5.4

CVE-2024-39303

EPSS 0.44%
Veröffentlicht 01.07.2024 19:15:05
Zuletzt bearbeitet 21.11.2024 09:27:25
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Weblate is a web based localization tool. Prior to version 5.6.2, Weblate didn't correctly validate filenames when restoring project backup. It may be possible to gain unauthorized access to files on the server using a crafted ZIP file. This issue has been addressed in Weblate 5.6.2. As a workaround, do not allow untrusted users to create projects.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Weblate ≫ Weblate Version >= 4.14 < 5.6.2

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.44%	0.622

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.4	2.8	2.5	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
security-advisories@github.com	4.4	1.3	2.7	CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N

CWE-73 External Control of File Name or Path

The product allows user input to control or influence paths or file names that are used in filesystem operations.

https://github.com/WeblateOrg/weblate/commit/b6a7eace155fa0feaf01b4ac36165a9c5e63bfdd

Patch

https://github.com/WeblateOrg/weblate/security/advisories/GHSA-jfgp-674x-6q4p

Patch

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2024-39303

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-39303

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-39303

EUVD