CVE-2024-21542: luigi Arbitrary File Write via Archive Extraction (Zip Slip)
Versions of the package luigi before 3.6.0 are vulnerable to Arbitrary File Write via Archive Extraction (Zip Slip) due to improper destination file path validation in the _extract_packages_archive function.
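The defect class named above is a missing destination check: an extraction loop joins the entry name taken from the archive onto the destination directory and writes there, so an entry name containing ".." or an absolute path lands outside the intended tree. The following is an added example written for this page, not luigi's own code or its fix; the function names (safe_member_path, extract_zip_safely), the in-memory sample archives and the temp directory are constructed for illustration. It shows the validation that closes the gap: resolve each entry under the destination, refuse anything that escapes, and do so for every entry before writing a single file.

```python
import io
import os
import tempfile
import zipfile


class UnsafeArchiveMember(ValueError):
    """Raised when an archive entry would land outside the destination directory."""


def safe_member_path(dest_dir, member_name):
    """Resolve member_name under dest_dir and reject any entry that escapes it.

    This is the check a Zip Slip bug lacks: the archive controls the entry name,
    so '../' components or absolute names would otherwise be honoured by a naive
    os.path.join followed by a write.
    """
    dest_root = os.path.realpath(dest_dir)
    # An absolute entry name would make os.path.join discard dest_dir entirely.
    if os.path.isabs(member_name):
        raise UnsafeArchiveMember(f"absolute path in archive: {member_name!r}")
    target = os.path.realpath(os.path.join(dest_root, member_name))
    # commonpath (not startswith) so '/tmp/dest-other' is not mistaken for '/tmp/dest'.
    if os.path.commonpath([dest_root, target]) != dest_root:
        raise UnsafeArchiveMember(f"path traversal in archive: {member_name!r}")
    return target


def extract_zip_safely(archive_bytes, dest_dir):
    """Extract a zip archive, validating every destination path first.

    Returns the list of member names that were written, in archive order.
    """
    written = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        # Validate all entries before writing anything, so one bad entry in the
        # middle of the archive cannot leave a partially extracted tree behind.
        planned = [(info, safe_member_path(dest_dir, info.filename))
                   for info in zf.infolist()]
        for info, target in planned:
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(info.filename)
    return written


def build_zip(entries):
    """Build an in-memory zip from {name: bytes}; used only to construct test input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample archives (not taken from the advisory): one benign package
# layout and one carrying a traversal entry of the kind the check must refuse.
BENIGN_ZIP = build_zip({"pkg/__init__.py": b"", "pkg/mod.py": b"x = 1\n"})
TRAVERSAL_ZIP = build_zip({"pkg/ok.py": b"", "../outside.txt": b"escaped\n"})


def demo():
    """Extract both archives into a fresh temp dir; report what was written or refused."""
    with tempfile.TemporaryDirectory() as dest:
        written = extract_zip_safely(BENIGN_ZIP, dest)
        try:
            extract_zip_safely(TRAVERSAL_ZIP, dest)
            refused = None
        except UnsafeArchiveMember as exc:
            refused = str(exc)
        # Nothing may appear beside the destination directory.
        escaped = os.path.exists(os.path.join(os.path.dirname(dest), "outside.txt"))
    return written, refused, escaped


if __name__ == "__main__":
    print(demo())
```

The validate-then-write ordering matters: a loop that checks each entry as it goes still leaves earlier entries on disk when a later one is rejected, which is an awkward state for an installer or task runner to recover from. The same safe_member_path check applies unchanged to tar members, whose names can also carry ".." or absolute paths.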
References
- github.com/advisories/GHSA-8qch-vj6m-2694
- github.com/pypa/advisory-database/tree/main/vulns/luigi/PYSEC-2024-159.yaml
- github.com/spotify/luigi
- github.com/spotify/luigi/commit/b5d1b965ead7d9f777a3216369b5baf23ec08999
- github.com/spotify/luigi/issues/3301
- github.com/spotify/luigi/releases/tag/v3.6.0
- nvd.nist.gov/vuln/detail/CVE-2024-21542
- security.snyk.io/vuln/SNYK-PYTHON-LUIGI-7830489