2294671 – (CVE-2024-39705) CVE-2024-39705 nltk: Remote Code Execution (RCE) via untrusted packages

Bug 2294671 (CVE-2024-39705) - CVE-2024-39705 nltk: Remote Code Execution (RCE) via untrusted packages

Summary: CVE-2024-39705 nltk: Remote Code Execution (RCE) via untrusted packages

Keywords:
Status:	NEW
Alias:	CVE-2024-39705
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2294672
Blocks:	2294670
TreeView+	depends on / blocked

Reported:	2024-06-28 01:30 UTC by Patrick Del Bello
Modified:	2024-07-03 14:15 UTC (History)
CC List:	3 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description Patrick Del Bello 2024-06-28 01:30:58 UTC

NLTK through 3.8.1 allows remote code execution if untrusted packages have pickled Python code, and the integrated data package download functionality is used. This affects, for example, averaged_perceptron_tagger and punkt.

References:
https://github.com/nltk/nltk/issues/2522
https://github.com/nltk/nltk/issues/3266
https://github.com/advisories/GHSA-cgvx-9447-vcch

Comment 1 Patrick Del Bello 2024-06-28 01:31:46 UTC

Created python-nltk tracking bugs for this issue:

Affects: fedora-all [bug 2294672]

Note You need to log in before you can comment on or make changes to this bug.