CVE-2024-23334
CVSS 3.1 Score 7.5 of 10 (high)
Details
Summary
CVE-2024-23334 affects the aiohttp asynchronous HTTP library for Python. This vulnerability arises when using aiohttp as a web server and setting up static routes. When the 'follow_symlinks' option is enabled, there is no validation to ensure that files being read are within the specified root directory. This lack of validation can result in directory traversal vulnerabilities, potentially granting unauthorized access to sensitive files on the system, even when symbolic links are not present. The recommended mitigations include disabling 'follow_symlinks' and implementing a reverse proxy. Version 3.9.2 of aiohttp addresses this issue.
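The containment check the summary describes as missing, shown as an added standalone example (not aiohttp's own code). It models a static-file resolver under both settings of follow_symlinks: the URL path is normalised, symlinks are followed only when requested, and in every case the final path must still lie under the web root. The names resolve_under_root and build_demo_tree are hypothetical, and the directory tree is constructed in a temporary directory.

```python
import os
import tempfile
from pathlib import Path
from typing import Optional


def _has_symlink(path: Path, root: Path) -> bool:
    """True if any component of `path` below `root` is a symbolic link."""
    for part in [path, *path.parents]:
        if part == root:
            return False
        if part.is_symlink():
            return True
    return False


def resolve_under_root(root: Path, url_path: str, follow_symlinks: bool = False) -> Optional[Path]:
    """Map a request path onto a file under `root`, or return None if it escapes.

    The root-containment check at the end is the validation the advisory says
    the vulnerable versions skipped when follow_symlinks was enabled.
    """
    root = root.resolve(strict=True)
    # Collapse '..' segments lexically first, without touching the filesystem.
    candidate = Path(os.path.normpath(root / url_path.lstrip("/")))
    if follow_symlinks:
        final = candidate.resolve()          # follow links, then re-check containment
    else:
        if _has_symlink(candidate, root):    # links are refused outright in this mode
            return None
        final = candidate
    try:
        final.relative_to(root)              # must still be inside the resolved root
    except ValueError:
        return None
    return final if final.is_file() else None


def build_demo_tree() -> Path:
    """Constructed fixture: a web root, a file outside it, and a symlink pointing out."""
    base = Path(tempfile.mkdtemp())
    (base / "outside").mkdir()
    (base / "outside" / "secret.txt").write_text("not served\n")
    root = base / "static"
    root.mkdir()
    (root / "index.html").write_text("<h1>hello</h1>\n")
    (root / "escape").symlink_to(base / "outside" / "secret.txt")
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for req, follow in [("index.html", True), ("../outside/secret.txt", True), ("escape", True), ("escape", False)]:
        print(req, follow, resolve_under_root(demo_root, req, follow_symlinks=follow))
```

With follow_symlinks=True the symlink is followed but the resolved target is rejected because it lies outside the root; only index.html is served in either mode.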
Affected Products
- aiohttp
- Fedora Operating System
Affected Vendors
- Fedora Project