CVE-2024-55587
Published: 12 December 2024
Summary
CVE-2024-55587 is a high-severity Path Traversal (CWE-22) vulnerability. Its CVSS base score is 8.8 (High).
Operationally, it is ranked in the top 2.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
python-libarchive through version 4.2.1 contains a directory traversal vulnerability in the extract logic of libarchive/zip.py. The flaw affects the ZipFile.extractall and ZipFile.extract methods, which fail to properly sanitize paths when processing ZIP archives and therefore permit creation of files outside the intended destination directory. The issue is tracked as CVE-2024-55587, carries a CVSS 3.1 score of 8.8, and is categorized under CWE-22.
An attacker with low privileges can supply a malicious ZIP archive over the network and trigger extraction through the affected APIs. Successful exploitation results in arbitrary file writes that can overwrite or create files anywhere on the filesystem, enabling impacts to confidentiality, integrity, and availability.
The associated GitHub issue #42 and pull request #41 document the discovery and corrective changes to the zip extraction code, indicating that applying the fix from the repository eliminates the traversal vector. The EPSS score remains at 0.3734 with no material rise observed after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-3441
Vulnerability details
python-libarchive through 4.2.1 allows directory traversal (to create files) in extract in zip.py for ZipFile.extractall and ZipFile.extract.
- CWE(s): CWE-22
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Validates pathnames and filenames to prevent traversal outside intended directories.
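As an added illustration of the control above, and of the sanitization step the vulnerable extract logic in zip.py is described as lacking, the stand-alone Python snippet below resolves each ZIP member's path against the destination directory and refuses any entry that would land outside it. This is example code written for this page, not python-libarchive's code or its fix; it uses the standard-library zipfile module, a constructed three-entry archive, and function names that are assumptions.

```python
import io
import os
import tempfile
import zipfile


def is_safe_member_path(dest_dir: str, member_name: str) -> bool:
    """True only if member_name, joined to dest_dir, resolves inside dest_dir."""
    dest_root = os.path.realpath(dest_dir)
    # Absolute names (or a drive prefix on Windows) would make os.path.join
    # discard dest_dir entirely, so they are rejected before any resolution.
    if member_name.startswith(("/", "\\")) or os.path.splitdrive(member_name)[0]:
        return False
    target = os.path.realpath(os.path.join(dest_root, member_name))
    # Containment check: the resolved target must be dest_root itself or a
    # path strictly below it ("docs/../readme.txt" passes, "../x" does not).
    return target == dest_root or target.startswith(dest_root + os.sep)


def safe_extractall(zip_bytes: bytes, dest_dir: str) -> list[str]:
    """Extract members that stay inside dest_dir; return the names that were refused."""
    rejected = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not is_safe_member_path(dest_dir, info.filename):
                rejected.append(info.filename)  # log/alert here in a real deployment
                continue
            zf.extract(info, dest_dir)
    return rejected


def build_demo_archive() -> bytes:
    """Constructed sample archive: one benign entry and two traversal attempts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "benign content")
        zf.writestr("../../escape.txt", "relative traversal out of dest_dir")
        zf.writestr("/etc/evil", "absolute path ignoring dest_dir")
    return buf.getvalue()


def run_demo() -> tuple[list[str], bool]:
    """Extract the sample into a fresh temp dir; return (rejected names, readme written?)."""
    dest = tempfile.mkdtemp()
    rejected = safe_extractall(build_demo_archive(), dest)
    return rejected, os.path.isfile(os.path.join(dest, "docs", "readme.txt"))
```

The same containment test applies to any archive extractor: resolve the final path first, compare it against the destination root, and only then write.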