Rasa · Rasa · CVE-2021-41127
**Name of the Vulnerable Software and Affected Versions**
Rasa versions prior to 2.8.10
**Description**
A vulnerability exists in the functionality that loads a trained model `tar.gz` file: archive entries are extracted without being checked against the directory the model is meant to land in, so a malicious actor can craft a `model.tar.gz` whose member paths escape that directory and overwrite or replace bot files in the bot directory. This is an archive path-traversal ("tar slip") issue; it gives an attacker arbitrary write capability within specific directories on the host using nothing more than a maliciously crafted archive file, which in a deployed bot can mean replacing configuration, domain or action files that the running instance later reads.
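The pattern behind this class of bug, and the containment check that closes it, as an added example. This is not Rasa's code: the archive layout (`metadata.json` plus a `../config.yml` entry), the `naive_load_model` loader and the `safe_load_model` loader are constructed here for illustration, and the sample archive is built in memory so the script runs offline in a throwaway directory.

```python
"""Archive path traversal ("tar slip") in a model loader, beside a hardened loader.

Added example; not Rasa's code. Archive contents, loader names and directory
layout are assumptions made for illustration.
"""
import io
import os
import tarfile
import tempfile
from pathlib import Path
from typing import Dict, List


def build_model_archive(include_traversal: bool = True) -> bytes:
    """Build an in-memory model.tar.gz (constructed sample input).

    One member is a plausible model file; the optional second member carries a
    `../` name so that a loader which joins member names onto the extraction
    directory writes one level above it.
    """
    members = [("metadata.json", b'{"rasa_version": "2.8.9"}')]          # benign member
    if include_traversal:
        members.append(("../config.yml", b"# attacker-controlled bot config\n"))  # traversal member
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, payload in members:
            info = tarfile.TarInfo(name=name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def naive_load_model(archive: bytes, target_dir: str) -> List[str]:
    """Vulnerable pattern: trust member names and join them straight onto target_dir."""
    written = []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            dest = os.path.join(target_dir, member.name)  # no normalisation, no containment check
            os.makedirs(os.path.dirname(dest), exist_ok=True)
            with open(dest, "wb") as fh:
                fh.write(tar.extractfile(member).read())
            written.append(os.path.abspath(dest))
    return written


def _inside(base: Path, candidate: Path) -> bool:
    """True if candidate, after normalising `..` and following existing symlinks, stays under base."""
    try:
        candidate.resolve().relative_to(base.resolve())
        return True
    except ValueError:
        return False


def safe_load_model(archive: bytes, target_dir: str) -> List[str]:
    """Hardened loader: validate every member first, write only if all of them pass.

    Rejects absolute names, names that resolve outside target_dir, symlinks or
    hard links whose targets leave target_dir, and members that are neither
    regular files nor directories (devices, FIFOs).
    """
    base = Path(target_dir)
    base.mkdir(parents=True, exist_ok=True)
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        members = tar.getmembers()
        for m in members:
            if os.path.isabs(m.name) or not _inside(base, base / m.name):
                raise ValueError(f"member escapes model directory: {m.name!r}")
            if m.issym() or m.islnk():
                # symlink targets are relative to the member's directory; hard links to the archive root
                link_target = base / m.linkname if m.islnk() else (base / m.name).parent / m.linkname
                if os.path.isabs(m.linkname) or not _inside(base, link_target):
                    raise ValueError(f"link target escapes model directory: {m.name!r} -> {m.linkname!r}")
            elif not (m.isfile() or m.isdir()):
                raise ValueError(f"unsupported member type: {m.name!r}")
        for m in members:  # every member validated; now extract
            tar.extract(m, path=str(base))
    return [m.name for m in members]


def demo() -> Dict[str, object]:
    """Run both loaders against the crafted archive inside a temporary bot directory."""
    crafted = build_model_archive(include_traversal=True)
    clean = build_model_archive(include_traversal=False)
    with tempfile.TemporaryDirectory() as tmp:
        models = Path(tmp) / "bot" / "models"
        naive_load_model(crafted, str(models / "naive"))
        naive_escaped = (models / "config.yml").exists()  # landed beside the model dir, not in it
        safe_target = models / "safe"
        try:
            safe_load_model(crafted, str(safe_target))
            safe_rejected = False
        except ValueError:
            safe_rejected = True
        return {
            "naive_escaped": naive_escaped,
            "safe_rejected": safe_rejected,
            "safe_wrote_nothing": not any(safe_target.iterdir()),
            "clean_members": safe_load_model(clean, str(models / "clean")),
        }


if __name__ == "__main__":
    print(demo())
```

The important design choice in `safe_load_model` is the two-pass shape: every member is checked before any is written, so a rejected archive leaves the model directory untouched rather than half-populated. Resolving paths with `Path.resolve()` before the containment test also catches a symlink that an earlier member planted and a later member writes through. On Python 3.12 and later, `tarfile` ships the same policy as a built-in filter (`tar.extractall(path, filter="data")`), which is the simpler option when the interpreter version allows it.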
**Recommendations**
For versions prior to 2.8.10, update to Rasa 2.8.10 to fix the vulnerability.
As a temporary workaround for users unable to update, ensure that only trusted model files are uploaded or loaded, and restrict access to the CLI and to API endpoints that accept model archives, since these are the paths through which a malicious actor could target a deployed Rasa instance.