CVE-2024-21542 – luigi
Package
Manager: pip
Name: luigi
Vulnerable Version: >=0 <3.6.0
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS: 0.02514 (percentile 0.84828)
Details
luigi Arbitrary File Write via Archive Extraction (Zip Slip)
Versions of the package luigi before 3.6.0 are vulnerable to Arbitrary File Write via Archive Extraction (Zip Slip) due to improper destination file path validation in the _extract_packages_archive function.
Metadata
Created: 2024-12-10T06:31:40Z
Modified: 2025-02-11T00:36:39Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/12/GHSA-8qch-vj6m-2694/GHSA-8qch-vj6m-2694.json
CWE IDs: ["CWE-22", "CWE-29"]
Alternative ID: GHSA-8qch-vj6m-2694
Finding: F063
Auto approve: 1