#VU96003 UNIX symbolic link following in aiohttp - CVE-2024-42367

Cybersecurity Help s.r.o.

Published: 2024-08-14

Vulnerability identifier: #VU96003

Vulnerability risk: High

CVSSv4.0: 8 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2024-42367

CWE-ID: CWE-61

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
aiohttp
Other software / Other software solutions

Vendor: aio-libs

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to a symlink following issue when handling static routes which contain files with compressed variants in the FileResponse class even when "follow_symlinks=False" is set. A remote attacker can pass a specially crafted file to the application and perform directory traversal attacks.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

aiohttp: 3.0.0 - 3.10.1

External links
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-jwhx-xcg6-8xhj
https://github.com/aio-libs/aiohttp/pull/8653
https://github.com/aio-libs/aiohttp/commit/ce2e9758814527589b10759a20783fb03b98339f
https://github.com/aio-libs/aiohttp/blob/e0ff5246e1d29b7710ab1a2bbc972b48169f1c05/aiohttp/web_fileresponse.py#L177
https://github.com/aio-libs/aiohttp/blob/e0ff5246e1d29b7710ab1a2bbc972b48169f1c05/aiohttp/web_urldispatcher.py#L674

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in IBM Process Mining

Anolis OS update for python-aiohttp

Multiple vulnerabilities in Siebel CRM Cloud Applications

openEuler 24.03 LTS update for python-aiohttp

Multiple vulnerabilities in IBM QRadar Suite Software

Path traversal via symbolic links in aiohttp