CVE-2024-21542

Name of the Vulnerable Software and Affected Versions: luigi versions prior to 3.6.0

Description: The issue is related to improper destination file path validation in the extract packages archive function, which can lead to arbitrary file write via archive extraction, also known as Zip Slip. This vulnerability can be exploited by a remote attacker using a specially crafted zip archive, potentially allowing them to execute arbitrary code.

Recommendations: For versions prior to 3.6.0, update to version 3.6.0 or later to resolve the issue. As a temporary workaround, consider disabling the extract packages archive function until a patch is available. Restrict access to the archive extraction handler to minimize the risk of exploitation. Avoid using the vulnerable function to extract archives from untrusted sources until the issue is resolved.