#VU85886 Path traversal in aiohttp - CVE-2024-23334

Cybersecurity Help s.r.o.

Published: 2024-01-30 | Updated: 2024-11-29

Vulnerability identifier: #VU85886

Vulnerability risk: High

CVSSv4.0: 8.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:A/U:Amber]

CVE-ID: CVE-2024-23334

CWE-ID: CWE-22

Exploitation vector: Network

Exploit availability: Yes

Vulnerable software:
aiohttp
Other software / Other software solutions

Vendor: aio-libs

Description

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to input validation error when processing directory traversal sequences in aiohttp.web.static(follow_symlinks=True). A remote attacker can send a specially crafted HTTP request and read arbitrary files on the system.

Request examples:

For windows: /static/../D:\flag.txt Poc

For Linux: /static/../../../../etc/passwd

Mitigation
Install update from vendor's website.

Vulnerable software versions

aiohttp: 1.0.5 - 3.9.1

External links
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-5h86-8mv2-jq9f
https://github.com/aio-libs/aiohttp/pull/8079
https://github.com/aio-libs/aiohttp/commit/1c335944d6a8b1298baf179b7c0b3069f10c514b

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

Yes. This vulnerability is being exploited in the wild.

Latest bulletins with this vulnerability

openEuler 22.03 LTS SP3 update for python-aiohttp

openEuler 22.03 LTS SP4 update for python-aiohttp

openEuler 20.03 LTS SP4 update for python-aiohttp

Debian update for python-aiohttp

Fedora EPEL 8 update for python-aiohttp

Fedora 41 update for python-gcsfs

Ubuntu update for python-aiohttp

Multiple vulnerabilities in IBM Maximo Application Suite - IoT Component

Multiple vulnerabilities in IBM Storage Fusion HCI

Multiple vulnerabilities in Red Hat Satellite 6.15