CVE-2021-34363 : The thefuck (aka The Fuck) package before 3.31 for Python allows Path Traversal that leads to arbitrary file deletion vi

The thefuck (aka The Fuck) package before 3.31 for Python allows Path Traversal that leads to arbitrary file deletion via the "undo archive operation" feature.

Published 2021-06-10 11:15:09

Updated 2022-03-25 18:54:39

Source MITRE

View at NVD, CVE.org

Vulnerability category: Directory traversal

Exploit prediction scoring system (EPSS) score for CVE-2021-34363

Probability of exploitation activity in the next 30 days: 0.21%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 58 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2021-34363

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
6.4	MEDIUM	AV:N/AC:L/Au:N/C:N/I:P/A:P	10.0	4.9	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: None Integrity Impact: Partial Availability Impact: Partial
9.1	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H	3.9	5.2	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: High Availability: High

CWE ids for CVE-2021-34363

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2021-34363

https://github.com/nvbn/thefuck/commit/e343c577cd7da4d304b837d4a07ab4df1e023092

NA: Fix possible changes in files outside of working directory (#1206) · nvbn/thefuck@e343c57 · GitHub
Patch;Third Party Advisory
https://github.com/nvbn/thefuck/releases/tag/3.31

Release 3.31 · nvbn/thefuck · GitHub
Release Notes;Third Party Advisory
https://vuln.ryotak.me/advisories/48

Advisory #48 - RyotaK's Vuln DB
Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YA6UNQSOY6M3NJDZLS6YJXTS4WGDMEEJ/

[SECURITY] Fedora 34 Update: thefuck-3.32-1.fc34 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4MEDDLBFVRUQHPYIBJ4MFM3M4NUJUXL5/

[SECURITY] Fedora 35 Update: thefuck-3.32-1.fc35 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory

Products affected by CVE-2021-34363

Fedoraproject » Fedora » Version: 34
cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*
Matching versions
Fedoraproject » Fedora » Version: 35
cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*
Matching versions
The Fuck Project » The Fuck » For Python
Versions before (<) 3.31
cpe:2.3:a:the_fuck_project:the_fuck:*:*:*:*:*:python:*:*
Matching versions

This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to CVEdetails.com terms of use!