aiohttp?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

3.*

3.8.4-1
3.8.5-1
3.8.6-1
3.9.1-1
3.9.5-1
3.10.0-1
3.10.1-1
3.10.3-1
3.10.3-2
3.10.3-3
3.10.4-1
3.10.5-1
3.10.6-1
3.10.8-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / python-aiohttp

Package

Name
python-aiohttp
Purl
pkg:deb/debian/python-aiohttp?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.9.5-1

Affected versions

3.*

3.8.4-1
3.8.5-1
3.8.6-1
3.9.1-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/aio-libs/aiohttp

Affected ranges

Type
GIT
Repo
https://github.com/aio-libs/aiohttp
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

0.*

0.15.2
0.8.2

1.*

1.3.0

2.*

2.0.0
2.0.0rc1
2.0.1
2.0.2
2.0.3
2.0.3-1
2.0.4
2.0.5
2.0.6
2.0.7

4v0.*

4v0.21.6

v.*

v.0.6.5

v0.*

v0.1
v0.10.0
v0.10.1
v0.10.2
v0.11.0
v0.12.0
v0.13.0
v0.13.1
v0.14.0
v0.14.1
v0.14.2
v0.14.3
v0.14.4
v0.15.0
v0.15.1
v0.15.2
v0.15.3
v0.16.0
v0.16.1
v0.16.2
v0.16.3
v0.16.4
v0.16.5
v0.16.6
v0.17.0
v0.17.1
v0.17.2
v0.17.3
v0.17.4
v0.18.0
v0.18.1
v0.18.2
v0.18.3
v0.18.4
v0.19.0
v0.2
v0.20.0
v0.20.1
v0.20.2
v0.21.0
v0.21.0a0
v0.21.0a1
v0.21.0a2
v0.21.1
v0.21.2
v0.21.3
v0.21.4
v0.21.5
v0.21.6
v0.22.0
v0.22.0b0
v0.22.0b1
v0.22.0b2
v0.22.0b3
v0.22.0b4
v0.22.0b5
v0.22.0b6
v0.22.1
v0.22.2
v0.22.3
v0.22.4
v0.22.5
v0.3
v0.4
v0.4.1
v0.4.2
v0.5.0
v0.6.1
v0.6.2
v0.6.3
v0.6.4
v0.7.0
v0.7.1
v0.7.2
v0.7.3
v0.8.0
v0.8.1
v0.8.3
v0.8.4
v0.9.0
v0.9.1
v0.9.2
v0.9.3

v1.*

v1.0.0
v1.0.1
v1.0.2
v1.0.4
v1.0.5
v1.1.0
v1.1.1
v1.1.2
v1.1.3
v1.1.4
v1.1.5
v1.1.6
v1.2.0

v2.*

v2.1.0
v2.2.0
v2.2.1
v2.2.2
v2.2.3
v2.2.4
v2.2.5
v2.3.0
v2.3.0a1
v2.3.0a2
v2.3.0a3
v2.3.0a4
v2.3.1
v2.3.10
v2.3.1a1
v2.3.2
v2.3.2b1
v2.3.2b2
v2.3.2b3
v2.3.3
v2.3.4
v2.3.5
v2.3.6
v2.3.7
v2.3.8
v2.3.9

v3.*

v3.0.0
v3.0.0b0
v3.0.0b1
v3.0.0b2
v3.0.0b3
v3.0.0b4
v3.0.1
v3.0.2
v3.0.3
v3.0.4
v3.0.5
v3.0.6
v3.0.7
v3.0.8
v3.0.9
v3.1.0
v3.1.1
v3.1.2
v3.2.0
v3.2.1
v3.3.0
v3.3.1
v3.3.1b1
v3.3.2
v3.3.2a0
v3.4.0
v3.4.0a0
v3.4.0a3
v3.4.0b1
v3.4.0b2
v3.4.1
v3.4.2
v3.4.3
v3.4.4
v3.5.0
v3.5.0a1
v3.5.0b1
v3.5.0b2
v3.5.0b3
v3.5.1
v3.5.2
v3.5.3
v3.5.4
v3.6.0
v3.6.0a0
v3.6.0a1
v3.6.0a10
v3.6.0a11
v3.6.0a12
v3.6.0a2
v3.6.0a3
v3.6.0a4
v3.6.0a5
v3.6.0a6
v3.6.0a7
v3.6.0a8
v3.6.0a9
v3.6.0b0
v3.6.1
v3.6.1b3
v3.6.1b4
v3.6.2
v3.6.2a1
v3.6.2a2
v3.7.0
v3.7.0b0
v3.7.0b1
v3.7.1
v3.7.2
v3.7.3
v3.7.4
v3.7.4.post0
v3.8.0
v3.8.1
v3.8.2
v3.8.2a0
v3.8.3
v3.9.0
v3.9.0b0
v3.9.0b1
v3.9.0rc0

v4.*

v4.0.0a0
v4.0.0a1