aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. When using aiohttp as a web server and configuring static routes, it is necessary to specify the root path for static files. Additionally, the option 'follow_symlinks' can be used to determine whether to follow symbolic links outside the static root directory. When 'follow_symlinks' is set to True, there is no validation to check if reading a file is within the root directory. This can lead to directory traversal vulnerabilities, resulting in unauthorized access to arbitrary files on the system, even when symlinks are not present. Disabling follow_symlinks and using a reverse proxy are encouraged mitigations. Version 3.9.2 fixes this issue.

The remote Fedora 41 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2024-9e55564ca7 advisory.

    Update to new upstream version (closes rhbz#2237124)

Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Ubuntu 18.04 LTS / 20.04 LTS / 22.04 LTS / 24.04 LTS host has a package installed that is affected by a vulnerability as referenced in the USN-6991-1 advisory.

    It was discovered that AIOHTTP did not properly restrict file access when the 'follow_symlinks' option was     set to True. A remote attacker could

    possibly use this issue to access unauthorized files on the system.

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2024:2010 advisory.

    For more details about the security issue(s), including the impact, a CVSS     score, acknowledgments, and other related information, refer to the CVE page(s)     listed in the References section.

    Security fixes:
    * python-pygments: ReDoS in pygments (CVE-2022-40896)
    * python-pycryptodomex: Side-channel leakage for OAEP decryption in PyCryptodome and pycryptodomex     (CVE-2023-52323)
    * satellite: Arithmetic overflow in satellite (CVE-2023-4320)
    * automation-hub: Ansible Automation Hub: insecure galaxy-importer tarfile extraction (CVE-2023-5189)
    * jetty: Improper addition of quotation marks to user inputs in CgiServlet (CVE-2023-36479)
    * python-aiohttp: HTTP request smuggling via llhttp HTTP request parser (CVE-2023-37276)
    * rubygem-activesupport: File Disclosure of Locally Encrypted Files (CVE-2023-38037)
    * jetty: Improper validation of HTTP/1 content-length (CVE-2023-40167)
    * python-django: Potential denial of service vulnerability in `django.utils.encoding.uri_to_iri()`     (CVE-2023-41164)
    * python-django: Denial-of-service possibility in django.utils.text.Truncator (CVE-2023-43665)
    * python-aiohttp: Numerous issues in HTTP parser with header parsing (CVE-2023-47627)
    * python-aiohttp: HTTP request modification (CVE-2023-49081)
    * python-aiohttp: CRLF injection if user controls the HTTP method using aiohttp client (CVE-2023-49082)
    * rubygem-puma: HTTP request smuggling when parsing chunked Transfer-Encoding Bodies (CVE-2024-21647)
    * rubygem-audited: Race condition can lead to audit logs being incorrectly attributed to the wrong user     (CVE-2024-22047)
    * python-jinja2: HTML attribute injection when passing user input as keys to xmlattr filter     (CVE-2024-22195)
    * python-aiohttp: Follow_symlinks directory traversal vulnerability (CVE-2024-23334)
    * python-aiohttp: HTTP request smuggling (CVE-2024-23829)

    Additional Changes:
    This update also fixes several bugs and adds various enhancements.

    Documentation for these changes is available from the Release Notes document linked to in the References     section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2024:1536 advisory.

    Red Hat Satellite is a system management solution that allows organizations     to configure and maintain their systems without the necessity to provide     public Internet access to their servers or other client systems. It     performs provisioning and configuration management of predefined standard     operating environments.
    Security Fix(es):

    * automation-hub: Ansible Automation Hub: insecure galaxy-importer tarfile extraction (CVE-2023-5189)
    * python-aiohttp: aiohttp: follow_symlinks directory traversal vulnerability (CVE-2024-23334)
    * python-aiohttp: http request smuggling (CVE-2024-23829)
    * python-aiohttp: numerous issues in HTTP parser with header parsing (CVE-2023-47627)
    * python-aiohttp: aiohttp: HTTP request modification (CVE-2023-49081)
    * python-django: Denial-of-service possibility in django.utils.text.Truncator (CVE-2023-43665)
    * python-jinja2: jinja2: HTML attribute injection when passing user input as keys to xmlattr filter     (CVE-2024-22195)

