
30 matches found

OSV
added 2026/04/29 11:50 a.m. | 4 views

BIT-PYTHON-MIN-2026-3087 shutil.unpack_archive() doesn't check for Windows absolute paths in ZIPs

If shutil.unpack_archive is given a ZIP archive with an absolute Windows path containing a drive C:\... then the archive will be extracted outside the target directory which is different than other operating systems. Only Windows is affected by this vulnerability...

7.5 CVSS | 5.3 AI score | 0.0015 EPSS
Exploits: 1 | References: 12

OSV
added 2026/04/27 9:16 p.m. | 2 views

UBUNTU-CVE-2026-3087

If shutil.unpack_archive is given a ZIP archive with an absolute Windows path containing a drive C:\... then the archive will be extracted outside the target directory which is different than other operating systems. Only Windows is affected by this vulnerability...

7.5 CVSS | 5.8 AI score | 0.0015 EPSS
Exploits: 1 | References: 2

OSV
added 2026/04/27 8:46 p.m. | 3 views

PSF-2026-22

If shutil.unpack_archive is given a ZIP archive with an absolute Windows path containing a drive C:\... then the archive will be extracted outside the target directory which is different than other operating systems. Only Windows is affected by this vulnerability...

7.5 CVSS | 5.3 AI score | 0.0015 EPSS
Exploits: 1 | References: 10

Positive Technologies
added 2026/04/27 12:0 a.m. | 3 views

PT-2026-35528

Name of the Vulnerable Software and Affected Versions: CPython (affected versions not specified). Description: On Windows, the shutil.unpack_archive function fails to properly check for absolute paths within ZIP archives. If an archive contains a path with a drive letter e.g., C:, files may be extract...

7.5 CVSS | 5.4 AI score | 0.0015 EPSS
Exploits: 1 | References: 24

EUVD
added 2025/10/07 12:30 a.m. | 2 views

EUVD-2020-0169

Malware in sbrugna...

7.8 CVSS | 7.7 AI score | 0.00103 EPSS
Exploits: 0 | References: 13

SUSE CVE
added 2023/02/15 4:19 a.m. | 1 views

SUSE CVE-2018-1000802

Python Software Foundation Python (CPython) version 2.7 contains a CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in shutil module make_archive function that can result in Denial of service, Information gain via injection of arbitrary files on...

5.3 CVSS | 9.1 AI score | 0.26492 EPSS
Exploits: 1 | References: 31

Cvelist
added 2022/12/16 10:56 p.m. | 15 views

CVE-2022-23530 GuardDog vulnerable to arbitrary file write when scanning a specially-crafted remote PyPI package

GuardDog is a CLI tool to identify malicious PyPI packages. Versions prior to v0.1.8 are vulnerable to arbitrary file write when scanning a specially-crafted remote PyPI package. Extracting files using shutil.unpack_archive from a potentially malicious tarball without validating that the destinati...

5.8 CVSS | 6.6 AI score | 0.00852 EPSS
Exploits: 1 | References: 3

OSV
added 2022/12/05 11:34 p.m. | 27 views

GHSA-78M5-JPMF-CH7V GuardDog vulnerable to arbitrary file write when scanning a specially-crafted remote PyPI package

Summary: Unsafe extracting using shutil.unpack_archive from a remotely retrieved tarball may lead to writing the extracted file to an unintended destination. Details: Extracting files using shutil.unpack_archive from a potentially malicious tarball without validating that the destination file path is...

5.8 CVSS | 6.1 AI score | 0.00852 EPSS
Exploits: 1 | References: 6

Hacker One
added 2022/02/04 6:48 p.m. | 19 views

GitHub Security Lab: [Python]: Add shutil module sinks for path injection query

This bug was reported directly to GitHub Security Lab...

1.5 AI score
Exploits: 0

Tenable Nessus
added 2020/04/16 12:0 a.m. | 57 views

EulerOS Virtualization 3.0.2.2 : python (EulerOS-SA-2020-1472)

According to the versions of the python packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : - Python Software Foundation Python CPython version 2.7 contains a CWE-77: Improper Neutralization of Special Elements used in a...

9.8 CVSS | 7.3 AI score | 0.31631 EPSS
Exploits: 2 | References: 4

Tenable Nessus
added 2019/08/20 12:0 a.m. | 35 views

SUSE SLES12 Security Update : python3 (SUSE-SU-2019:2053-2)

This update for python3 fixes the following issues : CVE-2019-10160: Fixed a regression in urlparse and urlsplit introduced by the fix for CVE-2019-9636 bsc1138459. CVE-2018-14647: Fixed a denial of service vulnerability caused by a crafted XML document bsc1109847. CVE-2018-1000802: Fixed a comma...

