cvelistv5 - cve-2024-39705

CVE-2024-39705 (GCVE-0-2024-39705)

Vulnerability from cvelistv5

Published

2024-06-27 00:00

Modified

2024-09-15 19:27

Severity ?

9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE

Summary

NLTK through 3.8.1 allows remote code execution if untrusted packages have pickled Python code, and the integrated data package download functionality is used. This affects, for example, averaged_perceptron_tagger and punkt.

References

URL

Tags

	cve@mitre.org	https://github.com/nltk/nltk/issues/2522
	cve@mitre.org	https://github.com/nltk/nltk/issues/3266
	cve@mitre.org	https://www.vicarius.io/vsociety/posts/rce-in-python-nltk-cve-2024-39705-39706
	af854a3a-2127-422b-91ae-364da2661108	https://github.com/nltk/nltk/issues/2522
	af854a3a-2127-422b-91ae-364da2661108	https://github.com/nltk/nltk/issues/3266
	af854a3a-2127-422b-91ae-364da2661108	https://www.vicarius.io/vsociety/posts/rce-in-python-nltk-cve-2024-39705-39706

Impacted products

	Vendor	Product	Version
	n/a	n/a	Version: n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:nltk:nltk:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "nltk",
            "vendor": "nltk",
            "versions": [
              {
                "lessThanOrEqual": "3.8.1",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 9.8,
              "baseSeverity": "CRITICAL",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-39705",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-06-28T14:53:05.439937Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-502",
                "description": "CWE-502 Deserialization of Untrusted Data",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-15T19:27:36.034Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-19T07:47:43.179Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/nltk/nltk/issues/3266"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/nltk/nltk/issues/2522"
          },
          {
            "url": "https://www.vicarius.io/vsociety/posts/rce-in-python-nltk-cve-2024-39705-39706"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "NLTK through 3.8.1 allows remote code execution if untrusted packages have pickled Python code, and the integrated data package download functionality is used. This affects, for example, averaged_perceptron_tagger and punkt."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-08-26T15:37:28.272218",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://github.com/nltk/nltk/issues/3266"
        },
        {
          "url": "https://github.com/nltk/nltk/issues/2522"
        },
        {
          "url": "https://www.vicarius.io/vsociety/posts/rce-in-python-nltk-cve-2024-39705-39706"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2024-39705",
    "datePublished": "2024-06-27T00:00:00",
    "dateReserved": "2024-06-27T00:00:00",
    "dateUpdated": "2024-09-15T19:27:36.034Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-39705\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2024-06-27T22:15:10.543\",\"lastModified\":\"2024-11-21T09:28:15.537\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"NLTK through 3.8.1 allows remote code execution if untrusted packages have pickled Python code, and the integrated data package download functionality is used. This affects, for example, averaged_perceptron_tagger and punkt.\"},{\"lang\":\"es\",\"value\":\"NLTK hasta 3.8.1 permite la ejecuci\u00f3n remota de c\u00f3digo si los paquetes que no son de confianza tienen c\u00f3digo Python encurtido y se utiliza la funcionalidad de descarga de paquetes de datos integrada. Esto afecta, por ejemplo, a Averaged_perceptron_tagger y punkt.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-502\"}]}],\"references\":[{\"url\":\"https://github.com/nltk/nltk/issues/2522\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://github.com/nltk/nltk/issues/3266\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://www.vicarius.io/vsociety/posts/rce-in-python-nltk-cve-2024-39705-39706\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://github.com/nltk/nltk/issues/2522\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://github.com/nltk/nltk/issues/3266\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://www.vicarius.io/vsociety/posts/rce-in-python-nltk-cve-2024-39705-39706\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/nltk/nltk/issues/3266\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://github.com/nltk/nltk/issues/2522\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://www.vicarius.io/vsociety/posts/rce-in-python-nltk-cve-2024-39705-39706\"}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-19T07:47:43.179Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 9.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-39705\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-06-28T14:53:05.439937Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:nltk:nltk:*:*:*:*:*:*:*:*\"], \"vendor\": \"nltk\", \"product\": \"nltk\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"3.8.1\"}], \"defaultStatus\": \"unknown\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-502\", \"description\": \"CWE-502 Deserialization of Untrusted Data\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-06-28T15:01:48.579Z\"}}], \"cna\": {\"affected\": [{\"vendor\": \"n/a\", \"product\": \"n/a\", \"versions\": [{\"status\": \"affected\", \"version\": \"n/a\"}]}], \"references\": [{\"url\": \"https://github.com/nltk/nltk/issues/3266\"}, {\"url\": \"https://github.com/nltk/nltk/issues/2522\"}, {\"url\": \"https://www.vicarius.io/vsociety/posts/rce-in-python-nltk-cve-2024-39705-39706\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"NLTK through 3.8.1 allows remote code execution if untrusted packages have pickled Python code, and the integrated data package download functionality is used. This affects, for example, averaged_perceptron_tagger and punkt.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"text\", \"description\": \"n/a\"}]}], \"providerMetadata\": {\"orgId\": \"8254265b-2729-46b6-b9e3-3dfca2d5bfca\", \"shortName\": \"mitre\", \"dateUpdated\": \"2024-08-26T15:37:28.272218\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-39705\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-09-15T19:27:36.034Z\", \"dateReserved\": \"2024-06-27T00:00:00\", \"assignerOrgId\": \"8254265b-2729-46b6-b9e3-3dfca2d5bfca\", \"datePublished\": \"2024-06-27T00:00:00\", \"assignerShortName\": \"mitre\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

fkie_cve-2024-39705

Vulnerability from fkie_nvd

Published

2024-06-27 22:15

Modified

2024-11-21 09:28

Severity ?