    Bug Fix(es):
    2266107 - hammer host list does not print parameters even if they are present in the fields list like LCE     and CVs.
    2266110 - Incremental update of *multiple* CVs with same repo of different content generates wrong katello     content     2266139 - Failed incremental CV import shows error: duplicate key value violates unique constraint     rpm_updatecollectionname_name_update_record_id_6ef33bed_uniq     2266140 - wrong links to provisioning guide in CR help     2266142 - When using the customer data (json) with 13 diff conf files, we can see some weird behavior when     updating the hypervisors     2266144 - Promoting a composite content view to environment with registry name as <%=     lifecycle_environment.label %>/<%= repository.name %> on Red Hat Satellite 6 fails with 'undefined     method '#label' for NilClass::Jail (NilClass)'     2266145 - CertificateCleanupJob fails with foreign key constraint violation on table cp_certificate     2266146 - katello:reimport fails with TypeError: no implicit conversion of String into Integer when     there are product contents to move     2266147 - Postgresql logs contain PG::UniqueViolation: ERROR: duplicate key value violates unique     constraint katello_available_module_streams_name_stream_context     2266148 - Adding a CV to a CCV lists CV versions disorderly     2266149 - 'Remove orphans' task fails on DeleteOrphanAlternateContentSources step     2266413 - [RFE] Add content view window and Update version window should display content view version,     description and publishing date     2266113 - [RFE] To make customers aware about satellite versions going EOL by adding warning banner on the     Login page or on the Dashboard page.
    2266141 - wrong link to scap content documentation     Users of Red Hat Satellite are advised to upgrade to these updated     packages, which fix these bugs.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2024:1878 advisory.

    Red Hat Update Infrastructure (RHUI) offers a highly scalable, highly redundant     framework that enables you to manage repositories and content. It also enables     cloud providers to deliver content and updates to Red Hat Enterprise Linux     (RHEL) instances.

    Security Fix(es):

    * python-django: Potential regular expression denial of service vulnerability in     EmailValidator/URLValidator (CVE-2023-36053)

    * python-aiohttp: HTTP request smuggling via llhttp HTTP request parser (CVE-2023-37276)

    * python-django: Potential denial of service vulnerability in ``django.utils.encoding.uri_to_iri()``     (CVE-2023-41164)

    * python-django: Denial-of-service possibility in django.utils.text.Truncator (CVE-2023-43665)

    * python-aiohttp: numerous issues in HTTP parser with header parsing (CVE-2023-47627)

    * aiohttp: HTTP request modification (CVE-2023-49081)

    * python-cryptography: NULL-dereference when loading PKCS7 certificates (CVE-2023-49083)

    * jinja2: HTML attribute injection when passing user input as keys to xmlattr filter (CVE-2024-22195)

    * aiohttp: follow_symlinks directory traversal vulnerability (CVE-2024-23334)

    * python-ecdsa: vulnerable to the Minerva attack (CVE-2024-23342)

    * python-aiohttp: http request smuggling (CVE-2024-23829)

    * Django: denial-of-service in ``intcomma`` template filter (CVE-2024-24680)

    * python-django: Potential regular expression denial-of-service in django.utils.text.Truncator.words()     (CVE-2024-27351)

    * aiohttp: CRLF injection if user controls the HTTP method using aiohttp client (CVE-2023-49082)

    This RHUI update fixes the following bugs:

    * The rhui-installer failed on RHEL 8.10 Beta due to the use of distutils. This has been addressed by     updating to a newer version of ansible-collection-community-crypto which does not use the distutils.

    This RHUI update introduces the following enhancements:

    * A native Ansible module is now used to update the packages on the RHUA server when the RHUI installer is     run for the first time or rerun at any time. This update can be prevented by using the --ignore-newer-     rhel-packages flag on the rhui-installer command line.

    * PulpCore has been updated to version 3.39.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 / 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2024:1640 advisory.

