CVE-2024-39303 — External Control of File Name or Path in Weblate

CWE-73 — External Control of File Name or Path3 documents3 sources

Severity

5.4MEDIUMNVD

EPSS

0.4%

top 36.98%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Weblate Weblateorg Weblate

Timeline

PublishedJul 1

Description

Weblate is a web based localization tool. Prior to version 5.6.2, Weblate didn't correctly validate filenames when restoring project backup. It may be possible to gain unauthorized access to files on the server using a crafted ZIP file. This issue has been addressed in Weblate 5.6.2. As a workaround, do not allow untrusted users to create projects.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.5

Affected Packages3 packages

▶NVDweblate/weblate4.14 — 5.6.2

▶PyPIweblate/weblate4.14 — 5.6.2

▶CVEListV5weblateorg/weblate>= 4.14, < 5.6.2

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

Weblate vulnerable to improper sanitization of project backups↗2024-07-01

▶

OSV

Weblate vulnerable to improper sanitization of project backups↗2024-07-01

▶