9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

References

	URL	Tags
	cve@mitre.org	https://github.com/nltk/nltk/issues/2522
	cve@mitre.org	https://github.com/nltk/nltk/issues/3266
	cve@mitre.org	https://www.vicarius.io/vsociety/posts/rce-in-python-nltk-cve-2024-39705-39706
	af854a3a-2127-422b-91ae-364da2661108	https://github.com/nltk/nltk/issues/2522
	af854a3a-2127-422b-91ae-364da2661108	https://github.com/nltk/nltk/issues/3266
	af854a3a-2127-422b-91ae-364da2661108	https://www.vicarius.io/vsociety/posts/rce-in-python-nltk-cve-2024-39705-39706

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "NLTK through 3.8.1 allows remote code execution if untrusted packages have pickled Python code, and the integrated data package download functionality is used. This affects, for example, averaged_perceptron_tagger and punkt."
    },
    {
      "lang": "es",
      "value": "NLTK hasta 3.8.1 permite la ejecuci\u00f3n remota de c\u00f3digo si los paquetes que no son de confianza tienen c\u00f3digo Python encurtido y se utiliza la funcionalidad de descarga de paquetes de datos integrada. Esto afecta, por ejemplo, a Averaged_perceptron_tagger y punkt."
    }
  ],
  "id": "CVE-2024-39705",
  "lastModified": "2024-11-21T09:28:15.537",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2024-06-27T22:15:10.543",
  "references": [
    {
      "source": "cve@mitre.org",
      "url": "https://github.com/nltk/nltk/issues/2522"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://github.com/nltk/nltk/issues/3266"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://www.vicarius.io/vsociety/posts/rce-in-python-nltk-cve-2024-39705-39706"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://github.com/nltk/nltk/issues/2522"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://github.com/nltk/nltk/issues/3266"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://www.vicarius.io/vsociety/posts/rce-in-python-nltk-cve-2024-39705-39706"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-502"
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary"
    }
  ]
}

opensuse-su-2024:14103-1

Vulnerability from csaf_opensuse

Published

2024-07-04 00:00

Modified

2024-07-04 00:00

Summary

python310-nltk-3.8.1-2.1 on GA media

Notes

Title of the patch

python310-nltk-3.8.1-2.1 on GA media

Description of the patch

These are all security issues fixed in the python310-nltk-3.8.1-2.1 package on the GA media of openSUSE Tumbleweed.

Patchnames

openSUSE-Tumbleweed-2024-14103

CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "python310-nltk-3.8.1-2.1 on GA media",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "These are all security issues fixed in the python310-nltk-3.8.1-2.1 package on the GA media of openSUSE Tumbleweed.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-Tumbleweed-2024-14103",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_14103-1.json"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2019-14751 page",
        "url": "https://www.suse.com/security/cve/CVE-2019-14751/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2024-39705 page",
        "url": "https://www.suse.com/security/cve/CVE-2024-39705/"
      }
    ],
    "title": "python310-nltk-3.8.1-2.1 on GA media",
    "tracking": {
      "current_release_date": "2024-07-04T00:00:00Z",
      "generator": {
        "date": "2024-07-04T00:00:00Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2024:14103-1",
      "initial_release_date": "2024-07-04T00:00:00Z",
      "revision_history": [
        {
          "date": "2024-07-04T00:00:00Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python310-nltk-3.8.1-2.1.aarch64",
                "product": {
                  "name": "python310-nltk-3.8.1-2.1.aarch64",
                  "product_id": "python310-nltk-3.8.1-2.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "python311-nltk-3.8.1-2.1.aarch64",
                "product": {
                  "name": "python311-nltk-3.8.1-2.1.aarch64",
                  "product_id": "python311-nltk-3.8.1-2.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "python312-nltk-3.8.1-2.1.aarch64",
                "product": {
                  "name": "python312-nltk-3.8.1-2.1.aarch64",
                  "product_id": "python312-nltk-3.8.1-2.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python310-nltk-3.8.1-2.1.ppc64le",
                "product": {
                  "name": "python310-nltk-3.8.1-2.1.ppc64le",
                  "product_id": "python310-nltk-3.8.1-2.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "python311-nltk-3.8.1-2.1.ppc64le",
                "product": {
                  "name": "python311-nltk-3.8.1-2.1.ppc64le",
                  "product_id": "python311-nltk-3.8.1-2.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "python312-nltk-3.8.1-2.1.ppc64le",
                "product": {
                  "name": "python312-nltk-3.8.1-2.1.ppc64le",
                  "product_id": "python312-nltk-3.8.1-2.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python310-nltk-3.8.1-2.1.s390x",
                "product": {
                  "name": "python310-nltk-3.8.1-2.1.s390x",
                  "product_id": "python310-nltk-3.8.1-2.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "python311-nltk-3.8.1-2.1.s390x",
                "product": {
                  "name": "python311-nltk-3.8.1-2.1.s390x",
                  "product_id": "python311-nltk-3.8.1-2.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "python312-nltk-3.8.1-2.1.s390x",
                "product": {
                  "name": "python312-nltk-3.8.1-2.1.s390x",
                  "product_id": "python312-nltk-3.8.1-2.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python310-nltk-3.8.1-2.1.x86_64",
                "product": {
                  "name": "python310-nltk-3.8.1-2.1.x86_64",
                  "product_id": "python310-nltk-3.8.1-2.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "python311-nltk-3.8.1-2.1.x86_64",
                "product": {
                  "name": "python311-nltk-3.8.1-2.1.x86_64",
                  "product_id": "python311-nltk-3.8.1-2.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "python312-nltk-3.8.1-2.1.x86_64",
                "product": {
                  "name": "python312-nltk-3.8.1-2.1.x86_64",
                  "product_id": "python312-nltk-3.8.1-2.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Tumbleweed",
                "product": {
                  "name": "openSUSE Tumbleweed",
                  "product_id": "openSUSE Tumbleweed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:tumbleweed"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python310-nltk-3.8.1-2.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python310-nltk-3.8.1-2.1.aarch64"
        },
        "product_reference": "python310-nltk-3.8.1-2.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python310-nltk-3.8.1-2.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python310-nltk-3.8.1-2.1.ppc64le"
        },
        "product_reference": "python310-nltk-3.8.1-2.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python310-nltk-3.8.1-2.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python310-nltk-3.8.1-2.1.s390x"
        },
        "product_reference": "python310-nltk-3.8.1-2.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python310-nltk-3.8.1-2.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python310-nltk-3.8.1-2.1.x86_64"
        },
        "product_reference": "python310-nltk-3.8.1-2.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python311-nltk-3.8.1-2.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python311-nltk-3.8.1-2.1.aarch64"
        },
        "product_reference": "python311-nltk-3.8.1-2.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python311-nltk-3.8.1-2.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python311-nltk-3.8.1-2.1.ppc64le"
        },
        "product_reference": "python311-nltk-3.8.1-2.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python311-nltk-3.8.1-2.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python311-nltk-3.8.1-2.1.s390x"
        },
        "product_reference": "python311-nltk-3.8.1-2.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python311-nltk-3.8.1-2.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python311-nltk-3.8.1-2.1.x86_64"
        },
        "product_reference": "python311-nltk-3.8.1-2.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python312-nltk-3.8.1-2.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python312-nltk-3.8.1-2.1.aarch64"
        },
        "product_reference": "python312-nltk-3.8.1-2.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python312-nltk-3.8.1-2.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python312-nltk-3.8.1-2.1.ppc64le"
        },
        "product_reference": "python312-nltk-3.8.1-2.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python312-nltk-3.8.1-2.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python312-nltk-3.8.1-2.1.s390x"
        },
        "product_reference": "python312-nltk-3.8.1-2.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python312-nltk-3.8.1-2.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python312-nltk-3.8.1-2.1.x86_64"
        },
        "product_reference": "python312-nltk-3.8.1-2.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2019-14751",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2019-14751"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "NLTK Downloader before 3.4.5 is vulnerable to a directory traversal, allowing attackers to write arbitrary files via a ../ (dot dot slash) in an NLTK package (ZIP archive) that is mishandled during extraction.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:python310-nltk-3.8.1-2.1.aarch64",
          "openSUSE Tumbleweed:python310-nltk-3.8.1-2.1.ppc64le",
          "openSUSE Tumbleweed:python310-nltk-3.8.1-2.1.s390x",
          "openSUSE Tumbleweed:python310-nltk-3.8.1-2.1.x86_64",
          "openSUSE Tumbleweed:python311-nltk-3.8.1-2.1.aarch64",
          "openSUSE Tumbleweed:python311-nltk-3.8.1-2.1.ppc64le",
          "openSUSE Tumbleweed:python311-nltk-3.8.1-2.1.s390x",
          "openSUSE Tumbleweed:python311-nltk-3.8.1-2.1.x86_64",
          "openSUSE Tumbleweed:python312-nltk-3.8.1-2.1.aarch64",
          "openSUSE Tumbleweed:python312-nltk-3.8.1-2.1.ppc64le",
          "openSUSE Tumbleweed:python312-nltk-3.8.1-2.1.s390x",
          "openSUSE Tumbleweed:python312-nltk-3.8.1-2.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2019-14751",
          "url": "https://www.suse.com/security/cve/CVE-2019-14751"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1146427 for CVE-2019-14751",
          "url": "https://bugzilla.suse.com/1146427"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:python310-nltk-3.8.1-2.1.aarch64",
            "openSUSE Tumbleweed:python310-nltk-3.8.1-2.1.ppc64le",
            "openSUSE Tumbleweed:python310-nltk-3.8.1-2.1.s390x",
            "openSUSE Tumbleweed:python310-nltk-3.8.1-2.1.x86_64",
            "openSUSE Tumbleweed:python311-nltk-3.8.1-2.1.aarch64",
            "openSUSE Tumbleweed:python311-nltk-3.8.1-2.1.ppc64le",
            "openSUSE Tumbleweed:python311-nltk-3.8.1-2.1.s390x",
            "openSUSE Tumbleweed:python311-nltk-3.8.1-2.1.x86_64",
            "openSUSE Tumbleweed:python312-nltk-3.8.1-2.1.aarch64",
            "openSUSE Tumbleweed:python312-nltk-3.8.1-2.1.ppc64le",
            "openSUSE Tumbleweed:python312-nltk-3.8.1-2.1.s390x",
            "openSUSE Tumbleweed:python312-nltk-3.8.1-2.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.0"
          },
          "products": [
            "openSUSE Tumbleweed:python310-nltk-3.8.1-2.1.aarch64",
            "openSUSE Tumbleweed:python310-nltk-3.8.1-2.1.ppc64le",
            "openSUSE Tumbleweed:python310-nltk-3.8.1-2.1.s390x",
            "openSUSE Tumbleweed:python310-nltk-3.8.1-2.1.x86_64",
            "openSUSE Tumbleweed:python311-nltk-3.8.1-2.1.aarch64",
            "openSUSE Tumbleweed:python311-nltk-3.8.1-2.1.ppc64le",
            "openSUSE Tumbleweed:python311-nltk-3.8.1-2.1.s390x",
            "openSUSE Tumbleweed:python311-nltk-3.8.1-2.1.x86_64",
            "openSUSE Tumbleweed:python312-nltk-3.8.1-2.1.aarch64",
            "openSUSE Tumbleweed:python312-nltk-3.8.1-2.1.ppc64le",
            "openSUSE Tumbleweed:python312-nltk-3.8.1-2.1.s390x",
            "openSUSE Tumbleweed:python312-nltk-3.8.1-2.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-07-04T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2019-14751"
    },
    {
      "cve": "CVE-2024-39705",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2024-39705"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "NLTK through 3.8.1 allows remote code execution if untrusted packages have pickled Python code, and the integrated data package download functionality is used. This affects, for example, averaged_perceptron_tagger and punkt.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:python310-nltk-3.8.1-2.1.aarch64",
          "openSUSE Tumbleweed:python310-nltk-3.8.1-2.1.ppc64le",
          "openSUSE Tumbleweed:python310-nltk-3.8.1-2.1.s390x",
          "openSUSE Tumbleweed:python310-nltk-3.8.1-2.1.x86_64",
          "openSUSE Tumbleweed:python311-nltk-3.8.1-2.1.aarch64",
          "openSUSE Tumbleweed:python311-nltk-3.8.1-2.1.ppc64le",
          "openSUSE Tumbleweed:python311-nltk-3.8.1-2.1.s390x",
          "openSUSE Tumbleweed:python311-nltk-3.8.1-2.1.x86_64",
          "openSUSE Tumbleweed:python312-nltk-3.8.1-2.1.aarch64",
          "openSUSE Tumbleweed:python312-nltk-3.8.1-2.1.ppc64le",
          "openSUSE Tumbleweed:python312-nltk-3.8.1-2.1.s390x",
          "openSUSE Tumbleweed:python312-nltk-3.8.1-2.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2024-39705",
          "url": "https://www.suse.com/security/cve/CVE-2024-39705"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1227174 for CVE-2024-39705",
          "url": "https://bugzilla.suse.com/1227174"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:python310-nltk-3.8.1-2.1.aarch64",
            "openSUSE Tumbleweed:python310-nltk-3.8.1-2.1.ppc64le",
            "openSUSE Tumbleweed:python310-nltk-3.8.1-2.1.s390x",
            "openSUSE Tumbleweed:python310-nltk-3.8.1-2.1.x86_64",
            "openSUSE Tumbleweed:python311-nltk-3.8.1-2.1.aarch64",
            "openSUSE Tumbleweed:python311-nltk-3.8.1-2.1.ppc64le",
            "openSUSE Tumbleweed:python311-nltk-3.8.1-2.1.s390x",
            "openSUSE Tumbleweed:python311-nltk-3.8.1-2.1.x86_64",
            "openSUSE Tumbleweed:python312-nltk-3.8.1-2.1.aarch64",
            "openSUSE Tumbleweed:python312-nltk-3.8.1-2.1.ppc64le",
            "openSUSE Tumbleweed:python312-nltk-3.8.1-2.1.s390x",
            "openSUSE Tumbleweed:python312-nltk-3.8.1-2.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-07-04T00:00:00Z",
          "details": "critical"
        }
      ],
      "title": "CVE-2024-39705"
    }
  ]
}

opensuse-su-2024:0222-1

Vulnerability from csaf_opensuse

Published

2024-07-26 10:41

Modified

2024-07-26 10:41

Summary

Security update for python-nltk

Notes

Title of the patch

Security update for python-nltk

Description of the patch

This update for python-nltk fixes the following issues: - CVE-2024-39705: Fixed remote code execution through unsafe pickle usage (boo#1227174).

Patchnames

openSUSE-2024-222

CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for python-nltk",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "This update for python-nltk fixes the following issues:\n\n- CVE-2024-39705: Fixed remote code execution through unsafe pickle usage (boo#1227174).\n",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-2024-222",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_0222-1.json"
      },
      {
        "category": "self",
        "summary": "URL for openSUSE-SU-2024:0222-1",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/34GPGJ5MWORJ4EISDV3CLYKNIHC3Z7CC/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for openSUSE-SU-2024:0222-1",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/34GPGJ5MWORJ4EISDV3CLYKNIHC3Z7CC/"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1227174",
        "url": "https://bugzilla.suse.com/1227174"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2024-39705 page",
        "url": "https://www.suse.com/security/cve/CVE-2024-39705/"
      }
    ],
    "title": "Security update for python-nltk",
    "tracking": {
      "current_release_date": "2024-07-26T10:41:48Z",
      "generator": {
        "date": "2024-07-26T10:41:48Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2024:0222-1",
      "initial_release_date": "2024-07-26T10:41:48Z",
      "revision_history": [
        {
          "date": "2024-07-26T10:41:48Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python3-nltk-3.7-bp155.3.3.1.noarch",
                "product": {
                  "name": "python3-nltk-3.7-bp155.3.3.1.noarch",
                  "product_id": "python3-nltk-3.7-bp155.3.3.1.noarch"
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "SUSE Package Hub 15 SP5",
                "product": {
                  "name": "SUSE Package Hub 15 SP5",
                  "product_id": "SUSE Package Hub 15 SP5"
                }
              },
              {
                "category": "product_name",
                "name": "openSUSE Leap 15.5",
                "product": {
                  "name": "openSUSE Leap 15.5",
                  "product_id": "openSUSE Leap 15.5",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:leap:15.5"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python3-nltk-3.7-bp155.3.3.1.noarch as component of SUSE Package Hub 15 SP5",
          "product_id": "SUSE Package Hub 15 SP5:python3-nltk-3.7-bp155.3.3.1.noarch"
        },
        "product_reference": "python3-nltk-3.7-bp155.3.3.1.noarch",
        "relates_to_product_reference": "SUSE Package Hub 15 SP5"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python3-nltk-3.7-bp155.3.3.1.noarch as component of openSUSE Leap 15.5",
          "product_id": "openSUSE Leap 15.5:python3-nltk-3.7-bp155.3.3.1.noarch"
        },
        "product_reference": "python3-nltk-3.7-bp155.3.3.1.noarch",
        "relates_to_product_reference": "openSUSE Leap 15.5"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-39705",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2024-39705"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "NLTK through 3.8.1 allows remote code execution if untrusted packages have pickled Python code, and the integrated data package download functionality is used. This affects, for example, averaged_perceptron_tagger and punkt.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Package Hub 15 SP5:python3-nltk-3.7-bp155.3.3.1.noarch",
          "openSUSE Leap 15.5:python3-nltk-3.7-bp155.3.3.1.noarch"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2024-39705",
          "url": "https://www.suse.com/security/cve/CVE-2024-39705"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1227174 for CVE-2024-39705",
          "url": "https://bugzilla.suse.com/1227174"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Package Hub 15 SP5:python3-nltk-3.7-bp155.3.3.1.noarch",
            "openSUSE Leap 15.5:python3-nltk-3.7-bp155.3.3.1.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-07-26T10:41:48Z",
          "details": "critical"
        }
      ],
      "title": "CVE-2024-39705"
    }
  ]
}

opensuse-su-2024:0221-1

Vulnerability from csaf_opensuse

Published

2024-07-26 10:32

Modified

2024-07-26 10:32

Summary

Security update for python-nltk

Notes

Title of the patch

Security update for python-nltk

Description of the patch

This update for python-nltk fixes the following issues: - CVE-2024-39705: Fixed remote code execution through unsafe pickle usage (boo#1227174).

Patchnames

openSUSE-2024-221

CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for python-nltk",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "This update for python-nltk fixes the following issues:\n\n- CVE-2024-39705: Fixed remote code execution through unsafe pickle usage (boo#1227174).\n",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-2024-221",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_0221-1.json"
      },
      {
        "category": "self",
        "summary": "URL for openSUSE-SU-2024:0221-1",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/TPL3SFAM7D6T4BAZ4QKZPZDK5JXBAFFC/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for openSUSE-SU-2024:0221-1",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/TPL3SFAM7D6T4BAZ4QKZPZDK5JXBAFFC/"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1227174",
        "url": "https://bugzilla.suse.com/1227174"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2024-39705 page",
        "url": "https://www.suse.com/security/cve/CVE-2024-39705/"
      }
    ],
    "title": "Security update for python-nltk",
    "tracking": {
      "current_release_date": "2024-07-26T10:32:35Z",
      "generator": {
        "date": "2024-07-26T10:32:35Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2024:0221-1",
      "initial_release_date": "2024-07-26T10:32:35Z",
      "revision_history": [
        {
          "date": "2024-07-26T10:32:35Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python3-nltk-3.7-bp156.4.3.1.noarch",
                "product": {
                  "name": "python3-nltk-3.7-bp156.4.3.1.noarch",
                  "product_id": "python3-nltk-3.7-bp156.4.3.1.noarch"
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "SUSE Package Hub 15 SP6",
                "product": {
                  "name": "SUSE Package Hub 15 SP6",
                  "product_id": "SUSE Package Hub 15 SP6"
                }
              },
              {
                "category": "product_name",
                "name": "openSUSE Leap 15.6",
                "product": {
                  "name": "openSUSE Leap 15.6",
                  "product_id": "openSUSE Leap 15.6",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:leap:15.6"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python3-nltk-3.7-bp156.4.3.1.noarch as component of SUSE Package Hub 15 SP6",
          "product_id": "SUSE Package Hub 15 SP6:python3-nltk-3.7-bp156.4.3.1.noarch"
        },
        "product_reference": "python3-nltk-3.7-bp156.4.3.1.noarch",
        "relates_to_product_reference": "SUSE Package Hub 15 SP6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python3-nltk-3.7-bp156.4.3.1.noarch as component of openSUSE Leap 15.6",
          "product_id": "openSUSE Leap 15.6:python3-nltk-3.7-bp156.4.3.1.noarch"
        },
        "product_reference": "python3-nltk-3.7-bp156.4.3.1.noarch",
        "relates_to_product_reference": "openSUSE Leap 15.6"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-39705",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2024-39705"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "NLTK through 3.8.1 allows remote code execution if untrusted packages have pickled Python code, and the integrated data package download functionality is used. This affects, for example, averaged_perceptron_tagger and punkt.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Package Hub 15 SP6:python3-nltk-3.7-bp156.4.3.1.noarch",
          "openSUSE Leap 15.6:python3-nltk-3.7-bp156.4.3.1.noarch"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2024-39705",
          "url": "https://www.suse.com/security/cve/CVE-2024-39705"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1227174 for CVE-2024-39705",
          "url": "https://bugzilla.suse.com/1227174"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Package Hub 15 SP6:python3-nltk-3.7-bp156.4.3.1.noarch",
            "openSUSE Leap 15.6:python3-nltk-3.7-bp156.4.3.1.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-07-26T10:32:35Z",
          "details": "critical"
        }
      ],
      "title": "CVE-2024-39705"
    }
  ]
}

ghsa-cgvx-9447-vcch

Vulnerability from github

Published

2024-06-28 00:33

Modified

2025-01-21 18:28

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
7.5 (High) - CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Summary

ntlk unsafe deserialization vulnerability

Details

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "nltk"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-39705"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-300",
      "CWE-502"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-06-28T21:11:25Z",
    "nvd_published_at": "2024-06-27T22:15:10Z",
    "severity": "HIGH"
  },
  "details": "NLTK through 3.8.1 allows remote code execution if untrusted packages have pickled Python code, and the integrated data package download functionality is used. This affects, for example, averaged_perceptron_tagger and punkt.",
  "id": "GHSA-cgvx-9447-vcch",
  "modified": "2025-01-21T18:28:57Z",
  "published": "2024-06-28T00:33:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39705"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nltk/nltk/issues/2522"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nltk/nltk/issues/3266"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nltk/nltk/commit/441aecb7d33014bd08672232c6c8bb69c2ceaba2"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/nltk/nltk"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/nltk/PYSEC-2024-167.yaml"
    },
    {
      "type": "WEB",
      "url": "https://www.vicarius.io/vsociety/posts/rce-in-python-nltk-cve-2024-39705-39706"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "ntlk unsafe deserialization vulnerability"
}

CERTFR-2024-AVI-0780

Vulnerability from certfr_avis

De multiples vulnérabilités ont été découvertes dans les produits IBM. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, une élévation de privilèges et un déni de service à distance.

