CVE-2019-14751

Name of the Vulnerable Software and Affected Versions NLTK Downloader versions prior to 3.4.5

Description The issue is related to a directory traversal vulnerability, allowing attackers to write arbitrary files via a ../ (dot dot slash) in an NLTK package (ZIP archive) that is mishandled during extraction. This is due to the incorrect restriction of the directory path name with limited access in the unzip iter() function of the NLTK package loader. The exploitation of this issue may allow a remote attacker to record arbitrary files.

Recommendations For versions prior to 3.4.5, update to version 3.4.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the unzip iter() function until a patch is available. Avoid using the ../ (dot dot slash) in NLTK package ZIP archives to minimize the risk of exploitation.