The ransomware actor “ShadowSyndicate” was observed searching for servers that could be exposed to the aiohttp Python library’s directory traversal vulnerability, CVE-2024-23334.
Aiohttp is an open-source toolkit designed to manage massively concurrent HTTP requests without the need for conventional thread-based networking. It is built on top of asyncio, Python's asynchronous I/O framework.
Tech companies, web developers, data scientists, and backend engineers use it to create high-performance web applications and services that combine data gathered from numerous external APIs.
On January 28, 2024, aiohttp published version 3.9.2, which addressed CVE-2024-23334, a high-severity path traversal issue that affects aiohttp 3.9.1 and all earlier versions and enables unauthenticated remote attackers to access files on susceptible servers.
When ‘follow_symlinks’ is set to ‘True’ for static routes, there is insu
[…]
Content was cut in order to protect the source. Please visit the source for the rest of the article.
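A defensive check for the condition described above, as an added example that is not part of the original article or aiohttp's own code: it flags static routes registered with `follow_symlinks` enabled and compares an installed version against the fixed release 3.9.2. The function names and the sample application source are constructed for illustration; `add_static` and `web.static` are aiohttp's static-route helpers.

```python
import ast
import re

FIXED = (3, 9, 2)                        # first release with the fix, per the article
STATIC_CALLS = {"add_static", "static"}  # aiohttp static-route helpers

def parse_version(text):
    """Turn '3.9.1' into (3, 9, 1). Pre-release suffixes such as 'rc1' are ignored."""
    nums = [int(n) for n in re.findall(r"\d+", text)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))

def is_affected(version):
    return parse_version(version) < FIXED

def find_symlink_static_routes(source):
    """Return sorted (line, call) pairs for static routes whose follow_symlinks
    argument is anything other than the literal False (variables need review too)."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        name = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", None)
        if name not in STATIC_CALLS:
            continue
        for kw in node.keywords:
            if kw.arg != "follow_symlinks":
                continue
            literal_false = isinstance(kw.value, ast.Constant) and kw.value.value is False
            if not literal_false:
                findings.append((node.lineno, name))
    return sorted(findings)

def audit(source, installed_version):
    routes = find_symlink_static_routes(source)
    affected = is_affected(installed_version)
    return {"affected_version": affected, "routes": routes,
            "exposed": affected and bool(routes)}

# Constructed sample application source, not taken from any real project.
SAMPLE = '''\
from aiohttp import web
app = web.Application()
app.router.add_static("/static", "static/", follow_symlinks=True)
app.add_routes([web.static("/media", "media/", follow_symlinks=DEBUG)])
app.router.add_static("/docs", "docs/")
app.router.add_static("/img", "img/", follow_symlinks=False)
'''

if __name__ == "__main__":
    print(audit(SAMPLE, "3.9.1"))
```

A route flagged on a fixed version is still worth reviewing, since serving files through symlinks widens what the static directory can expose.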
This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents