NLTK through 3.8.1 allows remote code execution if untrusted packages have pickled Python code, and the integrated data package download functionality is used. This affects, for example, averaged_perceptron_tagger and punkt.
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
### Suggested Fix
Type: Upgrade version
Release Date: 2024-06-27
Fix Resolution (nltk): 3.8.2
Direct dependency fix Resolution (sumy): 0.9.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2021-43818
### Vulnerable Library - lxml-4.6.3-cp37-cp37m-manylinux2014_x86_64.whl
Powerful and Pythonic XML processing library combining libxml2/libxslt with the ElementTree API.
lxml is a library for processing XML and HTML in the Python language. Prior to version 4.6.5, the HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG files embedded using data URIs. Users that employ the HTML cleaner in a security relevant context should upgrade to lxml 4.6.5 to receive a patch. There are no known workarounds available.
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2022-2309
### Vulnerable Library - lxml-4.6.3-cp37-cp37m-manylinux2014_x86_64.whl
Powerful and Pythonic XML processing library combining libxml2/libxslt with the ElementTree API.
NULL Pointer Dereference allows attackers to cause a denial of service (or application crash). This only applies when lxml is used together with libxml2 2.9.10 through 2.9.14. libxml2 2.9.9 and earlier are not affected. It allows triggering crashes through forged input data, given a vulnerable code sequence in the application. The vulnerability is caused by the iterwalk function (also used by the canonicalize function). Such code shouldn't be in wide-spread use, given that parsing + iterwalk would usually be replaced with the more efficient iterparse function. However, an XML converter that serialises to C14N would also be vulnerable, for example, and there are legitimate use cases for this code sequence. If untrusted input is received (also remotely) and processed via iterwalk function, a crash can be triggered.
NLTK (Natural Language Toolkit) is a suite of open source Python modules, data sets, and tutorials supporting research and development in Natural Language Processing. Versions prior to 3.6.5 are vulnerable to regular expression denial of service (ReDoS) attacks. The vulnerability is present in PunktSentenceTokenizer, sent_tokenize and word_tokenize. Any users of this class, or these two functions, are vulnerable to the ReDoS attack. In short, a specifically crafted long input to any of these vulnerable functions will cause them to take a significant amount of execution time. If your program relies on any of the vulnerable functions for tokenizing unpredictable user input, then we would strongly recommend upgrading to a version of NLTK without the vulnerability. For users unable to upgrade the execution time can be bounded by limiting the maximum length of an input to any of the vulnerable functions. Our recommendation is to implement such a limit.
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2022-21797
### Vulnerable Library - joblib-1.1.0-py2.py3-none-any.whl
The package joblib from 0 and before 1.2.0 are vulnerable to Arbitrary Code Execution via the pre_dispatch flag in Parallel() class due to the eval() statement.
In nltk prior to 3.8.1, a user who visits a malicious link with wordnet browser open will execute code on system. This may lead to RCE by inducing user to visit a link.
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2024-34062
### Vulnerable Library - tqdm-4.48.2-py2.py3-none-any.whl
tqdm is an open source progress bar for Python and CLI. Any optional non-boolean CLI arguments (e.g. `--delim`, `--buf-size`, `--manpath`) are passed through python's `eval`, allowing arbitrary code execution. This issue is only locally exploitable and had been addressed in release version 4.66.3. All users are advised to upgrade. There are no known workarounds for this vulnerability.
Vulnerable Library - sumy-0.8.1-py2.py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Found in HEAD commit: 34a70744391d98b49e5f0b8be8fc254a3cf2cf43
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2024-39705
### Vulnerable Library - nltk-3.5.zipNatural Language Toolkit
Library home page: https://files.pythonhosted.org/packages/92/75/ce35194d8e3022203cca0d2f896dbb88689f9b3fce8e9f9cff942913519d/nltk-3.5.zip
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy: - sumy-0.8.1-py2.py3-none-any.whl (Root Library) - :x: **nltk-3.5.zip** (Vulnerable Library)
Found in HEAD commit: 34a70744391d98b49e5f0b8be8fc254a3cf2cf43
Found in base branch: main
### Vulnerability DetailsNLTK through 3.8.1 allows remote code execution if untrusted packages have pickled Python code, and the integrated data package download functionality is used. This affects, for example, averaged_perceptron_tagger and punkt.
