CVE-2024-12389

HIGH Year: 2024
CVSS v3 Score
8.8
High
Weakness Type
CWE-29
View all →

Vulnerability Description

A path traversal vulnerability exists in binary-husky/gpt_academic version git 310122f. The application supports the extraction of user-provided 7z files without proper validation. The Python py7zr package used for extraction does not guarantee that files will remain within the intended extraction directory. An attacker can exploit this vulnerability to perform arbitrary file writes, which can lead to remote code execution.

Related Vulnerabilities

CVE-2024-11170

HIGH
CVSS:8.8(High)

A vulnerability in danny-avila/librechat version git 81f2936 allows for path traversal due to improper sanitization of file paths by the multer middleware. This can lead to arbitrary file write and po...

CWE-292024

CVE-2023-6023

HIGH
CVSS:8.6(High)

An attacker can read any file on the filesystem on the server hosting ModelDB through an LFI in the artifact_path URL parameter.

CWE-292023

CVE-2024-21542

HIGH
CVSS:8.6(High)

Versions of the package luigi before 3.6.0 are vulnerable to Arbitrary File Write via Archive Extraction (Zip Slip) due to improper destination file path validation in the _extract_packages_archive fu...

CWE-292024

CVE-2024-34470

HIGH
CVSS:8.6(High)

An issue was discovered in HSC Mailinspector 5.2.17-3 through v.5.2.18. An Unauthenticated Path Traversal vulnerability exists in the /public/loader.php file. The path parameter does not properly filt...

CWE-292024

CVE-2024-5211

CRITICAL
CVSS:9.1(Critical)

A path traversal vulnerability in mintplex-labs/anything-llm allowed a manager to bypass the `normalizePath()` function, intended to defend against path traversal attacks. This vulnerability enables t...

CWE-292024

CVE-2024-5926

CRITICAL
CVSS:9.1(Critical)

A path traversal vulnerability in the get-project-files functionality of stitionai/devika allows attackers to read arbitrary files from the filesystem and cause a Denial of Service (DoS). This issue i...

CWE-292024