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Impacted products

	Vendor	Product	Description
	IBM	QRadar Suite Software	QRadar Suite Software versions 1.10.12.x antérieures à 1.10.25.0
	IBM	QRadar WinCollect Agent	QRadar WinCollect Agent versions 1.x.x antérieures à 10.1.12

References

Title

Publication Time

Tags

Bulletin de sécurité IBM 7167599	2024-09-05	vendor-advisory
Bulletin de sécurité IBM 7168115	2024-09-11	vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "QRadar Suite Software versions 1.10.12.x ant\u00e9rieures \u00e0 1.10.25.0",
      "product": {
        "name": "QRadar Suite Software",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "QRadar WinCollect Agent versions 1.x.x ant\u00e9rieures \u00e0 10.1.12",
      "product": {
        "name": "QRadar WinCollect Agent",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": "",
  "content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
  "cves": [
    {
      "name": "CVE-2024-37891",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-37891"
    },
    {
      "name": "CVE-2024-34069",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-34069"
    },
    {
      "name": "CVE-2024-39705",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-39705"
    },
    {
      "name": "CVE-2024-7264",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-7264"
    },
    {
      "name": "CVE-2024-5535",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-5535"
    },
    {
      "name": "CVE-2024-35195",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-35195"
    },
    {
      "name": "CVE-2024-6874",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-6874"
    },
    {
      "name": "CVE-2024-41110",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-41110"
    },
    {
      "name": "CVE-2024-6119",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-6119"
    },
    {
      "name": "CVE-2024-37890",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-37890"
    },
    {
      "name": "CVE-2024-6197",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-6197"
    },
    {
      "name": "CVE-2024-6387",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-6387"
    },
    {
      "name": "CVE-2024-39689",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-39689"
    },
    {
      "name": "CVE-2024-6345",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-6345"
    }
  ],
  "initial_release_date": "2024-09-13T00:00:00",
  "last_revision_date": "2024-09-13T00:00:00",
  "links": [],
  "reference": "CERTFR-2024-AVI-0780",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2024-09-13T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "D\u00e9ni de service \u00e0 distance"
    },
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    },
    {
      "description": "\u00c9l\u00e9vation de privil\u00e8ges"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits IBM. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance, une \u00e9l\u00e9vation de privil\u00e8ges et un d\u00e9ni de service \u00e0 distance.",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits IBM",
  "vendor_advisories": [
    {
      "published_at": "2024-09-05",
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 7167599",
      "url": "https://www.ibm.com/support/pages/node/7167599"
    },
    {
      "published_at": "2024-09-11",
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 7168115",
      "url": "https://www.ibm.com/support/pages/node/7168115"
    }
  ]
}

CERTFR-2025-AVI-0538

Vulnerability from certfr_avis

De multiples vulnérabilités ont été découvertes dans VMware Tanzu. Elles permettent à un attaquant de provoquer un problème de sécurité non spécifié par l'éditeur.

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Impacted products

Vendor	Product	Description
VMware	Tanzu	Tanzu pour Postgres versions antérieures à 13.21.0
VMware	Tanzu	Tanzu pour Postgres versions 14.x antérieures à 14.18.0
VMware	Tanzu	Tanzu pour Postgres versions 17.x antérieures à 17.5.0
VMware	Tanzu	Tanzu pour Postgres versions 16x antérieures à 16.9.0
VMware	Tanzu	Tanzu pour Postgres versions 15.x antérieures à 15.13.0

References

Title

Publication Time

Tags

Bulletin de sécurité VMware 35866	2025-06-25	vendor-advisory
Bulletin de sécurité VMware 35867	2025-06-25	vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Tanzu pour Postgres versions ant\u00e9rieures \u00e0 13.21.0",
      "product": {
        "name": "Tanzu",
        "vendor": {
          "name": "VMware",
          "scada": false
        }
      }
    },
    {
      "description": "Tanzu pour Postgres versions 14.x ant\u00e9rieures \u00e0 14.18.0",
      "product": {
        "name": "Tanzu",
        "vendor": {
          "name": "VMware",
          "scada": false
        }
      }
    },
    {
      "description": "Tanzu pour Postgres versions 17.x ant\u00e9rieures \u00e0 17.5.0",
      "product": {
        "name": "Tanzu",
        "vendor": {
          "name": "VMware",
          "scada": false
        }
      }
    },
    {
      "description": "Tanzu pour Postgres versions 16x ant\u00e9rieures \u00e0 16.9.0",
      "product": {
        "name": "Tanzu",
        "vendor": {
          "name": "VMware",
          "scada": false
        }
      }
    },
    {
      "description": "Tanzu pour Postgres versions 15.x ant\u00e9rieures \u00e0 15.13.0",
      "product": {
        "name": "Tanzu",
        "vendor": {
          "name": "VMware",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": "",
  "content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
  "cves": [
    {
      "name": "CVE-2024-24790",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-24790"
    },
    {
      "name": "CVE-2023-29483",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-29483"
    },
    {
      "name": "CVE-2024-37891",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-37891"
    },
    {
      "name": "CVE-2021-3572",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-3572"
    },
    {
      "name": "CVE-2024-5998",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-5998"
    },
    {
      "name": "CVE-2024-31583",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-31583"
    },
    {
      "name": "CVE-2023-45288",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-45288"
    },
    {
      "name": "CVE-2024-11392",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-11392"
    },
    {
      "name": "CVE-2024-56326",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-56326"
    },
    {
      "name": "CVE-2024-24791",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-24791"
    },
    {
      "name": "CVE-2023-50447",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-50447"
    },
    {
      "name": "CVE-2024-34062",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-34062"
    },
    {
      "name": "CVE-2024-7804",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-7804"
    },
    {
      "name": "CVE-2024-39705",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-39705"
    },
    {
      "name": "CVE-2024-34158",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-34158"
    },
    {
      "name": "CVE-2024-3571",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-3571"
    },
    {
      "name": "CVE-2024-51744",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-51744"
    },
    {
      "name": "CVE-2023-48795",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-48795"
    },
    {
      "name": "CVE-2024-24788",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-24788"
    },
    {
      "name": "CVE-2024-3095",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-3095"
    },
    {
      "name": "CVE-2024-22195",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-22195"
    },
    {
      "name": "CVE-2024-11393",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-11393"
    },
    {
      "name": "CVE-2024-28219",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-28219"
    },
    {
      "name": "CVE-2024-53899",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-53899"
    },
    {
      "name": "CVE-2024-12720",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-12720"
    },
    {
      "name": "CVE-2024-30251",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-30251"
    },
    {
      "name": "CVE-2024-27306",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-27306"
    },
    {
      "name": "CVE-2024-45337",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-45337"
    },
    {
      "name": "CVE-2024-35195",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-35195"
    },
    {
      "name": "CVE-2019-20916",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-20916"
    },
    {
      "name": "CVE-2024-56201",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-56201"
    },
    {
      "name": "CVE-2024-5569",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-5569"
    },
    {
      "name": "CVE-2024-34156",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-34156"
    },
    {
      "name": "CVE-2024-5206",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-5206"
    },
    {
      "name": "CVE-2024-27454",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-27454"
    },
    {
      "name": "CVE-2024-42367",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-42367"
    },
    {
      "name": "CVE-2024-43497",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-43497"
    },
    {
      "name": "CVE-2024-8309",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-8309"
    },
    {
      "name": "CVE-2024-0243",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-0243"
    },
    {
      "name": "CVE-2024-31580",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-31580"
    },
    {
      "name": "CVE-2024-24787",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-24787"
    },
    {
      "name": "CVE-2024-52304",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-52304"
    },
    {
      "name": "CVE-2025-4207",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-4207"
    },
    {
      "name": "CVE-2024-3651",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-3651"
    },
    {
      "name": "CVE-2022-42969",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-42969"
    },
    {
      "name": "CVE-2025-1094",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-1094"
    },
    {
      "name": "CVE-2024-34064",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-34064"
    },
    {
      "name": "CVE-2024-23829",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-23829"
    },
    {
      "name": "CVE-2024-11394",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-11394"
    },
    {
      "name": "CVE-2023-47248",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-47248"
    },
    {
      "name": "CVE-2025-30204",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-30204"
    },
    {
      "name": "CVE-2024-24786",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-24786"
    },
    {
      "name": "CVE-2024-39689",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-39689"
    },
    {
      "name": "CVE-2024-34155",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-34155"
    },
    {
      "name": "CVE-2024-2965",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-2965"
    },
    {
      "name": "CVE-2024-28088",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-28088"
    },
    {
      "name": "CVE-2024-24789",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-24789"
    },
    {
      "name": "CVE-2024-1455",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-1455"
    },
    {
      "name": "CVE-2024-23334",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-23334"
    }
  ],
  "initial_release_date": "2025-06-26T00:00:00",
  "last_revision_date": "2025-06-26T00:00:00",
  "links": [],
  "reference": "CERTFR-2025-AVI-0538",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2025-06-26T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans VMware Tanzu. Elles permettent \u00e0 un attaquant de provoquer un probl\u00e8me de s\u00e9curit\u00e9 non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur.",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans VMware Tanzu",
  "vendor_advisories": [
    {
      "published_at": "2025-06-25",
      "title": "Bulletin de s\u00e9curit\u00e9 VMware 35866",
      "url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/35866"
    },
    {
      "published_at": "2025-06-25",
      "title": "Bulletin de s\u00e9curit\u00e9 VMware 35867",
      "url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/35867"
    }
  ]
}

CERTFR-2024-AVI-0750

Vulnerability from certfr_avis

De multiples vulnérabilités ont été découvertes dans les produits IBM. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un déni de service à distance et une atteinte à la confidentialité des données.

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Impacted products

Vendor	Product	Description
IBM	Security QRadar EDR	Security QRadar EDR version 3.12.x antérieures à 3.12.11
IBM	QRadar Assistant	QRadar Assistant version antérieures à 3.8.0
IBM	Cloud Pak	Cloud Pak versions 1.10.x.x antérieures à 1.10.25.0
IBM	Tivoli Monitoring	Tivoli Monitoring version 6.3.x antérieures à 6.3.0.7 Plus Service Pack 5
IBM	Sterling Control Center	Sterling Control Center version 6.2.1.x antérieures à 6.2.1.0 iFix13
IBM	QRadar Suite Software	QRadar Suite Software versions 1.10.x.x postérieures à 1.10.12.x et antérieures à 1.10.25.0

