{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-23334", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-01-15T15:19:19.443Z", "datePublished": "2024-01-29T22:41:39.584Z", "dateUpdated": "2024-08-01T22:59:32.152Z"}, "containers": {"cna": {"title": "aiohttp.web.static(follow_symlinks=True) is vulnerable to directory traversal", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/aio-libs/aiohttp/security/advisories/GHSA-5h86-8mv2-jq9f", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/aio-libs/aiohttp/security/advisories/GHSA-5h86-8mv2-jq9f"}, {"name": "https://github.com/aio-libs/aiohttp/pull/8079", "tags": ["x_refsource_MISC"], "url": "https://github.com/aio-libs/aiohttp/pull/8079"}, {"name": "https://github.com/aio-libs/aiohttp/commit/1c335944d6a8b1298baf179b7c0b3069f10c514b", "tags": ["x_refsource_MISC"], "url": "https://github.com/aio-libs/aiohttp/commit/1c335944d6a8b1298baf179b7c0b3069f10c514b"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XXWVZIVAYWEBHNRIILZVB3R3SDQNNAA7/"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ICUOCFGTB25WUT336BZ4UNYLSZOUVKBD/"}], "affected": [{"vendor": "aio-libs", "product": "aiohttp", "versions": [{"version": "< 3.9.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-01-29T22:41:39.584Z"}, "descriptions": [{"lang": "en", "value": "aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. When using aiohttp as a web server and configuring static routes, it is necessary to specify the root path for static files. Additionally, the option 'follow_symlinks' can be used to determine whether to follow symbolic links outside the static root directory. When 'follow_symlinks' is set to True, there is no validation to check if reading a file is within the root directory. This can lead to directory traversal vulnerabilities, resulting in unauthorized access to arbitrary files on the system, even when symlinks are not present. Disabling follow_symlinks and using a reverse proxy are encouraged mitigations. Version 3.9.2 fixes this issue."}], "source": {"advisory": "GHSA-5h86-8mv2-jq9f", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T22:59:32.152Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/aio-libs/aiohttp/security/advisories/GHSA-5h86-8mv2-jq9f", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/aio-libs/aiohttp/security/advisories/GHSA-5h86-8mv2-jq9f"}, {"name": "https://github.com/aio-libs/aiohttp/pull/8079", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/aio-libs/aiohttp/pull/8079"}, {"name": "https://github.com/aio-libs/aiohttp/commit/1c335944d6a8b1298baf179b7c0b3069f10c514b", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/aio-libs/aiohttp/commit/1c335944d6a8b1298baf179b7c0b3069f10c514b"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XXWVZIVAYWEBHNRIILZVB3R3SDQNNAA7/", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ICUOCFGTB25WUT336BZ4UNYLSZOUVKBD/", "tags": ["x_transferred"]}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:aiohttp:aiohttp:*:*:*:*:*:*:*:*", "matchCriteriaId": "CC18B2A9-9D80-4A6E-94E7-8FC010D8FC70", "versionEndExcluding": "3.9.2", "versionStartIncluding": "1.0.5", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*", "matchCriteriaId": "B8EDB836-4E6A-4B71-B9B2-AA3E03E0F646", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. When using aiohttp as a web server and configuring static routes, it is necessary to specify the root path for static files. Additionally, the option 'follow_symlinks' can be used to determine whether to follow symbolic links outside the static root directory. When 'follow_symlinks' is set to True, there is no validation to check if reading a file is within the root directory. This can lead to directory traversal vulnerabilities, resulting in unauthorized access to arbitrary files on the system, even when symlinks are not present. Disabling follow_symlinks and using a reverse proxy are encouraged mitigations. Version 3.9.2 fixes this issue."}, {"lang": "es", "value": "aiohttp es un framework cliente/servidor HTTP as\u00edncrono para asyncio y Python. Cuando se utiliza aiohttp como servidor web y se configuran rutas est\u00e1ticas, es necesario especificar la ruta ra\u00edz para los archivos est\u00e1ticos. Adem\u00e1s, la opci\u00f3n 'follow_symlinks' se puede utilizar para determinar si se deben seguir enlaces simb\u00f3licos fuera del directorio ra\u00edz est\u00e1tico. Cuando 'follow_symlinks' se establece en Verdadero, no hay validaci\u00f3n para verificar si la lectura de un archivo est\u00e1 dentro del directorio ra\u00edz. Esto puede generar vulnerabilidades de directory traversal, lo que resulta en acceso no autorizado a archivos arbitrarios en el sistema, incluso cuando no hay enlaces simb\u00f3licos presentes. Se recomiendan como mitigaciones deshabilitar follow_symlinks y usar un proxy inverso. La versi\u00f3n 3.9.2 soluciona este problema."}], "id": "CVE-2024-23334", "lastModified": "2024-02-09T03:15:09.603", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-01-29T23:15:08.563", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/aio-libs/aiohttp/commit/1c335944d6a8b1298baf179b7c0b3069f10c514b"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/aio-libs/aiohttp/pull/8079"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/aio-libs/aiohttp/security/advisories/GHSA-5h86-8mv2-jq9f"}, {"source": "security-advisories@github.