Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.


The Fuck Arbitrary File Deletion via Path Traversal

thefuck (aka The Fuck) is an app that corrects errors in previous console commands. The Fuck Python package before 3.31 allows path traversal that leads to arbitrary file deletion via the "undo archive operation" feature.

Permalink: https://github.com/advisories/GHSA-8wwf-2644-f8x4
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTh3d2YtMjY0NC1mOHg0
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: almost 3 years ago
Updated: 8 months ago


CVSS Score: 9.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Identifiers: GHSA-8wwf-2644-f8x4, CVE-2021-34363
References: Repository: https://github.com/nvbn/thefuck
Blast Radius: 18.7

Affected Packages

pypi:thefuck
Dependent packages: 4
Dependent repositories: 113
Downloads: 7,130 last month
Affected Version Ranges: < 3.31
Fixed in: 3.31
All affected versions: 1.49.1, 2.5.1, 2.5.2, 2.5.3, 2.5.4, 2.5.5, 2.5.6, 2.9.1
All unaffected versions: