thefuck is vulnerable to path traversal. Using the “undo archive operation” feature allows deletion of an arbitrary file outside of the working directory.
Name | Operator | Version |
---|---|---|
thefuck | le | 3.30 |
thefuck:sid | eq | 3.29-0.1 |
thefuck:bullseye | eq | 3.29-0.1 |
github.com/nvbn/thefuck/commit/e343c577cd7da4d304b837d4a07ab4df1e023092
github.com/nvbn/thefuck/releases/tag/3.31
lists.fedoraproject.org/archives/list/[email protected]/message/4MEDDLBFVRUQHPYIBJ4MFM3M4NUJUXL5/
lists.fedoraproject.org/archives/list/[email protected]/message/YA6UNQSOY6M3NJDZLS6YJXTS4WGDMEEJ/
vuln.ryotak.me/advisories/48