Fedora Account System
Red Hat Associate
Red Hat Customer
NLTK through 3.8.1 allows remote code execution if untrusted packages have pickled Python code, and the integrated data package download functionality is used. This affects, for example, averaged_perceptron_tagger and punkt. References: https://github.com/nltk/nltk/issues/2522 https://github.com/nltk/nltk/issues/3266 https://github.com/advisories/GHSA-cgvx-9447-vcch
Created python-nltk tracking bugs for this issue: Affects: fedora-all [bug 2294672]