    Red Hat Ansible Automation Platform provides an enterprise framework for building, deploying and managing     IT automation at scale. IT Managers can provide top-down guidelines on how automation is applied to     individual teams, while automation developers retain the freedom to write tasks that leverage existing     knowledge without the overhead. Ansible Automation Platform makes it possible for users across an     organization to share, vet, and manage automation content by means of a simple, powerful, and agentless     language.

    Security Fix(es):

    * automation-controller: Django: denial-of-service in 'intcomma' template filter (CVE-2024-24680)
    * automation-controller: aiohttp: http request smuggling (CVE-2024-23829)
    * automation-controller: aiohttp: follow_symlinks directory traversal vulnerability (CVE-2024-23334)
    * automation-controller: Jinja2: HTML attribute injection when passing user input as keys to xmlattr     filter (CVE-2024-22195)
    * automation-controller: cryptography: NULL-dereference when loading PKCS7 certificates (CVE-2023-49083)
    * automation-controller: aiohttp: numerous issues in HTTP parser with header parsing (CVE-2023-47627)
    * automation-controller: Twisted: disordered HTTP pipeline response in twisted.web (CVE-2023-46137)
    * automation-controller: axios: exposure of confidential data stored in cookies (CVE-2023-45857)
    * automation-controller: GitPython: Blind local file inclusion (CVE-2023-41040)
    * python3-aiohttp/python39-aiohttp: http request smuggling (CVE-2024-23829)
    * python3-aiohttp/python39-aiohttp: follow_symlinks directory traversal vulnerability (CVE-2024-23334)
    * python3-django/python39-django: Potential regular expression denial-of-service in     django.utils.text.Truncator.words() (CVE-2024-27351)
    * receptor: golang-fips/openssl: Memory leaks in code encrypting and decrypting RSA payloads     (CVE-2024-1394)
    * receptor: golang: net/http/internal: Denial of Service (DoS) via Resource Consumption via HTTP requests     (CVE-2023-39326)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

    Updates and fixes for automation controller:
    * Fixed bug where schedule prompted variables and survey answers were reset on edit when changing one of     the basic form fields (AAP-20967)
    * Fixed the update execution environment image to no longer fail jobs that use the previous image     (AAP-21733)
    * Removed string validation using comparisons of English literals for comparison, replacing validation     with error/op codes as a universal approach to validation and comparison (AAP-21721)
    * Fixed dispatcher to appropriately terminate child processes when dispatcher terminates (AAP-21049)
    * Fixed upgrade from Ansible Tower 3.8.6 to AAP 2.4 to no longer fail upon database schema migration     (AAP-19738)
    * automation-controller has been updated to 4.5.5

    Updates and fixes for receptor:
    * Fixes a receptor dialing issue where the connection attempt is timed out too aggressively (AAP-21838,     AAP-21828)
    * receptor has been updated to 1.4.5

    Additional fixes:
    * ansible-core has been updated to 2.15.10
    * ansible-runner has been updated to 2.3.6
    * python3-aiohttp/python39-aiohttp has been updated to 3.9.3
    * python3-django/python39-django has been updated  4.2.11
    * python3-pulpcore/python39-pulpcore has been updated 3.28.24

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 / openSUSE 15 host has a package installed that is affected by multiple vulnerabilities as referenced in the SUSE-SU-2024:0577-1 advisory.

  - aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. The HTTP parser in AIOHTTP     has numerous problems with header parsing, which could lead to request smuggling. This parser is only used     when AIOHTTP_NO_EXTENSIONS is enabled (or not using a prebuilt wheel). These bugs have been addressed in     commit `d5c12ba89` which has been included in release version 3.8.6. Users are advised to upgrade. There     are no known workarounds for these issues. (CVE-2023-47627)

  - aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Affected versions of     aiohttp have a security vulnerability regarding the inconsistent interpretation of the http protocol.
    HTTP/1.1 is a persistent protocol, if both Content-Length(CL) and Transfer-Encoding(TE) header values are     present it can lead to incorrect interpretation of two entities that parse the HTTP and we can poison     other sockets with this incorrect interpretation. A possible Proof-of-Concept (POC) would be a     configuration with a reverse proxy(frontend) that accepts both CL and TE headers and aiohttp as backend.
    As aiohttp parses anything with chunked, we can pass a chunked123 as TE, the frontend entity will ignore     this header and will parse Content-Length. The impact of this vulnerability is that it is possible to     bypass any proxy rule, poisoning sockets to other users like passing Authentication Headers, also if it is     present an Open Redirect an attacker could combine it to redirect random users to another website and log     the request. This vulnerability has been addressed in release 3.8.0 of aiohttp. Users are advised to     upgrade. There are no known workarounds for this vulnerability. (CVE-2023-47641)

  - aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. When using aiohttp as a     web server and configuring static routes, it is necessary to specify the root path for static files.
    Additionally, the option 'follow_symlinks' can be used to determine whether to follow symbolic links     outside the static root directory. When 'follow_symlinks' is set to True, there is no validation to check     if reading a file is within the root directory. This can lead to directory traversal vulnerabilities,     resulting in unauthorized access to arbitrary files on the system, even when symlinks are not present.
    Disabling follow_symlinks and using a reverse proxy are encouraged mitigations. Version 3.9.2 fixes this     issue. (CVE-2024-23334)

  - aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Security-sensitive parts     of the Python HTTP parser retained minor differences in allowable character sets, that must trigger error     handling to robustly match frame boundaries of proxies in order to protect against injection of additional     requests. Additionally, validation could trigger exceptions that were not handled consistently with     processing of other malformed input. Being more lenient than internet standards require could, depending     on deployment environment, assist in request smuggling. The unhandled exception could cause excessive     resource consumption on the application server and/or its logging facilities. This vulnerability exists     due to an incomplete fix for CVE-2023-47627. Version 3.9.2 fixes this vulnerability. (CVE-2024-23829)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Fedora 38 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2024-0ddda4c691 advisory.

    Security update for CVE-2024-23334 and CVE-2024-23829

    https://github.com/aio-libs/aiohttp/releases/tag/v3.9.2

    https://github.com/aio-libs/aiohttp/releases/tag/v3.9.3

Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Fedora 39 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2024-f249b74f03 advisory.

    Security update for CVE-2024-23334 and CVE-2024-23829

    https://github.com/aio-libs/aiohttp/releases/tag/v3.9.2

    https://github.com/aio-libs/aiohttp/releases/tag/v3.9.3

Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
211350	Fedora 41 : python-gcsfs (2024-9e55564ca7)	Nessus	Fedora Local Security Checks	high
206686	Ubuntu 18.04 LTS / 20.04 LTS / 22.04 LTS / 24.04 LTS : AIOHTTP vulnerability (USN-6991-1)	Nessus	Ubuntu Local Security Checks	high
199805	RHEL 8 : Satellite 6.15.0 (Important) (RHSA-2024:2010)	Nessus	Red Hat Local Security Checks	high
194355	RHEL 8 : Satellite 6.14.3 Async Security Update (Moderate) (RHSA-2024:1536)	Nessus	Red Hat Local Security Checks	high
193467	RHEL 8 : RHUI 4.8 Release - Security Updates, Bug Fixes, and Enhancements (Moderate) (RHSA-2024:1878)	Nessus	Red Hat Local Security Checks	high
193086	RHEL 8 / 9 : Red Hat Ansible Automation Platform 2.4 Product Security and Bug Fix Update (Moderate) (RHSA-2024:1640)	Nessus	Red Hat Local Security Checks	high
190879	SUSE SLED15 / SLES15 / openSUSE 15 Security Update : python-aiohttp, python-time-machine (SUSE-SU-2024:0577-1)	Nessus	SuSE Local Security Checks	high
190327	Fedora 38 : python-aiohttp (2024-0ddda4c691)	Nessus	Fedora Local Security Checks	high
189985	Fedora 39 : python-aiohttp (2024-f249b74f03)	Nessus	Fedora Local Security Checks	high

Detections

Analytics

CVE-2024-23334

high

Tenable Plugins

high

high

high

high

high

high

high

high

high