CVE-2019-14751
Severity Score
7.5
*CVSS v3
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
2
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
NLTK Downloader before 3.4.5 is vulnerable to a directory traversal, allowing attackers to write arbitrary files via a ../ (dot dot slash) in an NLTK package (ZIP archive) that is mishandled during extraction.
NLTK Downloader versiones anteriores a 3.4.5, es vulnerable a un salto de directorio, lo que permite a atacantes escribir archivos arbitrarios por medio de un ../ (punto punto barra diagonal) en un paquete NLTK (archivo ZIP) que es manejado inapropiadamente durante la extracción.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2019-08-07 CVE Reserved
- 2019-08-20 CVE Published
- 2024-08-05 CVE Updated
- 2024-08-05 First Exploit
- 2024-08-15 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CAPEC
References (8)
| URL | Tag | Source |
|---|---|---|
| https://github.com/nltk/nltk/blob/3.4.5/ChangeLog | Release Notes |
| URL | Date | SRC |
|---|---|---|
| https://github.com/mssalvatore/CVE-2019-14751_PoC | 2024-08-05 | |
| https://salvatoresecurity.com/zip-slip-in-nltk-cve-2019-14751 | 2024-08-05 |
| URL | Date | SRC |
|---|---|---|
| https://github.com/nltk/nltk/commit/f59d7ed8df2e0e957f7f247fe218032abdbe9a10 | 2023-11-07 |