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ICUOCFGTB25WUT336BZ4UNYLSZOUVKBD/"}, {"source": "security-advisories@github.com", "tags": ["Mailing List"], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XXWVZIVAYWEBHNRIILZVB3R3SDQNNAA7/"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2024:1640", "cpe": "cpe:/a:redhat:ansible_automation_platform:2.4::el8", "package": "automation-controller-0:4.5.5-2.el8ap", "product_name": "Red Hat Ansible Automation Platform 2.4 for RHEL 8", "release_date": "2024-04-02T00:00:00Z"}, {"advisory": "RHSA-2024:1640", "cpe": "cpe:/a:redhat:ansible_automation_platform:2.4::el8", "package": "python3x-aiohttp-0:3.9.3-1.el8ap", "product_name": "Red Hat Ansible Automation Platform 2.4 for RHEL 8", "release_date": "2024-04-02T00:00:00Z"}, {"advisory": "RHSA-2024:1640", "cpe": "cpe:/a:redhat:ansible_automation_platform:2.4::el9", "package": "automation-controller-0:4.5.5-2.el9ap", "product_name": "Red Hat Ansible Automation Platform 2.4 for RHEL 9", "release_date": "2024-04-02T00:00:00Z"}, {"advisory": "RHSA-2024:1640", "cpe": "cpe:/a:redhat:ansible_automation_platform:2.4::el9", "package": "python-aiohttp-0:3.9.3-1.el9ap", "product_name": "Red Hat Ansible Automation Platform 2.4 for RHEL 9", "release_date": "2024-04-02T00:00:00Z"}, {"advisory": "RHSA-2024:1536", "cpe": "cpe:/a:redhat:satellite:6.14::el8", "package": "python-aiohttp-0:3.9.2-0.1.el8pc", "product_name": "Red Hat Satellite 6.14 for RHEL 8", "release_date": "2024-03-27T00:00:00Z"}, {"advisory": "RHSA-2024:1536", "cpe": "cpe:/a:redhat:satellite_capsule:6.14::el8", "package": "python-aiohttp-0:3.9.2-0.1.el8pc", "product_name": "Red Hat Satellite 6.14 for RHEL 8", "release_date": "2024-03-27T00:00:00Z"}, {"advisory": "RHSA-2024:2010", "cpe": "cpe:/a:redhat:satellite:6.15::el8", "package": "python-aiohttp-0:3.9.2-1.el8pc", "product_name": "Red Hat Satellite 6.15 for RHEL 8", "release_date": "2024-04-23T00:00:00Z"}, {"advisory": "RHSA-2024:2010", "cpe": "cpe:/a:redhat:satellite_capsule:6.15::el8", "package": "python-aiohttp-0:3.9.2-1.el8pc", "product_name": "Red Hat Satellite 6.15 for RHEL 8", "release_date": "2024-04-23T00:00:00Z"}, {"advisory": "RHSA-2024:1878", "cpe": "cpe:/a:redhat:rhui:4::el8", "package": "python-aiohttp-0:3.9.2-1.el8ui", "product_name": "RHUI 4 for RHEL 8", "release_date": "2024-04-18T00:00:00Z"}], "bugzilla": {"description": "aiohttp: follow_symlinks directory traversal vulnerability", "id": "2261887", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2261887"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.9", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "status": "verified"}, "cwe": "CWE-22", "details": ["aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. When using aiohttp as a web server and configuring static routes, it is necessary to specify the root path for static files. Additionally, the option 'follow_symlinks' can be used to determine whether to follow symbolic links outside the static root directory. When 'follow_symlinks' is set to True, there is no validation to check if reading a file is within the root directory. This can lead to directory traversal vulnerabilities, resulting in unauthorized access to arbitrary files on the system, even when symlinks are not present. Disabling follow_symlinks and using a reverse proxy are encouraged mitigations. Version 3.9.2 fixes this issue.", "A flaw was found in aiohttp. When using aiohttp as a web server and configuring static routes, it is necessary to specify the root path for static files. Additionally, the option 'follow_symlinks' can be used to determine whether to follow symbolic links outside the static root directory. When 'follow_symlinks' is set to True, there is no validation to check if a given file path is within the root directory. This issue can lead to a directory traversal vulnerability, resulting in unauthorized access to arbitrary files on the system, even when symlinks are not present."], "mitigation": {"lang": "en:us", "value": "If using follow_symlinks=True outside of a restricted local development environment, disable the option immediately. This option is NOT needed to follow symlinks that point to a location within the static root directory; it is only intended to allow a symlink to break out of the static directory. Even with this CVE fixed, there is still a substantial risk of misconfiguration when using this option on a server that accepts requests from remote users.\nAdditionally, aiohttp has always recommended using a reverse proxy server (such as nginx) to handle static resources and not to use these static resources in aiohttp for production environments. Doing so also protects against this vulnerability, and is why we expect the number of affected users to be very low."}, "name": "CVE-2024-23334", "package_state": [{"cpe": "cpe:/a:redhat:ansible_automation_platform", "fix_state": "Out of support scope", "package_name": "ansible-tower", "product_name": "Red Hat Ansible Automation Platform 1.2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Not affected", "package_name": "ansible-automation-platform-24/ansible-builder-rhel8", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Not affected", "package_name": "ansible-automation-platform-24/ee-cloud-services-rhel8", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Not affected", "package_name": "ansible-automation-platform-24/ee-dellemc-openmanage-rhel8", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Not affected", "package_name": "ansible-automation-platform-24/ee-minimal-rhel8", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Not affected", "package_name": "ansible-automation-platform-24/ee-supported-rhel8", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Not affected", "package_name": "ansible-automation-platform-24/platform-resource-runner-rhel8", "product_name": "Red Hat Ansible Automation Platform 2"}], "public_date": "2024-01-30T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-23334\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-23334\nhttps://github.com/aio-libs/aiohttp/security/advisories/GHSA-5h86-8mv2-jq9f"], "statement": "This vulnerability has been rated as having a moderate impact. There is a non-default precondition which is required to exploit it: the follow_symlinks setting needs to be enabled.", "threat_severity": "Moderate", "upstream_fix": "aiohttp 3.9.2"}