Directory Traversal Affecting python3.11 package, versions <0:3.11.5-1.el9_3
Snyk ID: SNYK-ALMALINUX9-PYTHON311-6060660
- published 15 Nov 2023
- disclosed 7 Nov 2023
How to fix?
Upgrade the AlmaLinux:9 python3.11 package to version 0:3.11.5-1.el9_3 or higher.
This issue was patched in ALSA-2023:6494.
Note that the upstream remediation (PEP 706, backported to Python 3.11.4) adds a `filter` argument to `tarfile.extract()` and `tarfile.extractall()` rather than changing their default behaviour. After upgrading, application code that extracts untrusted archives must still pass `filter="data"` (or `filter="tar"`), or validate member paths itself, to be protected.
NVD Description
Note: Versions mentioned in the description apply only to the upstream python3.11 package and not the python3.11 package as distributed by AlmaLinux.
See "How to fix?" above for the fixed versions and status relevant to AlmaLinux:9.
CVE-2007-4559: Directory traversal vulnerability in the (1) extract and (2) extractall functions in the tarfile module in Python allows user-assisted remote attackers to overwrite arbitrary files via a .. (dot dot) sequence in filenames in a TAR archive, a related issue to CVE-2001-1267.
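The archive described above, reconstructed as an added example (this is not code from the Snyk page or from the Python project). It builds a constructed tar whose member name contains a `..` sequence, shows the pre-extraction path check a caller had to write before the fix, and, on interpreters that ship the PEP 706 `filter=` argument, shows `tarfile`'s own `data` filter rejecting the same archive. The symlink member, the function names and the temporary destination directory are assumptions made for illustration; the example also goes beyond the NVD text by rejecting link targets that escape the destination.

```python
import io
import os
import tarfile
import tempfile

# Constructed sample content (not real-world data).
PAYLOAD = b"owned\n"


def _add_file(tf: tarfile.TarFile, name: str, data: bytes) -> None:
    info = tarfile.TarInfo(name=name)
    info.size = len(data)
    tf.addfile(info, io.BytesIO(data))


def build_traversal_tar() -> bytes:
    """Constructed archive: a '..' member (the CVE-2007-4559 pattern),
    a symlink whose target escapes the destination, and one benign file."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        _add_file(tf, "../../escaped.txt", PAYLOAD)
        link = tarfile.TarInfo(name="ok/link")  # assumed extra member for illustration
        link.type = tarfile.SYMTYPE
        link.linkname = "../../../etc/passwd"
        tf.addfile(link)
        _add_file(tf, "ok/benign.txt", PAYLOAD)
    return buf.getvalue()


def build_benign_tar() -> bytes:
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        _add_file(tf, "ok/benign.txt", PAYLOAD)
    return buf.getvalue()


def _is_within(base: str, target: str) -> bool:
    """True if target, after resolving '..' and symlinks, stays under base."""
    base = os.path.realpath(base)
    target = os.path.realpath(target)
    return os.path.commonpath([base, target]) == base


def find_unsafe_members(tar_bytes: bytes, dest: str) -> list[str]:
    """Names of members whose path or link target would land outside dest."""
    unsafe = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tf:
        for m in tf.getmembers():
            target = os.path.join(dest, m.name)
            if not _is_within(dest, target):
                unsafe.append(m.name)
            # symlink targets are relative to the member's own directory
            elif m.issym() and not _is_within(dest, os.path.join(os.path.dirname(target), m.linkname)):
                unsafe.append(m.name)
            # hardlink targets are relative to the archive root
            elif m.islnk() and not _is_within(dest, os.path.join(dest, m.linkname)):
                unsafe.append(m.name)
    return unsafe


def safe_extractall(tar_bytes: bytes, dest: str) -> None:
    """Validate every member before touching the filesystem, then extract.
    Where the interpreter has PEP 706, also let tarfile enforce the boundary."""
    unsafe = find_unsafe_members(tar_bytes, dest)
    if unsafe:
        raise ValueError(f"refusing to extract, unsafe members: {unsafe}")
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tf:
        if hasattr(tarfile, "data_filter"):
            tf.extractall(dest, filter="data")
        else:
            tf.extractall(dest)


def builtin_filter_result(tar_bytes: bytes, dest: str) -> str:
    """What tarfile's own 'data' filter does with an archive:
    'rejected', 'extracted', or 'unavailable' on Pythons without PEP 706."""
    if not hasattr(tarfile, "data_filter"):
        return "unavailable"
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tf:
        try:
            tf.extractall(dest, filter="data")
        except tarfile.FilterError:
            return "rejected"
    return "extracted"


def run_demo() -> dict:
    dest = tempfile.mkdtemp(prefix="tar-dest-")
    results = {"unsafe_members": find_unsafe_members(build_traversal_tar(), dest)}
    try:
        safe_extractall(build_traversal_tar(), dest)
        results["traversal_rejected"] = False
    except ValueError:
        results["traversal_rejected"] = True
    safe_extractall(build_benign_tar(), dest)
    results["benign_extracted"] = os.path.isfile(os.path.join(dest, "ok", "benign.txt"))
    results["builtin_filter"] = builtin_filter_result(build_traversal_tar(), dest)
    results["escaped_outside"] = os.path.exists(os.path.join(dest, "..", "..", "escaped.txt"))
    return results


if __name__ == "__main__":
    print(run_demo())
```

The path check resolves each member against the destination with `os.path.realpath` and `os.path.commonpath`, which catches `..` sequences, absolute names and links that point out of the tree; the unpatched `extractall()` performs none of these checks, which is the behaviour CVE-2007-4559 describes.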
References
- https://errata.almalinux.org/9/ALSA-2023-6324.html
- https://errata.almalinux.org/9/ALSA-2023-6494.html
- https://errata.almalinux.org/9/ALSA-2023-6659.html
- https://errata.almalinux.org/9/ALSA-2023-6694.html
- https://errata.almalinux.org/8/ALSA-2023-7024.html
- https://errata.almalinux.org/8/ALSA-2023-7034.html
- https://errata.almalinux.org/8/ALSA-2023-7050.html
- https://errata.almalinux.org/8/ALSA-2023-7151.html
- https://errata.almalinux.org/8/ALSA-2023-7176.html
- https://access.redhat.com/security/cve/CVE-2007-4559
- https://access.redhat.com/errata/RHSA-2023:6324
- https://access.redhat.com/errata/RHSA-2023:6494
- https://access.redhat.com/errata/RHSA-2023:6659
- https://access.redhat.com/errata/RHSA-2023:6694
- https://access.redhat.com/errata/RHSA-2023:7024
- https://access.redhat.com/errata/RHSA-2023:7034
- https://access.redhat.com/errata/RHSA-2023:7050
- https://access.redhat.com/errata/RHSA-2023:7151
- https://access.redhat.com/errata/RHSA-2023:7176
- http://mail.python.org/pipermail/python-dev/2007-August/074290.html
- http://mail.python.org/pipermail/python-dev/2007-August/074292.html
- http://secunia.com/advisories/26623
- http://www.vupen.com/english/advisories/2007/3022
- https://bugzilla.redhat.com/show_bug.cgi?id=263261
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CVBB7NU3YIRRDOKLYVN647WPRR3IAKR6/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FI55PGL47ES3OU2FQPGEHOI2EK3S2OBH/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KA4Z44ZAI4SY7THCFBUDNT5EEFO4XQ3A/
- https://security.gentoo.org/glsa/202309-06