CVSS: 6.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-52304 – aiohttp vulnerable to request smuggling due to incorrect parsing of chunk extensions
https://notcve.org/view.php?id=CVE-2024-52304
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.10.11, the Python parser parses newlines in chunk extensions incorrectly which can lead to request smuggling vulnerabilities under certain conditions. If a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or `AIOHTTP_NO_EXTENSIONS` is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections. Version 3.10.11 fixes the issue. • https://github.com/aio-libs/aiohttp/commit/259edc369075de63e6f3a4eaade058c62af0df71 https://github.com/aio-libs/aiohttp/security/advisories/GHSA-8495-4g3g-x7pr • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-42367 – In aiohttp, compressed files as symlinks are not protected from path traversal
https://notcve.org/view.php?id=CVE-2024-42367
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.10.2, static routes which contain files with compressed variants (`.gz` or `.br` extension) are vulnerable to path traversal outside the root directory if those variants are symbolic links. The server protects static routes from path traversal outside the root directory when `follow_symlinks=False` (default). It does this by resolving the requested URL to an absolute path and then checking that path relative to the root. However, these checks are not performed when looking for compressed variants in the `FileResponse` class, and symbolic links are then automatically followed when performing the `Path.stat()` and `Path.open()` to send the file. • https://github.com/aio-libs/aiohttp/blob/e0ff5246e1d29b7710ab1a2bbc972b48169f1c05/aiohttp/web_fileresponse.py#L177 https://github.com/aio-libs/aiohttp/blob/e0ff5246e1d29b7710ab1a2bbc972b48169f1c05/aiohttp/web_urldispatcher.py#L674 https://github.com/aio-libs/aiohttp/commit/ce2e9758814527589b10759a20783fb03b98339f https://github.com/aio-libs/aiohttp/pull/8653 https://github.com/aio-libs/aiohttp/security/advisories/GHSA-jwhx-xcg6-8xhj • CWE-61: UNIX Symbolic Link (Symlink) Following •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-30251 – Denial of service when trying to parse malformed POST requests in aiohttp
https://notcve.org/view.php?id=CVE-2024-30251
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In affected versions an attacker can send a specially crafted POST (multipart/form-data) request. When the aiohttp server processes it, the server will enter an infinite loop and be unable to process any further requests. An attacker can stop the application from serving requests after sending a single request. This issue has been addressed in version 3.9.4. • http://www.openwall.com/lists/oss-security/2024/05/02/4 https://github.com/aio-libs/aiohttp/commit/7eecdff163ccf029fbb1ddc9de4169d4aaeb6597 https://github.com/aio-libs/aiohttp/commit/cebe526b9c34dc3a3da9140409db63014bc4cf19 https://github.com/aio-libs/aiohttp/commit/f21c6f2ca512a026ce7f0f6c6311f62d6a638866 https://github.com/aio-libs/aiohttp/security/advisories/GHSA-5m98-qgg9-wh84 https://access.redhat.com/security/cve/CVE-2024-30251 https://bugzilla.redhat.com/show_bug.cgi?id=2278710 • CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-27306 – aiohttp vulnerable to XSS on index pages for static file handling
https://notcve.org/view.php?id=CVE-2024-27306
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. A XSS vulnerability exists on index pages for static file handling. This vulnerability is fixed in 3.9.4. We have always recommended using a reverse proxy server (e.g. nginx) for serving static files. Users following the recommendation are unaffected. • https://github.com/aio-libs/aiohttp/commit/28335525d1eac015a7e7584137678cbb6ff19397 https://github.com/aio-libs/aiohttp/pull/8319 https://github.com/aio-libs/aiohttp/security/advisories/GHSA-7gpw-8wmc-pm8g https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2EXRGTN2WG7VZLUZ7WOXU5GQJKCPPHKP https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NWEI6NIHZ3G7DURDZVMRK7ZEFC2BTD3U https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/mess • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) •
CVSS: 7.5EPSS: 10%CPEs: 2EXPL: 8CVE-2024-23334 – aiohttp.web.static(follow_symlinks=True) is vulnerable to directory traversal
https://notcve.org/view.php?id=CVE-2024-23334
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. When using aiohttp as a web server and configuring static routes, it is necessary to specify the root path for static files. Additionally, the option 'follow_symlinks' can be used to determine whether to follow symbolic links outside the static root directory. When 'follow_symlinks' is set to True, there is no validation to check if reading a file is within the root directory. This can lead to directory traversal vulnerabilities, resulting in unauthorized access to arbitrary files on the system, even when symlinks are not present. • https://github.com/jhonnybonny/CVE-2024-23334 https://github.com/ox1111/CVE-2024-23334 https://github.com/binaryninja/CVE-2024-23334 https://github.com/sxyrxyy/aiohttp-exploit-CVE-2024-23334-certstream https://github.com/z3rObyte/CVE-2024-23334-PoC https://github.com/s4botai/CVE-2024-23334-PoC https://github.com/wizarddos/CVE-2024-23334 https://github.com/aio-libs/aiohttp/commit/1c335944d6a8b1298baf179b7c0b3069f10c514b https://github.com/aio-libs/aiohttp/pull/8079 https://github.com&#x • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •