Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2024-23334
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
aiohttp.web.static(follow_symlinks=True) is vulnerable to directory traversal
Source: NVD (National Vulnerability Database)
Vulnerability Description
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. When using aiohttp as a web server and configuring static routes, it is necessary to specify the root path for static files. Additionally, the option 'follow_symlinks' can be used to determine whether to follow symbolic links outside the static root directory. When 'follow_symlinks' is set to True, there is no validation to check if reading a file is within the root directory. This can lead to directory traversal vulnerabilities, resulting in unauthorized access to arbitrary files on the system, even when symlinks are not present. Disabling follow_symlinks and using a reverse proxy are encouraged mitigations. Version 3.9.2 fixes this issue.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
对路径名的限制不恰当(路径遍历)
Source: NVD (National Vulnerability Database)
Vulnerability Title
aiohttp 路径遍历漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
aiohttp是一个开源的用于 asyncio 和 Python 的异步 HTTP 客户端/服务器框架。 aiohttp 3.9.2之前版本存在路径遍历漏洞,该漏洞源于当follow_symlinks设置为 True 时,不会进行检查读取的文件是否位于根目录内,这可能会导致目录遍历漏洞。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
VendorProductAffected VersionsCPESubscribe
aio-libsaiohttp < 3.9.2 -
II. Public POCs for CVE-2024-23334
#POC DescriptionSource LinkShenlong Link
1CVE-2024-23334https://github.com/ox1111/CVE-2024-23334POC Details
2Nonehttps://github.com/sxyrxyy/aiohttp-exploit-CVE-2024-23334-certstreamPOC Details
3A proof of concept of the path traversal vulnerability in the python AioHTTP library =< 3.9.1https://github.com/z3rObyte/CVE-2024-23334-PoCPOC Details
4aiohttp LFI (CVE-2024-23334)https://github.com/jhonnybonny/CVE-2024-23334POC Details
5This repository contains a proof of concept about the exploitation of the aiohttp library for the reported vulnerability CVE-2024-23334.https://github.com/brian-edgar-re/poc-cve-2024-23334POC Details
6Expolit for CVE-2024-23334 (aiohttp >= 1.0.5> && <=3.9.1)https://github.com/binaryninja/CVE-2024-23334POC Details
7A proof of concept of the LFI vulnerability on aiohttp 3.9.1https://github.com/s4botai/CVE-2024-23334-PoCPOC Details
8Proof-of-Concept for LFI/Path Traversal vulnerability in Aiohttp =< 3.9.1https://github.com/wizarddos/CVE-2024-23334POC Details
9Nonehttps://github.com/Pylonet/CVE-2024-23334POC Details
10Proof of concept of the parh traversal in python AioHTTP library =< 3.9.1https://github.com/Arc4he/CVE-2024-23334-PoCPOC Details
11Bash script to automate Local File Inclusion (LFI) attacks on aiohttp server version 3.9.1.https://github.com/TheRedP4nther/LFI-aiohttp-CVE-2024-23334-PoCPOC Details
12This repository is a proof of concept (POC) for CVE-2024-23334, demonstrating an attempt to replicate the bug in aiohttp that leads to Local File Inclusion (LFI).https://github.com/Betan423/CVE-2024-23334-PoCPOC Details
13A proof of concept of the path traversal vulnerability in the python AioHTTP library =< 3.9.1https://github.com/BestDevOfc/CVE-2024-23334-PoCPOC Details
14aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. When using aiohttp as a web server and configuring static routes, it is necessary to specify the root path for static files. Additionally, the option 'follow_symlinks' can be used to determine whether to follow symbolic links outside the static root directory. When 'follow_symlinks' is set to True, there is no validation to check if reading a file is within the root directory. This can lead to directory traversal vulnerabilities, resulting in unauthorized access to arbitrary files on the system, even when symlinks are not present. Disabling follow_symlinks and using a reverse proxy are encouraged mitigations. Version 3.9.2 fixes this issue. https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2024/CVE-2024-23334.yamlPOC Details
15https://github.com/vulhub/vulhub/blob/master/python/CVE-2024-23334/README.mdPOC Details
16Nonehttps://github.com/Threekiii/Awesome-POC/blob/master/%E5%BC%80%E5%8F%91%E8%AF%AD%E8%A8%80%E6%BC%8F%E6%B4%9E/Python%20aiohttp%20%E7%9B%AE%E5%BD%95%E9%81%8D%E5%8E%86%E6%BC%8F%E6%B4%9E%20CVE-2024-23334.mdPOC Details
17Nonehttps://github.com/0xR00/CVE-2024-23334POC Details
18Nonehttps://github.com/Sn0wBaall/CVE-2024-23334-PoCPOC Details
AI-Generated POCPremium

No public POC found.

Login to generate AI POC
III. Intelligence Information for CVE-2024-23334
Please Login to view more intelligence information
IV. Related Vulnerabilities
Same product: aiohttp
Same vendor: aio-libs
Same weakness: CWE-22
V. Comments for CVE-2024-23334

No comments yet

Leave a comment