9.8 CVSS | 7.3 AI score | 0.26492 EPSS
Exploits: 1 | References: 11

Tenable Nessus
added 2019/08/12 12:0 a.m. | 45 views

SUSE SLED12 / SLES12 Security Update : python3 (SUSE-SU-2019:2053-1)

This update for python3 fixes the following issues : CVE-2019-10160: Fixed a regression in urlparse and urlsplit introduced by the fix for CVE-2019-9636 bsc1138459. CVE-2018-14647: Fixed a denial of service vulnerability caused by a crafted XML document bsc1109847. CVE-2018-1000802: Fixed a comma...

9.8 CVSS | 7.3 AI score | 0.26492 EPSS
Exploits: 1 | References: 11

Tenable Nessus
added 2019/03/27 12:0 a.m. | 28 views

openSUSE Security Update : python (openSUSE-2019-765)

This update for python fixes the following issue : - CVE-2018-1000802: Prevent command injection in shutil module make_archive function via passage of unfiltered user input bsc1109663 This update was imported from the SUSE:SLE-15:Update update project...

9.8 CVSS | 7.2 AI score | 0.26492 EPSS
Exploits: 1 | References: 2

FreeBSD
added 2019/03/13 12:0 a.m. | 90 views

python 3.7 -- multiple vulnerabilities

Python changelog: bpo-37463: ssl.match_hostname no longer accepts IPv4 addresses with additional text after the address and only quad-dotted notation without trailing whitespaces. Some inet_aton implementations ignore whitespace and all data after whitespace, e.g. '127.0.0.1 whatever'. bpo-35907:...

9.1 CVSS | 0.8 AI score | 0.0991 EPSS
Exploits: 2 | References: 1

BDU FSTEC
added 2019/02/05 12:0 a.m. | 2 views

The vulnerability of the `make_archive` function in the `shutil` module of the Python programming language interpreter (CPython) allows a malicious actor to trigger a service failure or gain unauthorized access to information.

The vulnerability of the make_archive function in the shutil module of the Python programming language interpreter (CPython) is related to errors in user input filtering. Exploiting this vulnerability could allow an attacker to cause service failures or gain unauthorized access to protected...

9.8 CVSS | 6.8 AI score | 0.26492 EPSS
Exploits: 1 | References: 6 | Affected Software: 2

OSV
added 2018/12/31 10:42 p.m. | 9 views

MGASA-2018-0495 Updated python packages fix security vulnerabilities

Possible denial of service vulnerability due to a missing check in Lib/wave.py to verify that at least one channel is provided CVE-2017-18207. Python's elementtree C accelerator failed to initialise Expat's hash salt during initialization. This could make it easy to conduct denial of service...

9.8 CVSS | 7.5 AI score | 0.26492 EPSS
Exploits: 1 | References: 5

Ubuntu
added 2018/11/15 1:47 p.m. | 152 views

USN-3817-2: Python vulnerabilities

USN-3817-1 fixed a vulnerability in Python. This update provides the corresponding update for Ubuntu 12.04 ESM. Original advisory details: It was discovered that Python incorrectly handled large amounts of data. A remote attacker could use this issue to cause Python to crash, resulting in a denia...

9.8 CVSS | 7 AI score | 0.26492 EPSS
Exploits: 2

Tenable Nessus
added 2018/11/14 12:0 a.m. | 52 views

Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS : Python vulnerabilities (USN-3817-1)

The remote Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-3817-1 advisory. It was discovered that Python incorrectly handled large amounts of data. A remote attacker could use this issue to cause Python t...

9.8 CVSS | 7.1 AI score | 0.26492 EPSS
Exploits: 2 | References: 6

OPENSUSE Linux
added 2018/10/06 6:9 p.m. | 87 views

Security update for python (moderate)

This update for python fixes the following issue: - CVE-2018-1000802: Prevent command injection in shutil module make_archive function via passage of unfiltered user input bsc1109663 This update was imported from the SUSE:SLE-15:Update update project...

2.7 AI score | 0.26492 EPSS
Exploits: 1 | References: 1

OSV
added 2018/10/04 12:17 p.m. | 8 views

SUSE-SU-2018:3002-1 Security update for python

This update for python fixes the following issue: - CVE-2018-1000802: Prevent command injection in shutil module make_archive function via passage of unfiltered user input bsc1109663...

9.8 CVSS | 9.8 AI score | 0.26492 EPSS
Exploits: 1 | References: 3