Data

Tools

Indexes

Applications

Experiments

Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

GSA_kwCzR0hTQS1qZmdwLTY3NHgtNnE0cM4AA9cu

Low CVSS: 2.1 EPSS: 0.00321% (0.54551 Percentile) EPSS:
Permalink JSON

Weblate vulnerable to improper sanitization of project backups

Affected Packages Affected Versions Fixed Versions
pypi:Weblate
PURL: pkg:pypi/weblate
>= 4.14, < 5.6.2 5.6.2
0 Dependent packages
2 Dependent repositories
9,745 Downloads last month

Affected Version Ranges

All affected versions

4.14.1, 4.14.2, 4.15.1, 4.15.2, 4.16.1, 4.16.2, 4.16.3, 4.16.4, 4.18.1, 4.18.2, 5.0.1, 5.0.2, 5.1.1, 5.2.1, 5.3.1, 5.4.1, 5.4.2, 5.4.3, 5.5.2, 5.5.3, 5.5.4, 5.5.5, 5.6.1

All unaffected versions

2.10.1, 2.13.1, 2.14.1, 2.17.1, 2.19.1, 3.0.1, 3.1.1, 3.2.1, 3.2.2, 3.5.1, 3.6.1, 3.7.1, 3.9.1, 3.10.1, 3.10.2, 3.10.3, 3.11.1, 3.11.2, 3.11.3, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.1.1, 4.2.1, 4.2.2, 4.3.1, 4.3.2, 4.4.1, 4.4.2, 4.5.1, 4.5.2, 4.5.3, 4.6.1, 4.6.2, 4.7.1, 4.7.2, 4.8.1, 4.9.1, 4.10.1, 4.11.1, 4.11.2, 4.12.1, 4.12.2, 4.13.1, 5.6.2, 5.7.1, 5.7.2, 5.8.1, 5.8.2, 5.8.3, 5.8.4, 5.9.1, 5.9.2, 5.10.1, 5.10.2, 5.10.3, 5.10.4, 5.11.1, 5.11.3, 5.11.4, 5.12.1, 5.12.2, 5.13.1, 5.13.2, 5.13.3, 5.14.1, 5.14.2, 5.14.3

Impact

Weblate didn't correctly validate filenames when restoring project backup. It may be possible to gain unauthorized access to
files on the server using a crafted ZIP file.

Patches

This issue has been addressed in Weblate 5.6.2 via https://github.com/WeblateOrg/weblate/commit/b6a7eace155fa0feaf01b4ac36165a9c5e63bfdd.

Workarounds

Do not allow project creation to untrusted users.

References

Thanks to Bryan Cahill for bringing this issue to our attention.

For more information

If you have any questions or comments about this advisory:

References:

Identifiers

GHSA-jfgp-674x-6q4p

CVE-2024-39303

Risk

Severity

Low

CVSS

CVSS Score: 2.1

CVSS vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

EPSS

EPSS Percentage: 0.00321

EPSS Percentile: 0.54551

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Repository

https://github.com/WeblateOrg/weblate

Date and time

Published

over 1 year ago

Updated

12 months ago

API

JSON