Publish Date: 2024-06-27
URL: CVE-2024-39705
### CVSS 3 Score Details (9.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Release Date: 2024-06-27
Fix Resolution (nltk): 3.8.2
Direct dependency fix Resolution (sumy): 0.9.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.CVE-2021-43818
### Vulnerable Library - lxml-4.6.3-cp37-cp37m-manylinux2014_x86_64.whlPowerful and Pythonic XML processing library combining libxml2/libxslt with the ElementTree API.
Library home page: https://files.pythonhosted.org/packages/30/c0/d0526314971fc661b083ab135747dc68446a3022686da8c16d25fcf6ef07/lxml-4.6.3-cp37-cp37m-manylinux2014_x86_64.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy: - sumy-0.8.1-py2.py3-none-any.whl (Root Library) - breadability-0.1.20.tar.gz - :x: **lxml-4.6.3-cp37-cp37m-manylinux2014_x86_64.whl** (Vulnerable Library)
Found in HEAD commit: 34a70744391d98b49e5f0b8be8fc254a3cf2cf43
Found in base branch: main
### Vulnerability Detailslxml is a library for processing XML and HTML in the Python language. Prior to version 4.6.5, the HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG files embedded using data URIs. Users that employ the HTML cleaner in a security relevant context should upgrade to lxml 4.6.5 to receive a patch. There are no known workarounds available.
Publish Date: 2021-12-13
URL: CVE-2021-43818
### CVSS 3 Score Details (8.2)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Changed - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: High - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/lxml/lxml/security/advisories/GHSA-55x5-fj6c-h6m8
Release Date: 2021-12-13
Fix Resolution (lxml): 4.6.5
Direct dependency fix Resolution (sumy): 0.9.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.CVE-2022-2309
### Vulnerable Library - lxml-4.6.3-cp37-cp37m-manylinux2014_x86_64.whlPowerful and Pythonic XML processing library combining libxml2/libxslt with the ElementTree API.
Library home page: https://files.pythonhosted.org/packages/30/c0/d0526314971fc661b083ab135747dc68446a3022686da8c16d25fcf6ef07/lxml-4.6.3-cp37-cp37m-manylinux2014_x86_64.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy: - sumy-0.8.1-py2.py3-none-any.whl (Root Library) - breadability-0.1.20.tar.gz - :x: **lxml-4.6.3-cp37-cp37m-manylinux2014_x86_64.whl** (Vulnerable Library)
Found in HEAD commit: 34a70744391d98b49e5f0b8be8fc254a3cf2cf43
Found in base branch: main
### Vulnerability DetailsNULL Pointer Dereference allows attackers to cause a denial of service (or application crash). This only applies when lxml is used together with libxml2 2.9.10 through 2.9.14. libxml2 2.9.9 and earlier are not affected. It allows triggering crashes through forged input data, given a vulnerable code sequence in the application. The vulnerability is caused by the iterwalk function (also used by the canonicalize function). Such code shouldn't be in wide-spread use, given that parsing + iterwalk would usually be replaced with the more efficient iterparse function. However, an XML converter that serialises to C14N would also be vulnerable, for example, and there are legitimate use cases for this code sequence. If untrusted input is received (also remotely) and processed via iterwalk function, a crash can be triggered.
Publish Date: 2022-07-05
URL: CVE-2022-2309
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Release Date: 2022-07-05
Fix Resolution (lxml): 4.9.1
Direct dependency fix Resolution (sumy): 0.9.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.CVE-2021-43854
### Vulnerable Library - nltk-3.5.zipNatural Language Toolkit
Library home page: https://files.pythonhosted.org/packages/92/75/ce35194d8e3022203cca0d2f896dbb88689f9b3fce8e9f9cff942913519d/nltk-3.5.zip
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy: - sumy-0.8.1-py2.py3-none-any.whl (Root Library) - :x: **nltk-3.5.zip** (Vulnerable Library)
Found in HEAD commit: 34a70744391d98b49e5f0b8be8fc254a3cf2cf43
Found in base branch: main
### Vulnerability DetailsNLTK (Natural Language Toolkit) is a suite of open source Python modules, data sets, and tutorials supporting research and development in Natural Language Processing. Versions prior to 3.6.5 are vulnerable to regular expression denial of service (ReDoS) attacks. The vulnerability is present in PunktSentenceTokenizer, sent_tokenize and word_tokenize. Any users of this class, or these two functions, are vulnerable to the ReDoS attack. In short, a specifically crafted long input to any of these vulnerable functions will cause them to take a significant amount of execution time. If your program relies on any of the vulnerable functions for tokenizing unpredictable user input, then we would strongly recommend upgrading to a version of NLTK without the vulnerability. For users unable to upgrade the execution time can be bounded by limiting the maximum length of an input to any of the vulnerable functions. Our recommendation is to implement such a limit.
Publish Date: 2021-12-23
URL: CVE-2021-43854
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43854
Release Date: 2021-12-23
Fix Resolution (nltk): 3.6.6
Direct dependency fix Resolution (sumy): 0.9.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.CVE-2021-3842
### Vulnerable Library - nltk-3.5.zipNatural Language Toolkit
Library home page: https://files.pythonhosted.org/packages/92/75/ce35194d8e3022203cca0d2f896dbb88689f9b3fce8e9f9cff942913519d/nltk-3.5.zip
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy: - sumy-0.8.1-py2.py3-none-any.whl (Root Library) - :x: **nltk-3.5.zip** (Vulnerable Library)
Found in HEAD commit: 34a70744391d98b49e5f0b8be8fc254a3cf2cf43
Found in base branch: main
### Vulnerability Detailsnltk is vulnerable to Inefficient Regular Expression Complexity
Publish Date: 2022-01-04
URL: CVE-2021-3842
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/nltk/nltk/security/advisories/GHSA-f8m6-h2c7-8h9x
Release Date: 2022-01-04
Fix Resolution (nltk): 3.6.6
Direct dependency fix Resolution (sumy): 0.9.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.CVE-2021-3828
### Vulnerable Library - nltk-3.5.zipNatural Language Toolkit
Library home page: https://files.pythonhosted.org/packages/92/75/ce35194d8e3022203cca0d2f896dbb88689f9b3fce8e9f9cff942913519d/nltk-3.5.zip
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy: - sumy-0.8.1-py2.py3-none-any.whl (Root Library) - :x: **nltk-3.5.zip** (Vulnerable Library)
Found in HEAD commit: 34a70744391d98b49e5f0b8be8fc254a3cf2cf43
Found in base branch: main
### Vulnerability Detailsnltk is vulnerable to Inefficient Regular Expression Complexity
Publish Date: 2021-09-27
URL: CVE-2021-3828
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-3828
Release Date: 2021-09-27
Fix Resolution (nltk): 3.6.4
Direct dependency fix Resolution (sumy): 0.9.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.CVE-2022-21797
### Vulnerable Library - joblib-1.1.0-py2.py3-none-any.whlLightweight pipelining with Python functions
Library home page: https://files.pythonhosted.org/packages/3e/d5/0163eb0cfa0b673aa4fe1cd3ea9d8a81ea0f32e50807b0c295871e4aab2e/joblib-1.1.0-py2.py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy: - sumy-0.8.1-py2.py3-none-any.whl (Root Library) - nltk-3.5.zip - :x: **joblib-1.1.0-py2.py3-none-any.whl** (Vulnerable Library)
Found in HEAD commit: 34a70744391d98b49e5f0b8be8fc254a3cf2cf43
Found in base branch: main
### Vulnerability DetailsThe package joblib from 0 and before 1.2.0 are vulnerable to Arbitrary Code Execution via the pre_dispatch flag in Parallel() class due to the eval() statement.
