#VU20543 Path traversal in Natural Language Toolkit - CVE-2019-14751

Cybersecurity Help s.r.o.

Published: 2019-09-02

Vulnerability identifier: #VU20543

Vulnerability risk: Medium

CVSSv4.0: 7.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/U:Green]

CVE-ID: CVE-2019-14751

CWE-ID: CWE-22

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Natural Language Toolkit
Web applications / Modules and components for CMS

Vendor: nltk.org

Description

The vulnerability allows a remote attacker to write arbitrary files on the target system.

The vulnerability exists due to the affected software does not properly handle ZIP archives during extraction. A remote attacker can by extract a ZIP archive that contains malicious traversal characters and write arbitrary files via a ../ (dot dot slash) on the system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Natural Language Toolkit: 2.0.1 - 3.4.4

External links
https://github.com/mssalvatore/CVE-2019-14751_PoC
https://github.com/nltk/nltk/blob/3.4.5/ChangeLog
https://github.com/nltk/nltk/commit/f59d7ed8df2e0e957f7f247fe218032abdbe9a10
https://salvatoresecurity.com/zip-slip-in-nltk-cve-2019-14751/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

Latest bulletins with this vulnerability

OpenSUSE Linux update for python-nltk

Ubuntu update for NLTK

Path traversal in Natural Language Toolkit (NLTK)