CVE-2019-14751
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2019-14751
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-14751.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2019-14751
- Aliases
- Downstream
- Related
- Published
- 2019-08-22T16:15:10.213Z
- Modified
- 2025-11-14T09:13:24.440386Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS Calculator
- Summary
- [none]
- Details
-
NLTK Downloader before 3.4.5 is vulnerable to a directory traversal, allowing attackers to write arbitrary files via a ../ (dot dot slash) in an NLTK package (ZIP archive) that is mishandled during extraction.
- References
-
- http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00054.html
- http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00001.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QI4IJGLZQ5S7C5LNRNROHAO2P526XE3D/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZGZSSEJH7RHH3RBUEVWWYT75QU67J7SE/
- https://github.com/mssalvatore/CVE-2019-14751_PoC
- https://github.com/nltk/nltk/blob/3.4.5/ChangeLog
- https://salvatoresecurity.com/zip-slip-in-nltk-cve-2019-14751/
- https://github.com/nltk/nltk/commit/f59d7ed8df2e0e957f7f247fe218032abdbe9a10
Affected packages
Git / github.com/nltk/nltk
Affected ranges
- Type
- GIT
- Repo
- https://github.com/nltk/nltk
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed