CVE-2019-14751 Detail

Modified: This vulnerability has been modified since it was last analyzed by the NVD. It is awaiting reanalysis, which may result in further changes to the information provided.

Current Description
NLTK Downloader before 3.4.5 is vulnerable to a directory traversal, allowing attackers to write arbitrary files via a ../ (dot dot slash) in an NLTK package (ZIP archive) that is mishandled during extraction.
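The bug class named in the description (a ../ entry in a ZIP archive that is mishandled during extraction, CWE-22) can be detected and blocked at extraction time by resolving every entry path and requiring it to stay inside the extraction root. The following is an added example, not NLTK's code or the PoC referenced in the change history; the archive contents, the helper names and the default root path are constructed for illustration.

```python
import io
import os
import tempfile
import zipfile

def build_zip(entries: dict) -> bytes:
    buf = io.BytesIO()  # in-memory archive; zipfile does not sanitize entry names here
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

BENIGN_ZIP = build_zip({"corpus/readme.txt": "benign content\n"})  # constructed sample
TRAVERSAL_ZIP = build_zip({"corpus/readme.txt": "benign content\n",  # constructed sample with a Zip Slip entry
                           "../outside.txt": "lands outside the target dir\n"})

def is_within(root: str, candidate: str) -> bool:
    """True if the resolved candidate path stays inside the resolved root."""
    root_real = os.path.realpath(root)
    return os.path.commonpath([root_real, os.path.realpath(candidate)]) == root_real

def traversal_entries(zip_bytes: bytes, root: str = "/tmp/extract-root") -> list:
    """Detection: names that would escape root (root need not exist; default is an assumption)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if not is_within(root, os.path.join(root, n))]

def safe_extract(zip_bytes: bytes, root: str) -> list:
    """Manual extraction loop with the containment check run before any write."""
    bad = traversal_entries(zip_bytes, root)
    if bad:
        raise ValueError(f"refusing to extract {bad}: would escape {root}")
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = os.path.join(root, info.filename)
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(target)
    return written

def try_extract(zip_bytes: bytes) -> tuple:
    with tempfile.TemporaryDirectory() as root:  # fresh root; report whether the archive was accepted
        try:
            return True, f"wrote {len(safe_extract(zip_bytes, root))} file(s)"
        except ValueError as exc:
            return False, str(exc)
```

The check is done over the whole entry list before the first write, so a mixed archive is rejected as a unit rather than partially extracted.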




CVSS 3.x Severity and Metrics (NIST: NVD)
Base Score: 7.5 HIGH
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVSS 2.0 Severity and Metrics (NIST: NVD)



Base Score: 5.0 MEDIUM
Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

Weakness Enumeration
CWE-ID: CWE-22
CWE Name: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Source: NIST

Known Affected Software Configurations


Change History (5 change records found)

CVE Modified by MITRE, 4/01/2020 11:15:34 AM
  Added Reference: http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00001.html [No Types Assigned]



CVE Modified by MITRE, 3/31/2020 5:15:15 PM
  Added Reference: http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00054.html [No Types Assigned]



CVE Modified by MITRE, 3/27/2020 11:15:12 AM
  Added Reference: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QI4IJGLZQ5S7C5LNRNROHAO2P526XE3D/ [No Types Assigned]



CVE Modified by MITRE, 3/27/2020 6:15:12 AM
  Added Reference: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZGZSSEJH7RHH3RBUEVWWYT75QU67J7SE/ [No Types Assigned]



Initial Analysis, 8/29/2019 2:58:45 PM
  Added CPE Configuration: OR *cpe:2.3:a:nltk:nltk:*:*:*:*:*:*:*:* versions up to (excluding) 3.4.5
  Added CVSS V2: (AV:N/AC:L/Au:N/C:N/I:P/A:N)
  Added CVSS V3: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
  Added CWE: CWE-22
  Changed Reference Type: https://github.com/mssalvatore/CVE-2019-14751_PoC
    from: No Types Assigned
    to:   Exploit, Patch, Third Party Advisory
  Changed Reference Type: https://github.com/nltk/nltk/blob/3.4.5/ChangeLog
    from: No Types Assigned
    to:   Release Notes
  Changed Reference Type: https://github.com/nltk/nltk/commit/f59d7ed8df2e0e957f7f247fe218032abdbe9a10
    from: No Types Assigned
    to:   Patch
  Changed Reference Type: https://salvatoresecurity.com/zip-slip-in-nltk-cve-2019-14751/
    from: No Types Assigned
    to:   Exploit, Patch, Third Party Advisory



Quick Info
CVE Dictionary Entry: CVE-2019-14751
NVD Published Date: 08/22/2019
NVD Last Modified: 03/27/2020
Source: MITRE

