CVE-2024-21542: Versions of the package luigi before 3.6.0 are vulnerable to Arbitrary File Write via Archive Extraction (Zip Slip) due to improper destination...

7.7 CVSS

Description

Versions of the package luigi before 3.6.0 are vulnerable to Arbitrary File Write via Archive Extraction (Zip Slip) due to improper destination file path validation in the _extract_packages_archive function.
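As an added illustration, not luigi's own code, the following routine performs the destination-path validation the description refers to: every archive member's target path is resolved and checked against the extraction directory before anything is written, and link entries are refused. The sample archives are constructed in memory.

```python
import io
import os
import tarfile
import tempfile

def is_within_directory(directory: str, target: str) -> bool:
    """True only if target resolves to a location inside directory."""
    abs_dir = os.path.realpath(directory)
    return os.path.commonpath([abs_dir, os.path.realpath(target)]) == abs_dir

def safe_extract(archive_bytes: bytes, dest: str) -> list:
    """Extract a tar archive into dest; reject it whole if any member escapes (Zip Slip)."""
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tar:
        members = tar.getmembers()
        # Validate every member first so a bad entry cannot partially extract.
        for m in members:
            if m.issym() or m.islnk():
                raise ValueError(f"links are not allowed: {m.name!r}")
            if not is_within_directory(dest, os.path.join(dest, m.name)):
                raise ValueError(f"path traversal in member: {m.name!r}")
        for m in members:
            tar.extract(m, dest)
        return [m.name for m in members]

def build_archive(entries: dict) -> bytes:
    """Constructed sample input: in-memory tar built from {name: text}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, text in entries.items():
            data = text.encode()
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def demo() -> tuple:
    """Benign archive extracts; traversal archive is rejected and writes nothing outside."""
    benign = build_archive({"pkg/__init__.py": "# ok\n"})
    hostile = build_archive({"pkg/mod.py": "# ok\n", "../escaped.py": "# bad\n"})
    with tempfile.TemporaryDirectory() as dest:
        extracted = safe_extract(benign, dest)
        try:
            safe_extract(hostile, dest)
            blocked = False
        except ValueError:
            blocked = True
        escaped = os.path.exists(os.path.join(dest, "..", "escaped.py"))
    return extracted, blocked, escaped
```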

Classification

CVE ID: CVE-2024-21542

CVSS Base Severity: HIGH

CVSS Base Score: 7.7

Affected Products

Vendor: n/a

Product: luigi

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.05% (probability of being exploited)

EPSS Percentile: 17.85% (share of scored vulnerabilities with an EPSS score less than or equal to this one)

EPSS Date: 2025-02-03 (date this score was calculated)

References

https://security.snyk.io/vuln/SNYK-PYTHON-LUIGI-7830489
https://github.com/spotify/luigi/issues/3301
https://github.com/spotify/luigi/commit/b5d1b965ead7d9f777a3216369b5baf23ec08999
https://github.com/spotify/luigi/releases/tag/v3.6.0

Timeline