Severity: Critical

Package: aim

Arbitrary File Overwrite via Malicious Tarfile Extraction

A vulnerability in aim version 3.19.3 allows an attacker to exploit the `tarfile.extractall()` function to overwrite arbitrary files on the host server. This issue was patched in a subsequent release.

Available publicly on Aug 02 2024

CVSS score: 9.1

CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Credit:

patrik-ha
Remediation Steps
  • Update to the latest version of the software where this vulnerability has been patched.
  • Avoid using tarfile.extractall() with untrusted tarfiles.
  • Implement validation checks to ensure that extracted paths do not traverse outside the intended directory.
  • Use a secure extraction method that handles path traversal attacks.
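One way to implement the path-validation step above, as an added example that is not code from the aim project or from this advisory. It builds a constructed archive containing one legitimate member and two traversal attempts (a `../` name and an absolute name), then extracts only members whose resolved path stays inside the destination and which are regular files or directories. The function names, the sample member names and the temporary destination directory are illustrative assumptions. On Python 3.12+ (and the backported security releases of 3.8 to 3.11), `tarfile.extractall(path, filter="data")` performs equivalent checks natively; the explicit version below shows what that check has to do.

```python
import io
import tarfile
import tempfile
from pathlib import Path


def build_sample_archive() -> bytes:
    """Constructed in-memory tar with one benign member and two traversal attempts."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, payload in [
            ("report/summary.txt", b"ok\n"),            # legitimate relative path
            ("../../outside.txt", b"overwrite me\n"),   # parent-directory traversal
            ("/tmp/absolute.txt", b"absolute path\n"),  # absolute member name
        ]:
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def safe_extract(archive: bytes, dest: str) -> dict:
    """Extract only members that resolve inside `dest`; report what was skipped."""
    base = Path(dest).resolve()
    base.mkdir(parents=True, exist_ok=True)
    result = {"extracted": [], "rejected": []}
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:*") as tar:
        for member in tar.getmembers():
            # resolve() collapses "..", and joining an absolute member name
            # discards `base` entirely, so both attack shapes land outside base.
            target = (base / member.name).resolve()
            if target != base and base not in target.parents:
                result["rejected"].append(member.name)
                continue
            if member.isdir():
                target.mkdir(parents=True, exist_ok=True)
            elif member.isfile():
                target.parent.mkdir(parents=True, exist_ok=True)
                with tar.extractfile(member) as src, open(target, "wb") as dst:
                    dst.write(src.read())
            else:
                # Symlinks, hard links, devices and fifos are not needed for a
                # data archive and are the usual second route out of `dest`.
                result["rejected"].append(member.name)
                continue
            result["extracted"].append(member.name)
    return result


def demo() -> dict:
    """Run the check against the constructed archive in a fresh temp directory."""
    tmp = Path(tempfile.mkdtemp())
    dest = tmp / "a" / "out"            # two levels deep so "../../" maps to `tmp`
    result = safe_extract(build_sample_archive(), str(dest))
    result["summary"] = (dest / "report" / "summary.txt").read_bytes()
    result["outside_exists"] = (tmp / "outside.txt").exists()
    return result


if __name__ == "__main__":
    print(demo())
```

The rejection list is returned rather than silently dropped so that a caller can log each refused member name; a traversal attempt in an uploaded archive is worth an alert, not just a skipped file.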
Patch Details
  • Fixed Version: N/A
  • Patch Commit: N/A