Upgrade Debian:11 thunderbird to version 1:128.6.0esr-1~deb11u1 or higher.

Path Traversal Affecting python-semantic-release package, versions [,9.8.8)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Path Traversal vulnerabilities in an interactive lesson.

Start learning

Snyk IDSNYK-PYTHON-PYTHONSEMANTICRELEASE-8161345
published3 Oct 2024
disclosed1 Oct 2024
creditUnknown

Report a new vulnerability Found a mistake?

Introduced: 1 Oct 2024

CWE-22 (opens in a new tab)

How to fix?

Upgrade python-semantic-release to version 9.8.8 or higher.

Overview

python-semantic-release is an Automatic Semantic Versioning for Python projects

Affected versions of this package are vulnerable to Path Traversal in the RuntimeContext class of semantic_release/cli/config.py file, stems from using Path.resolve() without Path.absolute(), which may return relative paths on Windows for non-existent directories. This could allow attackers to access or modify files outside the intended repository directory.

Note: This only affects Windows users.

References

GitHub Commit

CVSS Scores

version 4.0

version 3.1

Attack Vector (AV)
Network
Attack Complexity (AC)
Low
Attack Requirements (AT)
None
Privileges Required (PR)
None
User Interaction (UI)
None

Confidentiality (VC)
High
Integrity (VI)
None
Availability (VA)
None

Confidentiality (SC)
None
Integrity (SI)
None
Availability (SA)
None