DEBIAN-CVE-2024-23334
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. When using aiohttp as a web server and configuring static routes, it is necessary to specify the root path for static files. Additionally, the option 'follow_symlinks' can be used to determine whether to follow symbolic links outside the static root directory. When 'follow_symlinks' is set to True, there is no validation to check if reading a file is within the root directory. This can lead to directory traversal vulnerabilities, resulting in unauthorized access to arbitrary files on the system, even when symlinks are not present. Disabling follow_symlinks and using a reverse proxy are encouraged mitigations. Version 3.9.2 fixes this issue.
Risk Scores
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Debian:14 | python-aiohttp | 0, 0 |
| Debian:13 | python-aiohttp | 0, 0 |
| Debian:12 | python-aiohttp | 3.8.4-1, 0, 3.8.4-1 |
| Debian:11 | python-aiohttp | 0, 0, 3.7.4-1 |
Exploit Intelligence
- Bash script to automate Local File Inclusion (LFI) attacks on aiohttp server version 3.9.1. (github-poc-repo)
- Sn0wBaall/CVE-2024-23334-PoC (github-poc-repo)
- Sn0wBaall/CVE-2024-23334-PoC (github-poc)
- A proof of concept of the path traversal vulnerability in the python AioHTTP library =< 3.9.1 (github-poc)
- This repository is a proof of concept (POC) for CVE-2024-23334, demonstrating an attempt to replicate the bug in aiohttp that leads to Local File Inclusion (LFI). (github-poc)
- Bash script to automate Local File Inclusion (LFI) attacks on aiohttp server version 3.9.1. (github-poc)
- Proof of concept of the parh traversal in python AioHTTP library =< 3.9.1 (github-poc)
- 0xR00/CVE-2024-23334 (github-poc)
- Proof-of-Concept for LFI/Path Traversal vulnerability in Aiohttp =< 3.9.1 (github-poc)
- A proof of concept of the LFI vulnerability on aiohttp 3.9.1 (github-poc)
…and 10 more exploits
Timeline
- Jan 29, 2024 CVE Published
- Apr 28, 2026 CVE Updated