CVE-2024-21542

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2024-21542

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-21542.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2024-21542

Aliases

Published

2024-12-10T05:15:07Z

Modified

2025-10-22T18:19:56.339804Z

Severity

6.6 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:H/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X CVSS Calculator

Summary

[none]

Details

Versions of the package luigi before 3.6.0 are vulnerable to Arbitrary File Write via Archive Extraction (Zip Slip) due to improper destination file path validation in the extractpackages_archive function.

References

Affected packages

Git / github.com/spotify/luigi

Affected ranges

Type: GIT
Repo: https://github.com/spotify/luigi
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

3d76fa24a0a86f1612720b0502c524698e52d40d

Fixed

b5d1b965ead7d9f777a3216369b5baf23ec08999

Affected versions

1.*

1.0.16

1.0.22

1.0.23

1.0.24

1.1.0

1.1.1

1.1.2

1.2.1

1.3.0

2.*

2.0.0

2.0.1

2.1.0

2.1.1

2.2.0

2.3.0

2.3.1

2.3.2

2.3.3

2.4.0

2.5.0

2.6.0

2.6.1

2.6.2

2.7.0

2.7.1

2.7.2

2.7.3

2.7.4

2.7.5

2.7.6

2.7.7

2.7.8

2.7.9

2.8.0

2.8.1

2.8.10

2.8.11

2.8.12

2.8.13

2.8.2

2.8.3

2.8.4

2.8.5

2.8.6

2.8.7

2.8.8

2.8.9

3.*

3.0.0

3.0.1

3.0.2

3.0.3

3.1.0

3.1.1

3.2.0

3.2.1

3.3.0

3.4.0

3.5.0

3.5.1

v1.*

v1.0.17

v1.0.19

v1.0.21

v1.0.22

v1.2.0

v1.2.1

v3.*

v3.5.2