WARNING: VULNERABILITY IN AIOHTTP FRAMEWORK ACTIVELY EXPLOITED AFTER POC RELEASE
Reference:
Advisory #2024-44
Version:
1.0
Affected software:
aiohttp < 3.9.2
Type:
Directory traversal vulnerability
CVE/CVSS:
CVE-2024-23334: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Date:
15/03/2024
Sources
https://nvd.nist.gov/vuln/detail/CVE-2024-23334
Risks
"aiohttp" is an asynchronous HTTP client/server framework for asyncio and Python. All versions below 3.9.2 have a vulnerability (CVE-2024-23334) that can lead to unauthorized access to arbitrary files on the system. Successful exploitation could have an impact on data confidentiality.
A proof-of-concept (PoC) was reportedly released in late February 2024, for both Windows and Linux. Active scanning for CVE-2024-23334 was observed after the PoC was published, including by known ransomware groups.
Description
CVE-2024-23334 is a directory traversal vulnerability in aiohttp's server-side static file handling. When a static route is registered with the option follow_symlinks=True, affected versions do not verify that the resolved file lies inside the configured root directory, so a request path containing ".." segments can read arbitrary files that the server process has access to; no symbolic link needs to exist for this to work. The default setting, follow_symlinks=False, is not affected, so disabling the option is an interim mitigation for deployments that cannot upgrade immediately.
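The following is an added illustration, not aiohttp's code and not part of the original advisory. It models the flaw with two resolver functions over a constructed directory tree: resolve_unchecked is a hypothetical, simplified stand-in for the vulnerable behaviour (join the request path to the root, resolve it, serve whatever comes back), and resolve_checked shows the containment checks a static file handler needs, with the follow_symlinks parameter deciding whether symlink targets outside the root are tolerated. The temporary directory, file names and the "../secret.txt" request are all assumptions made for the demonstration.

```python
import os
import tempfile
from pathlib import Path


def make_demo_tree() -> tuple[Path, Path]:
    """Constructed layout for the demonstration (not a real deployment):
    a static root with one legitimate file, and a secret file one level
    above it that the server must never serve."""
    base = Path(tempfile.mkdtemp(prefix="cve_2024_23334_demo_"))
    static_root = base / "static"
    static_root.mkdir()
    (static_root / "app.js").write_text("console.log('ok');\n")
    secret = base / "secret.txt"
    secret.write_text("TOP SECRET\n")
    return static_root, secret


def resolve_unchecked(static_root: Path, url_path: str) -> Path:
    """Hypothetical model of the vulnerable behaviour: the request path is
    joined to the root and resolved, and the result is served without any
    check that it still lies under the root. '..' segments therefore walk
    out of the directory even when no symlink exists."""
    return static_root.joinpath(url_path).resolve()


def resolve_checked(static_root: Path, url_path: str,
                    follow_symlinks: bool = False) -> Path:
    """Hardened resolution. Raises PermissionError for absolute request
    paths and ValueError for any path that escapes the static root."""
    root = static_root.resolve()
    if Path(url_path).anchor:
        raise PermissionError(f"absolute path rejected: {url_path}")
    joined = root / url_path
    if follow_symlinks:
        # Normalise lexically first so '..' cannot leave the root; a symlink
        # the operator placed inside the root may still point outside it.
        normalized = Path(os.path.normpath(joined))
        normalized.relative_to(root)      # ValueError if it escaped
        return normalized.resolve()
    # Without follow_symlinks the fully resolved target must stay inside.
    real = joined.resolve()
    real.relative_to(root)                # ValueError if it escaped
    return real


def demo(url_path: str = "../secret.txt") -> dict:
    """Push a traversal path through both resolvers and report the outcome."""
    static_root, secret = make_demo_tree()
    result = {}
    result["unchecked_serves_secret"] = (
        resolve_unchecked(static_root, url_path) == secret.resolve()
    )
    try:
        resolve_checked(static_root, url_path, follow_symlinks=True)
        result["checked_blocks_traversal"] = False
    except ValueError:
        result["checked_blocks_traversal"] = True
    result["checked_serves_legit_file"] = (
        resolve_checked(static_root, "app.js", follow_symlinks=True)
        == (static_root / "app.js").resolve()
    )
    return result


if __name__ == "__main__":
    print(demo())
```

The order of operations in the hardened branch is the point: the lexical check on the normalised path has to happen before any symlink resolution, otherwise a ".." sequence is collapsed away and the root check passes against a path that already left the directory.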
Recommended Actions
Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable systems with the highest priority, after thorough testing. Updating aiohttp to version 3.9.2 or later fixes the flaw.
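To find out whether a host or code base is affected, the added check below (example code, not the CCB's or the aiohttp project's) compares the installed aiohttp version against 3.9.2 and scans Python source for static routes that pass follow_symlinks=True, which is the setting that makes the flaw reachable. The SAMPLE_APP source is constructed for the demonstration; run find_follow_symlinks over your own files to audit a real deployment.

```python
import ast
import re
from importlib import metadata

FIXED_VERSION = (3, 9, 2)

# major.minor.patch with an optional pre-release tag such as 'b0' or 'rc1'
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?P<pre>(?:a|b|rc)\d+)?")


def version_is_vulnerable(version: str) -> bool:
    """True when an aiohttp version string predates the 3.9.2 fix."""
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    numeric = tuple(int(x) for x in m.group(1, 2, 3))
    if numeric < FIXED_VERSION:
        return True
    # A pre-release of the fix version (e.g. 3.9.2b0) still predates the fix.
    return numeric == FIXED_VERSION and m.group("pre") is not None


def installed_aiohttp_status() -> str:
    """Report the aiohttp version installed in the current interpreter."""
    try:
        version = metadata.version("aiohttp")
    except metadata.PackageNotFoundError:
        return "aiohttp: not installed"
    state = ("VULNERABLE, upgrade to >= 3.9.2"
             if version_is_vulnerable(version) else "patched")
    return f"aiohttp {version}: {state}"


def find_follow_symlinks(source: str, filename: str = "<source>") -> list:
    """Return (line number, callee) for every call in the given Python
    source that passes follow_symlinks=True. This catches both
    app.router.add_static(...) and web.static(...). It is an audit aid
    for the interim mitigation, not a substitute for upgrading."""
    hits = []
    for node in ast.walk(ast.parse(source, filename)):
        if not isinstance(node, ast.Call):
            continue
        for kw in node.keywords:
            if (kw.arg == "follow_symlinks"
                    and isinstance(kw.value, ast.Constant)
                    and kw.value.value is True):
                hits.append((node.lineno, ast.unparse(node.func)))
    return hits


# Constructed application source for the demonstration (not a real app).
SAMPLE_APP = '''
from aiohttp import web

app = web.Application()
app.router.add_static("/static/", path="./static", follow_symlinks=True)
app.add_routes([web.static("/assets/", "./assets")])
app.router.add_static("/docs/", path="./docs", follow_symlinks=False)
'''


if __name__ == "__main__":
    print(installed_aiohttp_status())
    for line, callee in find_follow_symlinks(SAMPLE_APP, "sample_app.py"):
        print(f"sample_app.py:{line}: {callee}(... follow_symlinks=True)")
```

The version check is deliberately conservative: a pre-release tag on 3.9.2 itself is reported as vulnerable because it was built before the fix was released.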
Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.
In case of an intrusion, you can report an incident via: https://cert.be/en/report-incident
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.
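One way to look for past exploitation attempts is to scan web server access logs for request paths under a static prefix that, once percent-decoding and normalisation are applied, escape that prefix. The following is an added example, not part of the advisory: the log lines are constructed in Combined Log Format, the static prefix /static/ is an assumption, and the "likely_success" flag is a triage heuristic (a 200 response with a non-zero body to a traversal path), not proof of compromise.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed access-log lines for the demonstration (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [15/Mar/2024:10:01:12 +0100] "GET /static/app.js HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.5 - - [15/Mar/2024:10:01:13 +0100] "GET /static/../../etc/passwd HTTP/1.1" 200 2410 "-" "python-requests/2.31"
198.51.100.7 - - [15/Mar/2024:10:02:40 +0100] "GET /static/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 404 0 "-" "curl/8.4.0"
198.51.100.7 - - [15/Mar/2024:10:02:41 +0100] "GET /static/..%252f..%252fetc/shadow HTTP/1.1" 404 0 "-" "curl/8.4.0"
192.0.2.9 - - [15/Mar/2024:10:03:00 +0100] "GET /static/css/../main.css HTTP/1.1" 200 804 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)


def fully_decode(path: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded '..' (%252e) is caught."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def escapes_prefix(raw_path: str, prefix: str = "/static/") -> bool:
    """True when a request under the static prefix normalises to a path
    outside it. '..' that stays inside the prefix is not flagged."""
    path = fully_decode(raw_path.split("?", 1)[0])
    if not path.startswith(prefix):
        return False
    normalized = posixpath.normpath(path)
    return not (normalized == prefix.rstrip("/") or normalized.startswith(prefix))


def scan_log(text: str, prefix: str = "/static/") -> list:
    """Return one finding per log line whose request path escapes the prefix."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or not escapes_prefix(m["path"], prefix):
            continue
        status = int(m["status"])
        size = int(m["size"]) if m["size"].isdigit() else 0
        findings.append({
            "ip": m["ip"],
            "timestamp": m["ts"],
            "path": m["path"],
            "status": status,
            "likely_success": status == 200 and size > 0,
        })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        verdict = "LIKELY READ" if f["likely_success"] else "probe"
        print(f'{f["timestamp"]} {f["ip"]} {f["status"]} {verdict}: {f["path"]}')
```

A hit with a 200 status and a body on a server that was unpatched at that time should be treated as a probable file read and escalated, since the patch alone does not undo it.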