Vulnerability Description
Versions of the package luigi before 3.6.0 are vulnerable to Arbitrary File Write via Archive Extraction (Zip Slip) due to improper destination file path validation in the _extract_packages_archive function.
CVSS Score
8.6
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
Related Weaknesses (CWE)
References
- https://github.com/L3ster1337/Poc-CVE-2024-21542
- https://github.com/spotify/luigi/commit/b5d1b965ead7d9f777a3216369b5baf23ec08999
- https://github.com/spotify/luigi/issues/3301
- https://github.com/spotify/luigi/releases/tag/v3.6.0
- https://security.snyk.io/vuln/SNYK-PYTHON-LUIGI-7830489
FAQ
What is CVE-2024-21542?
CVE-2024-21542 is a vulnerability with a CVSS score of 8.6 (HIGH). Versions of the package luigi before 3.6.0 are vulnerable to Arbitrary File Write via Archive Extraction (Zip Slip) due to improper destination file path validation in the _extract_packages_archive fu...
How severe is CVE-2024-21542?
CVE-2024-21542 has been rated HIGH with a CVSS base score of 8.6/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2024-21542?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.