Bug 1219341 (CVE-2024-23334)

Summary: VUL-0: CVE-2024-23334: python-aiohttp: directory traversal vulnerability when 'follow_sysmlinks' is True and static routes are configured
Product: [Novell Products] SUSE Security Incidents Reporter: SMASH SMASH <smash_bz>
Component: IncidentsAssignee: John Paul Adrian Glaubitz <adrian.glaubitz>
Status: IN_PROGRESS --- QA Contact: Security Team bot <security-team>
Severity: Major    
Priority: P3 - Medium CC: adrian.glaubitz, andrea.mattiazzo
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/392489/
Whiteboard: CVSSv3.1:SUSE:CVE-2024-23334:7.5:(AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description SMASH SMASH 2024-01-30 09:20:02 UTC 
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. When using aiohttp as a web server and configuring static routes, it is necessary to specify the root path for static files. Additionally, the option 'follow_symlinks' can be used to determine whether to follow symbolic links outside the static root directory. When 'follow_symlinks' is set to True, there is no validation to check if reading a file is within the root directory. This can lead to directory traversal vulnerabilities, resulting in unauthorized access to arbitrary files on the system, even when symlinks are not present.  Disabling follow_symlinks and using a reverse proxy are encouraged mitigations.  Version 3.9.2 fixes this issue.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-23334
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-5h86-8mv2-jq9f
https://www.cve.org/CVERecord?id=CVE-2024-23334
https://github.com/aio-libs/aiohttp/pull/8079

Patch:
https://github.com/aio-libs/aiohttp/commit/1c335944d6a8b1298baf179b7c0b3069f10c514b
Comment 1 Andrea Mattiazzo 2024-01-30 09:20:45 UTC 
Tracking as affected:
- SUSE:ALP:Source:Standard:1.0/python-aiohttp       
- SUSE:SLE-15-SP1:Update/python-aiohttp        3.6.0
- SUSE:SLE-15-SP4:Update/python-aiohttp             
- openSUSE:Factory/python-aiohttp
Comment 2 John Paul Adrian Glaubitz 2024-01-30 10:35:22 UTC 
(In reply to Andrea Mattiazzo from comment #1)
> Tracking as affected:
> - SUSE:ALP:Source:Standard:1.0/python-aiohttp       
> - SUSE:SLE-15-SP1:Update/python-aiohttp        3.6.0
> - SUSE:SLE-15-SP4:Update/python-aiohttp             
> - openSUSE:Factory/python-aiohttp

Just submitted an update to 3.9.3 to openSUSE:Factory.

Will look at SUSE:SLE-15-SP1:Update and SUSE:SLE-15-SP4:Update now.
Comment 4 Maintenance Automation 2024-02-21 12:30:12 UTC 
SUSE-SU-2024:0577-1: An update that solves four vulnerabilities and has one security fix can now be installed.

Category: security (important)
Bug References: 1217174, 1217181, 1217782, 1219341, 1219342
CVE References: CVE-2023-47627, CVE-2023-47641, CVE-2024-23334, CVE-2024-23829
Sources used:
openSUSE Leap 15.4 (src): python-aiohttp-3.9.3-150400.10.14.1, python-time-machine-2.13.0-150400.9.3.1
openSUSE Leap 15.5 (src): python-aiohttp-3.9.3-150400.10.14.1
Python 3 Module 15-SP5 (src): python-aiohttp-3.9.3-150400.10.14.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src): python-aiohttp-3.9.3-150400.10.14.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src): python-aiohttp-3.9.3-150400.10.14.1
SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 (src): python-aiohttp-3.9.3-150400.10.14.1
SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (src): python-aiohttp-3.9.3-150400.10.14.1
SUSE Linux Enterprise Server for SAP Applications 15 SP4 (src): python-aiohttp-3.9.3-150400.10.14.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.