CVE-2021-34363: The Fuck Arbitrary File Deletion via Path Traversal
(updated )
The thefuck (aka The Fuck) is app that corrects errors in previous console commands. The Fuck python package before 3.31 allows Path Traversal that leads to arbitrary file deletion via the undo archive operation feature.
References
- github.com/advisories/GHSA-8wwf-2644-f8x4
- github.com/nvbn/thefuck
- github.com/nvbn/thefuck/commit/e343c577cd7da4d304b837d4a07ab4df1e023092
- github.com/nvbn/thefuck/releases/tag/3.31
- github.com/pypa/advisory-database/tree/main/vulns/thefuck/PYSEC-2021-97.yaml
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4MEDDLBFVRUQHPYIBJ4MFM3M4NUJUXL5
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YA6UNQSOY6M3NJDZLS6YJXTS4WGDMEEJ
- nvd.nist.gov/vuln/detail/CVE-2021-34363
- vuln.ryotak.me/advisories/48
Code Behaviors & Features
Detect and mitigate CVE-2021-34363 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →