CVE-2024-23334
Improperly configuring static resource resolution vulnerability in aiohttp

Improperly configuring static resource resolution (High confidence exploit)

What is CVE-2024-23334 About?

This directory traversal vulnerability in the aiohttp web server allows unauthorized reading of arbitrary files when `follow_symlinks` is enabled for static routes. Attackers can exploit it by crafting URLs that reach files outside the intended static root directory. Exploitation is straightforward whenever that configuration is present.

Affected Software

  • aiohttp
    • <1c335944d6a8b1298baf179b7c0b3069f10c514b
    • >1.0.5, <3.9.2

Technical Details

The vulnerability stems from an insecure code path in aiohttp's static resource resolution when the `web.static` handler is configured with `follow_symlinks=True`. When enabled, this option permits symbolic links under the static root to point outside the designated directory. In affected versions, however, aiohttp's validation logic fails to check whether a requested file path, after potential symlink resolution, still resides within the intended static root. Because of this oversight, an attacker can construct a URL that, when processed, traverses directory boundaries (e.g., using `../` sequences) even when no symlinks are present at all. The result is unauthorized access to any file on the system that the aiohttp process has read permission for, effectively bypassing the security boundary that static file serving is meant to enforce.
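As an added example that is not part of this advisory and not aiohttp's own code, the standard-library Python below implements the containment check that the vulnerable code path omitted. It follows the two-mode approach the fix took: the request path is first normalised lexically (collapsing `..`) and must stay under the static root regardless of `follow_symlinks`; only when `follow_symlinks` is off is the physically resolved path additionally required to stay inside the root. The function and exception names (`resolve_static_path`, `StaticPathError`, `demo`) and the temporary directory layout built by `demo()` are constructed for this illustration.

```python
"""Containment check for static file serving (added example, not aiohttp's code).

The CVE-2024-23334 code path resolved a requested file but, with
follow_symlinks=True, never confirmed that the result still lived under the
static root.  This check always enforces lexical containment and, unless
symlinks are explicitly allowed, physical containment too.
"""
import os
import tempfile
from pathlib import Path
from urllib.parse import unquote


class StaticPathError(Exception):
    """Raised when a request would escape the static root (serve a 403/404)."""


def resolve_static_path(root, url_path: str, follow_symlinks: bool = False) -> Path:
    """Map the URL path after the static prefix to a file under ``root``.

    Raises StaticPathError for any request that escapes ``root`` after
    ``..`` collapsing and, when follow_symlinks is False, after symlink
    resolution as well.
    """
    root_resolved = Path(root).resolve(strict=True)
    # Decode once before checking: %2e%2e would otherwise slip past normpath.
    decoded = unquote(url_path)
    # Drop empty segments so leading, trailing and doubled slashes are harmless.
    parts = [p for p in decoded.split("/") if p]
    # Lexical normalisation collapses ".." without touching symlinks.
    lexical = Path(os.path.normpath(root_resolved.joinpath(*parts)))
    try:
        lexical.relative_to(root_resolved)
    except ValueError:
        raise StaticPathError(f"{url_path!r} escapes the static root") from None
    if follow_symlinks:
        # A symlink placed inside the root may point anywhere: that is the
        # documented purpose of the option, so the caller has opted into it.
        return lexical.resolve()
    physical = lexical.resolve()
    try:
        physical.relative_to(root_resolved)
    except ValueError:
        raise StaticPathError(
            f"{url_path!r} resolves through a symlink to outside the static root"
        ) from None
    return physical


def demo() -> dict:
    """Build a constructed static root in a temp dir and exercise the check.

    Returns {(request_path, follow_symlinks): "served" | "rejected"}.
    """
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        root = base / "static"
        (root / "css").mkdir(parents=True)
        (root / "css" / "site.css").write_text("body{}")
        secret = base / "secret.txt"  # deliberately outside the static root
        secret.write_text("not for the web")
        (root / "link_out").symlink_to(secret)  # symlink inside root, target outside
        requests = [
            "css/site.css",                      # legitimate file
            "../secret.txt",                     # plain traversal
            "css/%2e%2e/%2e%2e/secret.txt",      # percent-encoded traversal
            "link_out",                          # symlink escaping the root
        ]
        results = {}
        for path in requests:
            for follow in (False, True):
                try:
                    resolve_static_path(root, path, follow)
                    results[(path, follow)] = "served"
                except StaticPathError:
                    results[(path, follow)] = "rejected"
        return results


if __name__ == "__main__":
    for (path, follow), outcome in demo().items():
        print(f"follow_symlinks={follow!s:5}  {path:32} -> {outcome}")
```

Running the block shows that every `..` variant is rejected in both modes, while the out-of-root symlink is served only when `follow_symlinks=True`, which is exactly the behaviour an operator opts into by enabling that option. In an aiohttp deployment the equivalent mitigation is to upgrade to a fixed release and leave `follow_symlinks` at its default of `False` unless the symlink targets are themselves under your control.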

What is the Impact of CVE-2024-23334?

Successful exploitation may allow attackers to read arbitrary files from the file system, potentially leading to information disclosure of sensitive data, configuration files, or other system resources.

What is the Exploitability of CVE-2024-23334?

Exploitation of this vulnerability is simple, provided the `aiohttp` web server is configured with `web.static` and `follow_symlinks=True`. No authentication is required, because the flaw lies in static file serving that is reachable by any client, and the attacker needs no privileges beyond the ability to send HTTP requests. The attack vector is remote: a crafted URL triggers the directory traversal. The main prerequisite is the specific vulnerable configuration. When that configuration is in place, the likelihood of exploitation is high, especially if the server is exposed to untrusted users in a production environment, despite recommendations against such usage.

What are the Known Public Exploits?

PoC Author    Link    Commentary
jhonnybonny   Link    aiohttp LFI (CVE-2024-23334)
z3rObyte      Link    A proof of concept of the path traversal vulnerability in the python AioHTTP library =< 3.9.1
ox1111        Link    CVE-2024-23334

What are the Available Fixes for CVE-2024-23334?

Available Upgrade Options

  • aiohttp
    • >1.0.5, <3.9.2 → Upgrade to 3.9.2
  • aiohttp
    • <1c335944d6a8b1298baf179b7c0b3069f10c514b → Upgrade to 1c335944d6a8b1298baf179b7c0b3069f10c514b


Additional Resources

What are Similar Vulnerabilities to CVE-2024-23334?

Similar Vulnerabilities: CVE-2021-41773, CVE-2021-42013, CVE-2022-26134, CVE-2023-38035, CVE-2021-3007