GHSA-4365-fhm5-qcrx
Suggest an improvement- Source
- https://github.com/advisories/GHSA-4365-fhm5-qcrx
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/10/GHSA-4365-fhm5-qcrx/GHSA-4365-fhm5-qcrx.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-4365-fhm5-qcrx
- Aliases
- Related
- Published
- 2021-10-22T16:19:13Z
- Modified
- 2024-10-16T21:08:52.165252Z
- Severity
-
- 7.3 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:H CVSS Calculator
- Summary
- Maliciously Crafted Model Archive Can Lead To Arbitrary File Write
- Details
-
Impact
An Archive Extraction (Zip Slip) vulnerability in the functionality that allows a user to load a trained model archive in Rasa 2.8.9 and older allows an attacker arbitrary write capability within specific directories using a malicious crafted archive file.
Patches
The vulnerability is fixed in Rasa 2.8.10
Workarounds
Mitigating steps for vulnerable end users are to ensure that they do not upload untrusted model files, and restrict CLI or API endpoint access where a malicious actor could target a deployed Rasa instance.
For more information
If you have any questions or comments about this advisory: * Email the Rasa Security Team
- Database specific
{ "nvd_published_at": "2021-10-21T21:15:00Z", "cwe_ids": [ "CWE-22", "CWE-23" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2021-10-21T20:32:19Z" }- References
Affected packages
PyPI / rasa
Package
- Name
- rasa
- View open source insights on deps.dev
- Purl
- pkg:pypi/rasa
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed2.8.10
Affected versions
0.*
0.0.1
0.0.2
0.0.3
0.0.4
0.0.5
0.1.0
0.1.1
0.2.0a2
0.2.0a3
0.14.0a5
0.14.0a6
0.14.0a7
0.14.0a8
0.14.0a9
0.15.0a6
1.*
1.0.0a1
1.0.0a2
1.0.0a3
1.0.0a4
1.0.0a5
1.0.0rc1
1.0.0rc2
1.0.0rc3
1.0.0rc4
1.0.0rc5
1.0.0rc6
1.0.0rc7
1.0.0rc8
1.0.0rc9
1.0.0rc10
1.0.0rc11
1.0.0rc12
1.0.0
1.0.1
1.0.2
1.0.3
1.0.4
1.0.5
1.0.6
1.0.7
1.0.8
1.0.9
1.1.0
1.1.1
1.1.2
1.1.3
1.1.4
1.1.5
1.1.6
1.1.7
1.1.8
1.2.0a2
1.2.0a3
1.2.0a4
1.2.0a5
1.2.0a6
1.2.0a7
1.2.0
1.2.1
1.2.2
1.2.3
1.2.4
1.2.5
1.2.6
1.2.7
1.2.8
1.2.9
1.2.10
1.2.11
1.2.12
1.3.0a1
1.3.0a2
1.3.0
1.3.1a1
1.3.1a3
1.3.1a4
1.3.1a5
1.3.1a8
1.3.1a10
1.3.1a11
1.3.1a12
1.3.1a14
1.3.1
1.3.2
1.3.3
1.3.4
1.3.6
1.3.7
1.3.8
1.3.9
1.3.10
1.4.0
1.4.1
1.4.2
1.4.3
1.4.4
1.4.5
1.4.6
1.5.0
1.5.1
1.5.2
1.5.3
1.6.0a1
1.6.0a2
1.6.0
1.6.1
1.6.2
1.7.0
1.7.1
1.7.2
1.7.3
1.7.4
1.8.0
1.8.1
1.8.2
1.8.3
1.9.0
1.9.1
1.9.2
1.9.3
1.9.4
1.9.5
1.9.6
1.9.7
1.10.0a1
1.10.0a2
1.10.0
1.10.1
1.10.2
1.10.3
1.10.4
1.10.5
1.10.6
1.10.7
1.10.8
1.10.9
1.10.10
1.10.11
1.10.12
1.10.13
1.10.14
1.10.15
1.10.16
1.10.17
1.10.18
1.10.19
1.10.20
1.10.21
1.10.22
1.10.23
1.10.24
1.10.25
1.10.26
2.*
2.0.0a1
2.0.0a2
2.0.0a3
2.0.0a4
2.0.0a5
2.0.0a6
2.0.0rc1
2.0.0rc2
2.0.0rc3
2.0.0rc4
2.0.0
2.0.1
2.0.2
2.0.3
2.0.4
2.0.5
2.0.6
2.0.7
2.0.8
2.1.0
2.1.1
2.1.2
2.1.3
2.2.0a1
2.2.0
2.2.1
2.2.2
2.2.3
2.2.4
2.2.5
2.2.6
2.2.7
2.2.8
2.2.9
2.2.10
2.3.0
2.3.1
2.3.2
2.3.3
2.3.4
2.3.5
2.4.0
2.4.1
2.4.2
2.4.3
2.5.0
2.5.1
2.5.2
2.6.0
2.6.1
2.6.2
2.6.3
2.7.0
2.7.1
2.7.2
2.8.0
2.8.1
2.8.2
2.8.3
2.8.4
2.8.5
2.8.6
2.8.7
2.8.8
2.8.9