CVE-2024-39303

2024-07-0119:15:05

CWE-73

[email protected]

web.nvd.nist.gov

weblate

localization

filenames

backup

unauthorized access

server

zip file

security

vulnerability

fix

workaround

untrusted users

4.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

HIGH

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N

7 High

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

9.2%

JSON

Weblate is a web based localization tool. Prior to version 5.6.2, Weblate didn’t correctly validate filenames when restoring project backup. It may be possible to gain unauthorized access to files on the server using a crafted ZIP file. This issue has been addressed in Weblate 5.6.2. As a workaround, do not allow untrusted users to create projects.

Affected configurations

Vulners

Node

weblateorgweblateRange4.14–5.6.2

CNA Affected

[
  {
    "vendor": "WeblateOrg",
    "product": "weblate",
    "versions": [
      {
        "version": ">= 4.14, < 5.6.2",
        "status": "affected"
      }
    ]
  }
]