Publish Date: 2022-09-26
URL: CVE-2022-21797
### CVSS 3 Score Details (7.3)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: Low
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Release Date: 2022-09-26
Fix Resolution (joblib): 1.2.0
Direct dependency fix Resolution (sumy): 0.9.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.WS-2022-0437
### Vulnerable Library - nltk-3.5.zipNatural Language Toolkit
Library home page: https://files.pythonhosted.org/packages/92/75/ce35194d8e3022203cca0d2f896dbb88689f9b3fce8e9f9cff942913519d/nltk-3.5.zip
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy: - sumy-0.8.1-py2.py3-none-any.whl (Root Library) - :x: **nltk-3.5.zip** (Vulnerable Library)
Found in HEAD commit: 34a70744391d98b49e5f0b8be8fc254a3cf2cf43
Found in base branch: main
### Vulnerability DetailsIn nltk/nltk, a reflected XSS can be achieved by simply creating a URL, which leads to browser hijacking, and sensitive information loss.
Publish Date: 2022-12-23
URL: WS-2022-0437
### CVSS 3 Score Details (6.1)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Changed - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://huntr.dev/bounties/861a8d11-0fe9-4c2f-9112-af3a9559fa87/
Release Date: 2022-12-23
Fix Resolution (nltk): 3.8.1
Direct dependency fix Resolution (sumy): 0.9.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.WS-2022-0438
### Vulnerable Library - nltk-3.5.zipNatural Language Toolkit
Library home page: https://files.pythonhosted.org/packages/92/75/ce35194d8e3022203cca0d2f896dbb88689f9b3fce8e9f9cff942913519d/nltk-3.5.zip
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy: - sumy-0.8.1-py2.py3-none-any.whl (Root Library) - :x: **nltk-3.5.zip** (Vulnerable Library)
Found in HEAD commit: 34a70744391d98b49e5f0b8be8fc254a3cf2cf43
Found in base branch: main
### Vulnerability DetailsIn nltk prior to 3.8.1, a user who visits a malicious link with wordnet browser open will execute code on system. This may lead to RCE by inducing user to visit a link.
Publish Date: 2022-12-29
URL: WS-2022-0438
### CVSS 3 Score Details (5.0)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: Low
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://huntr.dev/bounties/cd3957f0-2c9c-416d-bc3a-190a5b7ce4a6/
Release Date: 2022-12-29
Fix Resolution (nltk): 3.8.1
Direct dependency fix Resolution (sumy): 0.9.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.CVE-2024-34062
### Vulnerable Library - tqdm-4.48.2-py2.py3-none-any.whlFast, Extensible Progress Meter
Library home page: https://files.pythonhosted.org/packages/28/7e/281edb5bc3274dfb894d90f4dbacfceaca381c2435ec6187a2c6f329aed7/tqdm-4.48.2-py2.py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy: - sumy-0.8.1-py2.py3-none-any.whl (Root Library) - nltk-3.5.zip - :x: **tqdm-4.48.2-py2.py3-none-any.whl** (Vulnerable Library)
Found in HEAD commit: 34a70744391d98b49e5f0b8be8fc254a3cf2cf43
Found in base branch: main
### Vulnerability Detailstqdm is an open source progress bar for Python and CLI. Any optional non-boolean CLI arguments (e.g. `--delim`, `--buf-size`, `--manpath`) are passed through python's `eval`, allowing arbitrary code execution. This issue is only locally exploitable and had been addressed in release version 4.66.3. All users are advised to upgrade. There are no known workarounds for this vulnerability.
Publish Date: 2024-05-03
URL: CVE-2024-34062
### CVSS 3 Score Details (4.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Local - Attack Complexity: Low - Privileges Required: Low - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: Low
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/tqdm/tqdm/security/advisories/GHSA-g7vv-2v7x-gj9p
Release Date: 2024-05-03
Fix Resolution (tqdm): 4.66.4
Direct dependency fix Resolution (sumy): 0.9.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.:rescue_worker_helmet:Automatic Remediation will be attempted for this issue.