TencentOS Server 4: python-aiohttp (TSSA-2024:0266)

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Tencent Linux Security Advisory TSSA-2024:0266.
##

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(239510);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2025/11/20");

  script_cve_id(
    "CVE-2024-23334",
    "CVE-2024-23829",
    "CVE-2024-27306",
    "CVE-2024-30251"
  );

  script_name(english:"TencentOS Server 4: python-aiohttp (TSSA-2024:0266)");

  script_set_attribute(attribute:"synopsis", value:
"The remote TencentOS Server 4 host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The version of Tencent Linux installed on the remote TencentOS Server 4 host is prior to tested version. It is,
therefore, affected by multiple vulnerabilities as referenced in the TSSA-2024:0266 advisory.

    Package updates are available for TencentOS Server 4 that fix the following vulnerabilities:

    CVE-2024-30251:
    aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In affected versions an
    attacker can send a specially crafted POST (multipart/form-data) request. When the aiohttp server
    processes it, the server will enter an infinite loop and be unable to process any further requests. An
    attacker can stop the application from serving requests after sending a single request. This issue has
    been addressed in version 3.9.4. Users are advised to upgrade. Users unable to upgrade may manually apply
    a patch to their systems. Please see the linked GHSA for instructions.

    CVE-2024-27306:
    aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. A XSS vulnerability exists
    on index pages for static file handling. This vulnerability is fixed in 3.9.4. We have always recommended
    using a reverse proxy server (e.g. nginx) for serving static files. Users following the recommendation are
    unaffected. Other users can disable `show_index` if unable to upgrade.

    CVE-2024-23829:
    aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Security-sensitive parts
    of the Python HTTP parser retained minor differences in allowable character sets, that must trigger error
    handling to robustly match frame boundaries of proxies in order to protect against injection of additional
    requests. Additionally, validation could trigger exceptions that were not handled consistently with
    processing of other malformed input.  Being more lenient than internet standards require could, depending
    on deployment environment, assist in request smuggling. The unhandled exception could cause excessive
    resource consumption on the application server and/or its logging facilities. This vulnerability exists
    due to an incomplete fix for CVE-2023-47627. Version 3.9.2 fixes this vulnerability.

    CVE-2024-23334:
    aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. When using aiohttp as a
    web server and configuring static routes, it is necessary to specify the root path for static files.
    Additionally, the option 'follow_symlinks' can be used to determine whether to follow symbolic links
    outside the static root directory. When 'follow_symlinks' is set to True, there is no validation to check
    if reading a file is within the root directory. This can lead to directory traversal vulnerabilities,
    resulting in unauthorized access to arbitrary files on the system, even when symlinks are not present.
    Disabling follow_symlinks and using a reverse proxy are encouraged mitigations.  Version 3.9.2 fixes this
    issue.

Tenable has extracted the preceding description block directly from the Tencent Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://mirrors.tencent.com/tlinux/errata/tssa-20240266.xml");
  script_set_attribute(attribute:"solution", value:
"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss4_vector", value:"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N");
  script_set_attribute(attribute:"cvss4_threat_vector", value:"CVSS:4.0/E:P");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2024-23334");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2024/07/15");
  script_set_attribute(attribute:"patch_publication_date", value:"2024/07/15");
  script_set_attribute(attribute:"plugin_publication_date", value:"2025/06/16");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:tencent:tencentos_server:4");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:tencent:tencentos_server:python-aiohttp");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Tencent Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2025 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info2.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/etc/os-release", "Host/TencentOS/rpm-list", "Host/cpu");

  exit(0);
}


include('rpm2.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_product = get_kb_item('installed_os/local/SSH/0/product');
if (isnull(os_product) || 'TencentOS' >!< os_product) audit(AUDIT_OS_NOT, 'TencentOS');
var os_version = get_kb_item('installed_os/local/SSH/0/version');
if (isnull(os_version)) audit(AUDIT_UNKNOWN_APP_VER, 'TencentOS');
if (! preg(pattern:"^4([^0-9]|$)", string:os_version)) audit(AUDIT_OS_NOT, 'TencentOS 4.x', 'TencentOS ' + os_version);

if (!get_kb_item('Host/TencentOS/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'TencentOS', cpu);

var constraints = [
  {
    'release': '4',
    'pkgs': [
      {'reference':'python-aiohttp-debugsource-3.9.5-1.tl4', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'python-aiohttp-debugsource-3.9.5-1.tl4', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'python3-aiohttp-3.9.5-1.tl4', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'python3-aiohttp-3.9.5-1.tl4', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'python3-aiohttp-debuginfo-3.9.5-1.tl4', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'python3-aiohttp-debuginfo-3.9.5-1.tl4', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE}
    ]
  }
];

var os_release = get_one_kb_item('installed_os/local/SSH/0/release');
var os_sp = get_one_kb_item('Host/*/minor_release');

var flag = 0;
var reference;
var sp;
var _cpu;
var el_string;
var rpm_spec_vers_cmp;
var epoch;
var allowmaj;
var exists_check;
var cves;
foreach var constraint ( constraints ) {
  # Check that the target release is equal to the affected release
  if (!empty_or_null(constraint['release'])){
    if (constraint['release'] != os_release) continue;
  }
  if (!empty_or_null(constraint['sp'])){
    if (constraint['sp'] != os_sp) continue;
  }
  foreach var pkg ( constraint['pkgs'] ) {
    reference = NULL;
    sp = NULL;
    _cpu = NULL;
    el_string = NULL;
    rpm_spec_vers_cmp = NULL;
    epoch = NULL;
    allowmaj = NULL;
    exists_check = NULL;
    cves = NULL;
    if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];
    if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];
    if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (reference &&
        ## (no known rpm to check OR known rpm_exists)
        (!exists_check || rpm_exists(rpm:exists_check)) &&
        rpm_check(sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
  }
}

if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'python-aiohttp-debugsource / python3-aiohttp / python3-aiohttp-debuginfo');
}