Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1jZ3Z4LTk0NDctdmNjaM4AA9aK
nltk unsafe deserialization vulnerability
NLTK through 3.8.1 allows remote code execution if untrusted packages have pickled Python code, and the integrated data package download functionality is used. This affects, for example, averaged_perceptron_tagger and punkt.
Permalink: https://github.com/advisories/GHSA-cgvx-9447-vcch
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1jZ3Z4LTk0NDctdmNjaM4AA9aK
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 5 months ago
Updated: 3 months ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Identifiers: GHSA-cgvx-9447-vcch, CVE-2024-39705
References:
- https://nvd.nist.gov/vuln/detail/CVE-2024-39705
- https://github.com/nltk/nltk/issues/2522
- https://github.com/nltk/nltk/issues/3266
- https://github.com/nltk/nltk/commit/441aecb7d33014bd08672232c6c8bb69c2ceaba2
- https://www.vicarius.io/vsociety/posts/rce-in-python-nltk-cve-2024-39705-39706
- https://github.com/advisories/GHSA-cgvx-9447-vcch
Blast Radius: 35.7
Affected Packages
pypi:nltk
Dependent packages: 1,440
Dependent repositories: 57,572
Downloads: 21,062,912 last month
Affected Version Ranges: < 3.9
Fixed in: 3.9
All affected versions: 0.9.3, 0.9.4, 0.9.5, 0.9.6, 0.9.7, 0.9.8, 0.9.9, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.4.1, 3.4.2, 3.4.3, 3.4.4, 3.4.5, 3.6.1, 3.6.2, 3.6.3, 3.6.4, 3.6.5, 3.6.6, 3.6.7, 3.8.1, 3.8.2
All unaffected versions: 3.9.1