Path Traversal Affecting python-semantic-release package, versions [,9.8.8)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-PYTHON-PYTHONSEMANTICRELEASE-8161345
- published3 Oct 2024
- disclosed1 Oct 2024
- creditUnknown
Introduced: 1 Oct 2024
CVE NOT AVAILABLE CWE-22 (opens in a new tab)Common Weakness Enumeration (CWE) is a category system for software weaknesses
How to fix?
Upgrade python-semantic-release to version 9.8.8 or higher.
Overview
python-semantic-release is an Automatic Semantic Versioning for Python projects
Affected versions of this package are vulnerable to Path Traversal in the RuntimeContext class of semantic_release/cli/config.py file, stems from using Path.resolve() without Path.absolute(), which may return relative paths on Windows for non-existent directories. This could allow attackers to access or modify files outside the intended repository directory.
Note: This only affects Windows users.