fkie_cve-2024-12389
Vulnerability from fkie_nvd
Published
2025-03-20 10:15
Modified
2025-07-31 19:32
Severity ?
Summary
A path traversal vulnerability exists in binary-husky/gpt_academic version git 310122f. The application supports the extraction of user-provided 7z files without proper validation. The Python py7zr package used for extraction does not guarantee that files will remain within the intended extraction directory. An attacker can exploit this vulnerability to perform arbitrary file writes, which can lead to remote code execution.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| security@huntr.dev | https://huntr.com/bounties/37afb1c9-bba9-47ee-8617-a5f715271654 | Exploit, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| binary-husky | gpt_academic | 2024-10-15 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:binary-husky:gpt_academic:2024-10-15:*:*:*:*:*:*:*",
"matchCriteriaId": "6B6DCF58-F2C2-4491-92A8-BAC81C60A9A4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A path traversal vulnerability exists in binary-husky/gpt_academic version git 310122f. The application supports the extraction of user-provided 7z files without proper validation. The Python py7zr package used for extraction does not guarantee that files will remain within the intended extraction directory. An attacker can exploit this vulnerability to perform arbitrary file writes, which can lead to remote code execution."
},
{
"lang": "es",
"value": "Existe una vulnerabilidad de path traversal en binary-husky/gpt_academic versi\u00f3n git 310122f. La aplicaci\u00f3n permite la extracci\u00f3n de archivos 7z proporcionados por el usuario sin la validaci\u00f3n adecuada. El paquete Python py7zr utilizado para la extracci\u00f3n no garantiza que los archivos permanezcan en el directorio de extracci\u00f3n previsto. Un atacante puede explotar esta vulnerabilidad para realizar escrituras arbitrarias en archivos, lo que puede provocar la ejecuci\u00f3n remota de c\u00f3digo."
}
],
"id": "CVE-2024-12389",
"lastModified": "2025-07-31T19:32:25.923",
"metrics": {
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "security@huntr.dev",
"type": "Secondary"
}
]
},
"published": "2025-03-20T10:15:28.247",
"references": [
{
"source": "security@huntr.dev",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://huntr.com/bounties/37afb1c9-bba9-47ee-8617-a5f715271654"
}
],
"sourceIdentifier": "security@huntr.dev",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-29"
}
],
"source": "security@huntr.dev",
"type": "Primary"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…