Mondoo Vulnerability Intelligence

Curated by Mondoo Research, enhanced with AI

Resources

Search Vulnerabilities
Trending CVEs
Browse Ecosystems
Terminology
Blog

Open Source

cnquery
cnspec

Star us on GitHub!

Company

Mondoo Platform
About
Contact

Vulnerability Intelligence

Customers

Vulnerability IntelligenceCVE-2019-14751

CVE-2019-14751

HIGH7.5

NLTK Downloader before 3

Published Aug 22, 2019

Modified 1 years ago

Details

NLTK Downloader before 3.4.5 is vulnerable to a directory traversal, allowing attackers to write arbitrary files via a ../ (dot dot slash) in an NLTK package (ZIP archive) that is mishandled during extraction.

References

ADVISORY

http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00054.html

ADVISORY

http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00001.html

WEB

https://github.com/mssalvatore/CVE-2019-14751_PoC

WEB

https://github.com/nltk/nltk/blob/3.4.5/ChangeLog

WEB

https://github.com/nltk/nltk/commit/f59d7ed8df2e0e957f7f247fe218032abdbe9a10

ADVISORY

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QI4IJGLZQ5S7C5LNRNROHAO2P526XE3D/

ADVISORY

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZGZSSEJH7RHH3RBUEVWWYT75QU67J7SE/

WEB

https://salvatoresecurity.com/zip-slip-in-nltk-cve-2019-14751/

ADVISORY

https://www.cve.org/CVERecord?id=CVE-2019-14751

CVSS Analysis

CVSS v3.0

7.5

Exploitability

Attack Vector

NetworkAV:N

Attack Complexity

LowAC:L

Privileges Required

NonePR:N

User Interaction

NoneUI:N

Scope

UnchangedS:U

Impact

Confidentiality

NoneC:N

Integrity

HighI:H

Availability

NoneA:N

7.5/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Ecosystems

Timeline

PublishedAug 22, 2019

ModifiedAug 5, 2024

CVE-2019-14751 | Mondoo Vulnerability Intelligence