PT-2024-36562 · Unknown · Python-Libarchive
Csirttrizna · Published 2024-12-11 · Updated 2024-12-15 · CVE-2024-55587
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
python-libarchive versions 4.2.1 and earlier
Description
The issue is a directory traversal in the extract routine of zip.py that backs the ZipFile.extractall and ZipFile.extract functions. Entry names taken from the archive are not confined to the extraction directory, so a crafted zip file can create files outside the intended directory.
Recommendations
For python-libarchive versions 4.2.1 and earlier, update to a version that contains a fix for this issue. As a temporary workaround, restrict use of the ZipFile.extractall and ZipFile.extract functions until a patch is available, and do not call them on untrusted zip files.
Fix
Path traversal
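The check a caller can apply before handing an untrusted archive to any extractor, as an added example that is not python-libarchive's code: it uses the standard library zipfile module (not the zip.py ZipFile class named above) to build a constructed sample archive and flags every entry whose resolved target would leave the destination directory.

```python
"""Pre-extraction containment check for zip entry names (constructed example)."""
import io
import os
import zipfile
from typing import List


def is_contained(dest: str, member_name: str) -> bool:
    """True if writing `member_name` under `dest` cannot land outside `dest`.

    realpath() normalises '..' components, a leading '/' in the entry name
    and a symlinked destination directory before the prefix comparison.
    """
    dest_real = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest_real, member_name))
    return target == dest_real or target.startswith(dest_real + os.sep)


def unsafe_members(names: List[str], dest: str) -> List[str]:
    """Return the entry names that would escape `dest`, in archive order."""
    return [name for name in names if not is_contained(dest, name)]


def safe_extractall(zf: zipfile.ZipFile, dest: str) -> List[str]:
    """Refuse the whole archive if any entry escapes; otherwise extract all."""
    bad = unsafe_members(zf.namelist(), dest)
    if bad:
        raise ValueError("refusing archive with traversal entries: %r" % bad)
    zf.extractall(dest)
    return zf.namelist()


def build_sample_archive() -> bytes:
    """Constructed in-memory archive: one benign entry and one '../' entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "hello\n")
        zf.writestr("../escape.txt", "would be written outside the target\n")
    return buf.getvalue()


def scan_archive(data: bytes, dest: str) -> List[str]:
    """Open archive bytes and report the entries that would escape `dest`."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return unsafe_members(zf.namelist(), dest)


if __name__ == "__main__":
    # Hypothetical destination; nothing is written to disk by scan_archive().
    print(scan_archive(build_sample_archive(), "/tmp/extract-here"))
```

The check inspects names only; an extractor that also materialises symlink entries needs a separate check on link targets.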
Weakness Enumeration
Related Identifiers
Affected Products: Python-Libarchive