CVE-2024-21542
Published: 10 December 2024
Summary
CVE-2024-21542 is a medium-severity Path Traversal: '\..\filename' (CWE-29) vulnerability; the affected product is listed as Snyk (inferred from references). Its CVSS base score is 6.6 (Medium).
Operationally, it ranks in the top 5.5% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
Deeper analysis
Versions of the Luigi package prior to 3.6.0 contain a Zip Slip vulnerability that permits arbitrary file writes during archive extraction. The flaw stems from missing destination path validation inside the _extract_packages_archive function, which is tracked under CWE-29 and CWE-22 and carries a CVSS 4.0 score of 6.6.
An unauthenticated network attacker can supply a malicious archive that, when processed by the affected function, writes attacker-controlled files to arbitrary locations on the host filesystem. Successful exploitation can alter system files or configuration data, producing a high integrity impact while leaving confidentiality and availability largely unaffected.
The maintainers addressed the issue in release 3.6.0, with the corrective change committed to the repository; users are advised to upgrade to that version. A publicly available proof-of-concept exists, and the current EPSS of 0.1421 has remained flat since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-0098
Vulnerability details
Versions of the package luigi before 3.6.0 are vulnerable to Arbitrary File Write via Archive Extraction (Zip Slip) due to improper destination file path validation in the _extract_packages_archive function.
- CWE(s): CWE-29, CWE-22
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Validates pathnames and filenames to prevent traversal outside intended directories.
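The control above, and the missing destination check described under "Deeper analysis", as an added Python example that is not code from Luigi or from this page: each archive member is resolved against the destination and rejected if it lands outside it, including the backslash '\..\' form that CWE-29 names. The function names, the in-memory sample archive and the temporary destination directory are assumptions made for the demo.

```python
import io
import os
import tempfile
import zipfile

def resolve_member_path(dest_dir, member_name):
    """Absolute target path for member_name under dest_dir, or ValueError if it
    escapes. Backslashes (the CWE-29 '\\..\\' form) count as separators."""
    dest_root = os.path.realpath(dest_dir)
    name = member_name.replace("\\", "/")
    if name.startswith("/") or os.path.splitdrive(name)[0]:
        raise ValueError(f"absolute archive member: {member_name!r}")
    candidate = os.path.realpath(os.path.join(dest_root, name))
    # realpath collapses '..' and follows symlinks; commonpath is a real containment test
    if os.path.commonpath([dest_root, candidate]) != dest_root:
        raise ValueError(f"archive member escapes destination: {member_name!r}")
    return candidate

def safe_extract_zip(archive_bytes, dest_dir):
    """Extract an in-memory zip into dest_dir. Every member is validated before
    anything is written, so one bad entry aborts the whole archive."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        plan = [(i, resolve_member_path(dest_dir, i.filename)) for i in zf.infolist()]
        for info, target in plan:
            os.makedirs(target if info.is_dir() else os.path.dirname(target), exist_ok=True)
            if not info.is_dir():
                with zf.open(info) as src, open(target, "wb") as dst:
                    dst.write(src.read())
    return [target for info, target in plan if not info.is_dir()]

def build_archive(entries):
    """Constructed sample input: an in-memory zip built from a {name: bytes} dict."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

def demo():
    """A benign archive extracts; one carrying a traversal entry is refused whole."""
    dest = os.path.realpath(tempfile.mkdtemp(prefix="zipslip-demo-"))  # assumed scratch dir
    ok = safe_extract_zip(build_archive({"pkg/module.py": b"print('hi')\n"}), dest)
    try:
        safe_extract_zip(build_archive({"pkg\\..\\..\\escaped.txt": b"x"}), dest)
        rejected = False
    except ValueError:
        rejected = True
    return {"written": [os.path.relpath(p, dest) for p in ok], "rejected": rejected}
```

Because the whole member list is validated before the first write, a rejected archive leaves nothing behind on disk; the same check applies to tar extraction, where link members should additionally be refused.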