#VU105947 External Control of File Name or Path in Luigi - CVE-2024-21542

Cybersecurity Help s.r.o.

Published: 2025-03-21

Vulnerability identifier: #VU105947

Vulnerability risk: High

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2024-21542

CWE-ID: CWE-73

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Luigi
Web applications / Remote management & hosting panels

Vendor: Spotify

Description

The vulnerability allows a remote attacker to overwrite arbitrary files on the system.

The vulnerability exists due to improper validation of file names when unpacking them from an archive in the _extract_packages_archive() function. A remote attacker can pass a specially crafted archive to the application and overwrite arbitrary files on the system (a.k.a. Zip Slip vulnerability).

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Luigi: 1.0.16 - 3.5.2

External links
https://github.com/spotify/luigi/commit/b5d1b965ead7d9f777a3216369b5baf23ec08999
https://github.com/spotify/luigi/issues/3301
https://github.com/spotify/luigi/releases/tag/v3.6.0
https://security.snyk.io/vuln/SNYK-PYTHON-LUIGI-7830489

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Arbitrary file overwrite in Spotify luigi