1219341 – (CVE-2024-23334) VUL-0: CVE-2024-23334: python-aiohttp: directory traversal vulnerability when 'follow_sysmlinks' is True and static routes are configured

Bug 1219341 (CVE-2024-23334) - VUL-0: CVE-2024-23334: python-aiohttp: directory traversal vulnerability when 'follow_sysmlinks' is True and static routes are configured

Summary: VUL-0: CVE-2024-23334: python-aiohttp: directory traversal vulnerability when...

Status:	IN_PROGRESS

Alias:	CVE-2024-23334

Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents (show other bugs)
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Major
Target Milestone:	---
Assignee:	John Paul Adrian Glaubitz
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/392489/
Whiteboard:	CVSSv3.1:SUSE:CVE-2024-23334:7.5:(AV:...
Keywords:

Depends on:
Blocks:

Clone This Bug

Reported:	2024-01-30 09:20 UTC by SMASH SMASH
Modified:	2024-06-10 10:40 UTC (History)
CC List:	2 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description SMASH SMASH 2024-01-30 09:20:02 UTC

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. When using aiohttp as a web server and configuring static routes, it is necessary to specify the root path for static files. Additionally, the option 'follow_symlinks' can be used to determine whether to follow symbolic links outside the static root directory. When 'follow_symlinks' is set to True, there is no validation to check if reading a file is within the root directory. This can lead to directory traversal vulnerabilities, resulting in unauthorized access to arbitrary files on the system, even when symlinks are not present.  Disabling follow_symlinks and using a reverse proxy are encouraged mitigations.  Version 3.9.2 fixes this issue.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-23334
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-5h86-8mv2-jq9f
https://www.cve.org/CVERecord?id=CVE-2024-23334
https://github.com/aio-libs/aiohttp/pull/8079

Patch:
https://github.com/aio-libs/aiohttp/commit/1c335944d6a8b1298baf179b7c0b3069f10c514b

Comment 1 Andrea Mattiazzo 2024-01-30 09:20:45 UTC

Tracking as affected:
- SUSE:ALP:Source:Standard:1.0/python-aiohttp       
- SUSE:SLE-15-SP1:Update/python-aiohttp        3.6.0
- SUSE:SLE-15-SP4:Update/python-aiohttp             
- openSUSE:Factory/python-aiohttp

Comment 2 John Paul Adrian Glaubitz 2024-01-30 10:35:22 UTC

(In reply to Andrea Mattiazzo from comment #1)
> Tracking as affected:
> - SUSE:ALP:Source:Standard:1.0/python-aiohttp       
> - SUSE:SLE-15-SP1:Update/python-aiohttp        3.6.0
> - SUSE:SLE-15-SP4:Update/python-aiohttp             
> - openSUSE:Factory/python-aiohttp

Just submitted an update to 3.9.3 to openSUSE:Factory.

Will look at SUSE:SLE-15-SP1:Update and SUSE:SLE-15-SP4:Update now.

Comment 4 Maintenance Automation 2024-02-21 12:30:12 UTC

SUSE-SU-2024:0577-1: An update that solves four vulnerabilities and has one security fix can now be installed.

Category: security (important)
Bug References: 1217174, 1217181, 1217782, 1219341, 1219342
CVE References: CVE-2023-47627, CVE-2023-47641, CVE-2024-23334, CVE-2024-23829
Sources used:
openSUSE Leap 15.4 (src): python-aiohttp-3.9.3-150400.10.14.1, python-time-machine-2.13.0-150400.9.3.1
openSUSE Leap 15.5 (src): python-aiohttp-3.9.3-150400.10.14.1
Python 3 Module 15-SP5 (src): python-aiohttp-3.9.3-150400.10.14.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src): python-aiohttp-3.9.3-150400.10.14.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src): python-aiohttp-3.9.3-150400.10.14.1
SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 (src): python-aiohttp-3.9.3-150400.10.14.1
SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (src): python-aiohttp-3.9.3-150400.10.14.1
SUSE Linux Enterprise Server for SAP Applications 15 SP4 (src): python-aiohttp-3.9.3-150400.10.14.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.