CVE-2024-23334

Published: 29/01/2024 Updated: 09/02/2024
CVSS v3 Base Score: 7.5 | Impact Score: 3.6 | Exploitability Score: 3.9
VMScore: 0

Vulnerability Summary

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. When using aiohttp as a web server and configuring static routes, it is necessary to specify the root path for static files. Additionally, the option 'follow_symlinks' can be used to determine whether to follow symbolic links outside the static root directory. When 'follow_symlinks' is set to True, there is no validation to check if reading a file is within the root directory. This can lead to directory traversal vulnerabilities, resulting in unauthorized access to arbitrary files on the system, even when symlinks are not present. Disabling follow_symlinks and using a reverse proxy are encouraged mitigations. Version 3.9.2 fixes this issue.
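The summary's core point is that the root-containment check is skipped when follow_symlinks is True, so a request containing '..' segments can reach files outside the static root even where no symlink exists. The following is an added illustration, not aiohttp's own code, of what such a check looks like: a lexical check that runs whether or not symlinks are followed, plus a realpath check that follow_symlinks=False adds on top. The function name, its signature and the temporary-directory scenario in demo() are assumptions constructed for this example; the page's own mitigations (leave follow_symlinks at its default of False, put a reverse proxy in front, upgrade to 3.9.2) still apply.

```python
# Added illustration, not aiohttp's own code: a root-containment check of the
# kind the summary says is skipped when follow_symlinks=True. The function
# name, its signature and the demo scenario are assumptions made for this example.
import os
import tempfile
from urllib.parse import unquote


def resolve_static(root: str, request_path: str, follow_symlinks: bool = False):
    """Map a request path onto a file under root.

    Returns the filesystem path to serve, or None when the request escapes
    root. The lexical check runs regardless of follow_symlinks (the check the
    advisory describes as missing); the realpath check is what
    follow_symlinks=False adds on top of it.
    """
    root = os.path.realpath(root)
    # Decode percent-encoding once, then normalise '.', '..' and doubled slashes.
    candidate = os.path.normpath(os.path.join(root, unquote(request_path).lstrip("/")))
    # commonpath, not startswith: '/srv/static-old' must not pass for root '/srv/static'.
    if os.path.commonpath([root, candidate]) != root:
        return None
    if not follow_symlinks:
        # Also reject symlinks inside root that resolve to something outside it.
        real = os.path.realpath(candidate)
        if os.path.commonpath([root, real]) != root:
            return None
        return real
    # follow_symlinks=True deliberately permits links that leave root, but the
    # '..' traversal above is still blocked.
    return candidate


def demo() -> dict:
    """Constructed scenario: one real file under root and one symlink inside root
    that points at a file outside it. Each value is True when the case was
    handled as intended."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "static")
        os.makedirs(os.path.join(root, "css"))
        open(os.path.join(root, "css", "app.css"), "w").close()
        secret = os.path.join(tmp, "secret.txt")
        open(secret, "w").close()
        os.symlink(secret, os.path.join(root, "link"))
        return {
            "plain_served": resolve_static(root, "/css/app.css", True) is not None,
            "dotdot_blocked_even_with_follow": resolve_static(root, "/../secret.txt", True) is None,
            "encoded_dotdot_blocked": resolve_static(root, "/%2e%2e/secret.txt", False) is None,
            "outward_link_blocked_without_follow": resolve_static(root, "/link", False) is None,
            "outward_link_served_with_follow": resolve_static(root, "/link", True) is not None,
        }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'ok' if ok else 'FAIL'}")
```

The lexical check alone is what closes the "even when symlinks are not present" case the summary describes; os.path.commonpath is used rather than a string prefix test so that a sibling directory sharing the root's name as a prefix is not accepted.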

Vulnerable Product Search on Vulmon

aiohttp aiohttp

fedoraproject fedora 39

Vendor Advisories

Debian Bug report logs - #1062709 python-aiohttp: CVE-2024-23334 Package: src:python-aiohttp; Maintainer for src:python-aiohttp is Debian Python Team <team+python@tracker.debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org> Date: Fri, 2 Feb 2024 21:06:01 UTC Severity: important Tags: security, upstream ...
Description: A flaw was found in aiohttp. When using aiohttp as a web server and configuring static routes, it is necessary to specify the root path for static files. Additionally, the option 'follow_symlinks' can be used to determine whether to follow symbolic links outside the static root directory. When 'follow_symlinks' is set to True, the ...

Github Repositories

CVE-2024-23334-PoC: A proof of concept of the path traversal vulnerability in the python AioHTTP library =< 3.9.1

DevSecOps-2024, МИИГАиК + Yadro. The overall task is to deploy the provided software from the source_apps archive. Description of the shared services: OwnCloud (the provided code must be deployed in a docker container; the dockerfile from github.com/own may be useful

CVE-2024-23334

[ CVE-2024-23334 : review of someone else's exploit ] Review an exploit published by someone else. Abuse at your own risk. nvd.nist.gov/vuln/detail/CVE-2024-23334 Install: python -m pip install --upgrade pip [ requirements.txt ] aiohttp==3.9.1 pip install -r requirements.txt pip show aiohttp (check the version) Version 3.9.1 Click the image to play the YouTube ...

LochNess

Does the Loch Ness monster exist? Or not? This can only be established with a deep-water photo echo sounder, and the only laboratory nearby has one. Laboratory site: t-nessy-ksevs93q.spbctf.net Next, search ...

poc-cve-2024-23334: This repository contains a proof of concept about the exploitation of the aiohttp library for the reported vulnerability CVE-2024-23334.

Recent Articles

Hackers exploit Aiohttp bug to find vulnerable networks
BleepingComputer • Bill Toulas • 16 Mar 2024

The ransomware actor 'ShadowSyndicate' was observed scanning for servers vulnerable to CVE-2024-23334, a directory traversal vulnerability in the aiohttp Python library. Aiohttp is an open-source library built on top of Python's asynchronous I/O framework, Asyncio, to handle large amounts of concurrent HTTP requests without traditional thread-based networking. It is used by tech firms, web developers...