CVE-2024-12718: Path Traversal in Python Software Foundation CPython

CWE-22 Path Traversal | 9 documents | 8 sources
Severity: 5.3 MEDIUM (NVD)
EPSS: 0.7% (top 28.13%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jun 3; latest update Jun 19

Description

Allows modifying some file metadata (e.g. last-modified time) with filter="data", or file permissions (chmod) with filter="tar", of files outside the extraction directory. You are affected by this vulnerability if you use the tarfile module to extract untrusted tar archives with TarFile.extractall() or TarFile.extract() and the filter= parameter set to "data" or "tar". See the tarfile extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter for

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N (Exploitability: 3.9 | Impact: 1.4)

Affected Packages (1 package)

CVEListV5: python_software_foundation/cpython, affected range 3.10.0 to 3.10.18 (+5 more ranges)

🔴 Vulnerability Details (4)

OSV: CVE-2024-12718: Allows modifying some file metadata (e... (2025-06-03)
GHSA: GHSA-2pg8-h2j6-28xm: Allows modifying some file metadata (e... (2025-06-03)
CVEList: Bypass extraction filter to modify file metadata outside extraction directory (2025-06-03)
OSV: CVE-2024-12718: Allows modifying some file metadata (e... (2025-06-03)

📋 Vendor Advisories (4)

Ubuntu: Python vulnerabilities (2025-06-19)
Microsoft: Bypass extraction filter to modify file metadata outside extraction directory (2025-06-10)
Red Hat: cpython: python: Bypass extraction filter to modify file metadata outside extraction directory (2025-06-03)
Debian: CVE-2024-12718: jython - Allows modifying some file metadata (e.g. last modified) with filter="data" or f... (2024)
CVE-2024-12718 — Path Traversal | cvebase