Lucene search

GitHub_MCVELIST:CVE-2024-39303

HistoryJul 01, 2024 - 6:46 p.m.

CVE-2024-39303 Weblate vulnerabler to improper sanitization of project backups

2024-07-0118:46:18

CWE-73

GitHub_M

www.cve.org

weblate

localization tool

backup validation

unauthorized access

zip file

server security

workaround

untrusted users

4.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

HIGH

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N

0.0004 Low

EPSS

Percentile

9.2%

JSON

Weblate is a web based localization tool. Prior to version 5.6.2, Weblate didn’t correctly validate filenames when restoring project backup. It may be possible to gain unauthorized access to files on the server using a crafted ZIP file. This issue has been addressed in Weblate 5.6.2. As a workaround, do not allow untrusted users to create projects.

CNA Affected

[
  {
    "vendor": "WeblateOrg",
    "product": "weblate",
    "versions": [
      {
        "version": ">= 4.14, < 5.6.2",
        "status": "affected"
      }
    ]
  }
]

References

github.com/WeblateOrg/weblate/commit/b6a7eace155fa0feaf01b4ac36165a9c5e63bfdd

github.com/WeblateOrg/weblate/security/advisories/GHSA-jfgp-674x-6q4p

4.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

HIGH

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N

0.0004 Low

EPSS

Percentile

9.2%

JSON

Related for CVELIST:CVE-2024-39303