CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-42367 – In aiohttp, compressed files as symlinks are not protected from path traversal
https://notcve.org/view.php?id=CVE-2024-42367
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.10.2, static routes which contain files with compressed variants (`.gz` or `.br` extension) are vulnerable to path traversal outside the root directory if those variants are symbolic links. The server protects static routes from path traversal outside the root directory when `follow_symlinks=False` (default). It does this by resolving the requested URL to an absolute path and then checking that path relative to the root. However, these checks are not performed when looking for compressed variants in the `FileResponse` class, and symbolic links are then automatically followed when performing the `Path.stat()` and `Path.open()` to send the file. • https://github.com/aio-libs/aiohttp/blob/e0ff5246e1d29b7710ab1a2bbc972b48169f1c05/aiohttp/web_fileresponse.py#L177 https://github.com/aio-libs/aiohttp/blob/e0ff5246e1d29b7710ab1a2bbc972b48169f1c05/aiohttp/web_urldispatcher.py#L674 https://github.com/aio-libs/aiohttp/commit/ce2e9758814527589b10759a20783fb03b98339f https://github.com/aio-libs/aiohttp/pull/8653 https://github.com/aio-libs/aiohttp/security/advisories/GHSA-jwhx-xcg6-8xhj • CWE-61: UNIX Symbolic Link (Symlink) Following •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-30251 – Denial of service when trying to parse malformed POST requests in aiohttp
https://notcve.org/view.php?id=CVE-2024-30251
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In affected versions an attacker can send a specially crafted POST (multipart/form-data) request. When the aiohttp server processes it, the server will enter an infinite loop and be unable to process any further requests. An attacker can stop the application from serving requests after sending a single request. This issue has been addressed in version 3.9.4. • http://www.openwall.com/lists/oss-security/2024/05/02/4 https://github.com/aio-libs/aiohttp/commit/7eecdff163ccf029fbb1ddc9de4169d4aaeb6597 https://github.com/aio-libs/aiohttp/commit/cebe526b9c34dc3a3da9140409db63014bc4cf19 https://github.com/aio-libs/aiohttp/commit/f21c6f2ca512a026ce7f0f6c6311f62d6a638866 https://github.com/aio-libs/aiohttp/security/advisories/GHSA-5m98-qgg9-wh84 https://access.redhat.com/security/cve/CVE-2024-30251 https://bugzilla.redhat.com/show_bug.cgi?id=2278710 • CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-27306 – aiohttp vulnerable to XSS on index pages for static file handling
https://notcve.org/view.php?id=CVE-2024-27306
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. A XSS vulnerability exists on index pages for static file handling. This vulnerability is fixed in 3.9.4. We have always recommended using a reverse proxy server (e.g. nginx) for serving static files. Users following the recommendation are unaffected. • https://github.com/aio-libs/aiohttp/commit/28335525d1eac015a7e7584137678cbb6ff19397 https://github.com/aio-libs/aiohttp/pull/8319 https://github.com/aio-libs/aiohttp/security/advisories/GHSA-7gpw-8wmc-pm8g https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2EXRGTN2WG7VZLUZ7WOXU5GQJKCPPHKP https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NWEI6NIHZ3G7DURDZVMRK7ZEFC2BTD3U https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/mess • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) •
CVSS: 7.5EPSS: 8%CPEs: 2EXPL: 8CVE-2024-23334 – aiohttp.web.static(follow_symlinks=True) is vulnerable to directory traversal
https://notcve.org/view.php?id=CVE-2024-23334
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. When using aiohttp as a web server and configuring static routes, it is necessary to specify the root path for static files. Additionally, the option 'follow_symlinks' can be used to determine whether to follow symbolic links outside the static root directory. When 'follow_symlinks' is set to True, there is no validation to check if reading a file is within the root directory. This can lead to directory traversal vulnerabilities, resulting in unauthorized access to arbitrary files on the system, even when symlinks are not present. • https://github.com/jhonnybonny/CVE-2024-23334 https://github.com/ox1111/CVE-2024-23334 https://github.com/binaryninja/CVE-2024-23334 https://github.com/sxyrxyy/aiohttp-exploit-CVE-2024-23334-certstream https://github.com/z3rObyte/CVE-2024-23334-PoC https://github.com/s4botai/CVE-2024-23334-PoC https://github.com/wizarddos/CVE-2024-23334 https://github.com/aio-libs/aiohttp/commit/1c335944d6a8b1298baf179b7c0b3069f10c514b https://github.com/aio-libs/aiohttp/pull/8079 https://github.com&#x • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 1CVE-2024-23829 – aiohttp's HTTP parser (the python one, not llhttp) still overly lenient about separators
https://notcve.org/view.php?id=CVE-2024-23829
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Security-sensitive parts of the Python HTTP parser retained minor differences in allowable character sets, that must trigger error handling to robustly match frame boundaries of proxies in order to protect against injection of additional requests. Additionally, validation could trigger exceptions that were not handled consistently with processing of other malformed input. Being more lenient than internet standards require could, depending on deployment environment, assist in request smuggling. The unhandled exception could cause excessive resource consumption on the application server and/or its logging facilities. • https://github.com/aio-libs/aiohttp/commit/33ccdfb0a12690af5bb49bda2319ec0907fa7827 https://github.com/aio-libs/aiohttp/pull/8074 https://github.com/aio-libs/aiohttp/security/advisories/GHSA-8qpw-xqxj-h4r2 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ICUOCFGTB25WUT336BZ4UNYLSZOUVKBD https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XXWVZIVAYWEBHNRIILZVB3R3SDQNNAA7 https://access.redhat.com/security/cve/CVE-2024-23829 https://bugzilla.redhat. • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •