GHSA-m8xw-9x5x-6vh3

Source
https://github.com/advisories/GHSA-m8xw-9x5x-6vh3
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-m8xw-9x5x-6vh3/GHSA-m8xw-9x5x-6vh3.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-m8xw-9x5x-6vh3
Aliases
Published
2022-12-06T21:30:45Z
Modified
2024-02-16T08:07:09.758546Z
Severity
  • 9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Summary
py7zr directory traversal vulnerability
Details

A directory traversal vulnerability in the SevenZipFile.extractall() function of the Python library py7zr v0.20.0 and earlier allows attackers to write arbitrary files when a crafted 7z file is extracted.

References

Affected packages

PyPI / py7zr

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
0.20.1

Affected versions

0.*

0.0.3
0.0.4
0.0.5
0.0.6
0.0.7
0.0.8
0.1.0
0.1.1
0.1.2
0.1.3
0.1.4
0.1.5
0.1.6
0.2.0
0.3
0.3.1
0.3.2
0.3.3
0.3.4
0.3.5
0.4a1
0.4a2
0.4b1
0.4
0.4.1
0.4.3
0.4.4
0.5a3
0.5a4
0.5b1
0.5b2
0.5b3
0.5b4
0.5b5
0.5b6
0.5rc2
0.5rc3
0.5
0.5.2
0.5.3
0.5.4
0.5.5
0.6a1
0.6a2
0.6b1
0.6b2
0.6b3
0.6b4
0.6b5
0.6b6
0.6b7
0.6b8
0.6rc0
0.6
0.7.0b1
0.7.0b2
0.7.0b3
0.7.0
0.7.1
0.7.2
0.7.3
0.7.4
0.8.0a1
0.8.0a2
0.8.0a3
0.8.0b1
0.8.0b2
0.8.0b3
0.8.0b4
0.8.0b5
0.8.0b6
0.8.0b7
0.8.0b8
0.8.0
0.8.1
0.8.2
0.8.3
0.8.4
0.8.5
0.9.0a1
0.9.0a2
0.9.0b1
0.9.0b2
0.9.0b3
0.9.0
0.9.1
0.9.2
0.9.3
0.9.4
0.9.5
0.9.7
0.9.8
0.9.9
0.9.10
0.10.0a1
0.10.0a2
0.10.0a3
0.10.0a4
0.10.0a5
0.10.0a6
0.10.0b1
0.10.0b3
0.10.0
0.10.1
0.10.2
0.11.0a1
0.11.0b1
0.11.0b2
0.11.0b3
0.11.0
0.11.1
0.11.2
0.11.3
0.12.0
0.13.0
0.13.1
0.14.0
0.14.1
0.15.0
0.15.1
0.15.2
0.16.0
0.16.1
0.16.2
0.16.3
0.16.4
0.17.0
0.17.1
0.17.2
0.17.3
0.17.4
0.18.0
0.18.1
0.18.3
0.18.4
0.18.5
0.18.6
0.18.7
0.18.9
0.18.10
0.18.11
0.18.12
0.19.0
0.19.1
0.19.2
0.20.0

Ecosystem specific

{
    "affected_functions": [
        "py7zr.py7zr.SevenZipFile.extractall",
        "py7zr.py7zr.SevenZipFile._extract",
        "py7zr.py7zr.Worker._extract_single",
        "py7zr.py7zr.Worker.extract"
    ]
}

Database specific

{
    "last_known_affected_version_range": "<= 0.20.0"
}