CVE-2024-39705: Deserialization of Untrusted Data in NLTK

Severity: 9.8 CRITICAL (NVD)
EPSS: 10.8% (top 6.62%)
CISA KEV: Not in KEV
Exploit: No known exploits

Timeline
Published: Jun 27
Latest update: Jun 28

Description

NLTK through 3.8.1 allows remote code execution if untrusted packages contain pickled Python code and the integrated data-package download functionality is used. This affects, for example, averaged_perceptron_tagger and punkt.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9

Affected Packages (3 packages)

PyPI: nltk/nltk < 3.9
Debian: debian/nltk < nltk 3.9.1-1 (forky)
Debian: nltk/nltk < 3.9.1-1+1

🔴 Vulnerability Details (3)

GHSA: nltk unsafe deserialization vulnerability (2024-06-28)
OSV: nltk unsafe deserialization vulnerability (2024-06-28)
OSV: CVE-2024-39705: NLTK through 3 (2024-06-27)

📋 Vendor Advisories (1)

Debian: CVE-2024-39705: nltk - NLTK through 3.8.1 allows remote code execution if untrusted packages have pickl... (2024)