Main Vulnerability Database SB2024121265

SB2024121265 - Path traversal in SmartFile python-libarchive

Published: December 12, 2024 Updated: March 17, 2026

Security Bulletin ID SB2024121265

Severity

High

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Data manipulation

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) External Control of File Name or Path (CVE-ID: CVE-2024-55587)

The vulnerability allows a remote attacker to overwrite files on the system.

The vulnerability exists due to application does not properly validate filenames when extracting files within the extract() and extractall() methods in zip.py. A remote attacker can pass a specially crafted archive to the application and write file to arbitrary directories on the system using directory traversal characters.

Remediation

Install update from vendor's website.

References

https://github.com/smartfile/python-libarchive/blob/c7677411bfc4ab5701d343bc6ebd9e35c990e80e/libarchive/zip.py#L107
https://github.com/smartfile/python-libarchive/issues/42
https://github.com/smartfile/python-libarchive/pull/41