References

Title

Publication Time

Tags

Bulletin de sécurité IBM 7167122	2024-09-03	vendor-advisory
Bulletin de sécurité IBM 7167218	2024-09-04	vendor-advisory
Bulletin de sécurité IBM 7167607	2024-09-05	vendor-advisory
Bulletin de sécurité IBM 7166853	2024-09-05	vendor-advisory
Bulletin de sécurité IBM 7167599	2024-09-05	vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Security QRadar EDR version 3.12.x ant\u00e9rieures \u00e0 3.12.11",
      "product": {
        "name": "Security QRadar EDR",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "QRadar Assistant version ant\u00e9rieures \u00e0 3.8.0",
      "product": {
        "name": "QRadar Assistant",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "Cloud Pak versions 1.10.x.x ant\u00e9rieures \u00e0 1.10.25.0",
      "product": {
        "name": "Cloud Pak",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "Tivoli Monitoring version 6.3.x ant\u00e9rieures \u00e0 6.3.0.7 Plus Service Pack 5",
      "product": {
        "name": "Tivoli Monitoring",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "Sterling Control Center version 6.2.1.x ant\u00e9rieures \u00e0 6.2.1.0 iFix13",
      "product": {
        "name": "Sterling Control Center",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "QRadar Suite Software versions 1.10.x.x post\u00e9rieures \u00e0 1.10.12.x et ant\u00e9rieures \u00e0 1.10.25.0",
      "product": {
        "name": "QRadar Suite Software",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": "",
  "content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
  "cves": [
    {
      "name": "CVE-2024-37891",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-37891"
    },
    {
      "name": "CVE-2024-35154",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-35154"
    },
    {
      "name": "CVE-2024-37532",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-37532"
    },
    {
      "name": "CVE-2024-4068",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-4068"
    },
    {
      "name": "CVE-2024-38475",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-38475"
    },
    {
      "name": "CVE-2024-34069",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-34069"
    },
    {
      "name": "CVE-2024-40898",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-40898"
    },
    {
      "name": "CVE-2022-41678",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-41678"
    },
    {
      "name": "CVE-2024-40725",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-40725"
    },
    {
      "name": "CVE-2024-39705",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-39705"
    },
    {
      "name": "CVE-2024-38474",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-38474"
    },
    {
      "name": "CVE-2024-39884",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-39884"
    },
    {
      "name": "CVE-2024-38472",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-38472"
    },
    {
      "name": "CVE-2024-35195",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-35195"
    },
    {
      "name": "CVE-2024-38476",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-38476"
    },
    {
      "name": "CVE-2024-41110",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-41110"
    },
    {
      "name": "CVE-2024-38477",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-38477"
    },
    {
      "name": "CVE-2021-23727",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-23727"
    },
    {
      "name": "CVE-2024-38473",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-38473"
    },
    {
      "name": "CVE-2024-37890",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-37890"
    },
    {
      "name": "CVE-2024-39338",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-39338"
    },
    {
      "name": "CVE-2024-6387",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-6387"
    },
    {
      "name": "CVE-2024-35153",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-35153"
    },
    {
      "name": "CVE-2024-39689",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-39689"
    },
    {
      "name": "CVE-2024-39573",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-39573"
    },
    {
      "name": "CVE-2024-6345",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-6345"
    }
  ],
  "initial_release_date": "2024-09-06T00:00:00",
  "last_revision_date": "2024-09-06T00:00:00",
  "links": [],
  "reference": "CERTFR-2024-AVI-0750",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2024-09-06T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "D\u00e9ni de service \u00e0 distance"
    },
    {
      "description": "Injection de code indirecte \u00e0 distance (XSS)"
    },
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    },
    {
      "description": "\u00c9l\u00e9vation de privil\u00e8ges"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits IBM. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance, un d\u00e9ni de service \u00e0 distance et une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es.",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits IBM",
  "vendor_advisories": [
    {
      "published_at": "2024-09-03",
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 7167122",
      "url": "https://www.ibm.com/support/pages/node/7167122"
    },
    {
      "published_at": "2024-09-04",
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 7167218",
      "url": "https://www.ibm.com/support/pages/node/7167218"
    },
    {
      "published_at": "2024-09-05",
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 7167607",
      "url": "https://www.ibm.com/support/pages/node/7167607"
    },
    {
      "published_at": "2024-09-05",
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 7166853",
      "url": "https://www.ibm.com/support/pages/node/7166853"
    },
    {
      "published_at": "2024-09-05",
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 7167599",
      "url": "https://www.ibm.com/support/pages/node/7167599"
    }
  ]
}

pysec-2024-167

Vulnerability from pysec

Published

2024-06-27 22:15

Modified

2025-01-18 19:19

Details

Impacted products

Name	purl
nltk	pkg:pypi/nltk

Aliases

CVE-2024-39705

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "nltk",
        "purl": "pkg:pypi/nltk"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.8",
        "0.9",
        "0.9.3",
        "0.9.4",
        "0.9.5",
        "0.9.6",
        "0.9.7",
        "0.9.8",
        "0.9.9",
        "2.0.1",
        "2.0.1rc1",
        "2.0.1rc2-git",
        "2.0.1rc3",
        "2.0.1rc4",
        "2.0.2",
        "2.0.3",
        "2.0.4",
        "2.0.5",
        "2.0b4",
        "2.0b5",
        "2.0b6",
        "2.0b7",
        "2.0b8",
        "2.0b9",
        "3.0.0",
        "3.0.0b1",
        "3.0.0b2",
        "3.0.1",
        "3.0.2",
        "3.0.3",
        "3.0.4",
        "3.0.5",
        "3.1",
        "3.2",
        "3.2.1",
        "3.2.2",
        "3.2.3",
        "3.2.4",
        "3.2.5",
        "3.3",
        "3.4",
        "3.4.1",
        "3.4.2",
        "3.4.3",
        "3.4.4",
        "3.4.5",
        "3.5",
        "3.5b1",
        "3.6",
        "3.6.1",
        "3.6.2",
        "3.6.3",
        "3.6.4",
        "3.6.5",
        "3.6.6",
        "3.6.7",
        "3.7",
        "3.8",
        "3.8.1",
        "3.9b1"
      ]
    }
  ],
  "aliases": [
    "CVE-2024-39705"
  ],
  "details": "NLTK through 3.8.1 allows remote code execution if untrusted packages have pickled Python code, and the integrated data package download functionality is used. This affects, for example, averaged_perceptron_tagger and punkt.",
  "id": "PYSEC-2024-167",
  "modified": "2025-01-18T19:19:06.317325+00:00",
  "published": "2024-06-27T22:15:10+00:00",
  "references": [
    {
      "type": "REPORT",
      "url": "https://github.com/nltk/nltk/issues/2522"
    },
    {
      "type": "REPORT",
      "url": "https://github.com/nltk/nltk/issues/3266"
    },
    {
      "type": "WEB",
      "url": "https://www.vicarius.io/vsociety/posts/rce-in-python-nltk-cve-2024-39705-39706"
    }
  ]
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2024-39705 (GCVE-0-2024-39705)

Vulnerability from cvelistv5

Vulnerability from fkie_nvd

Vulnerability from csaf_opensuse

Vulnerability from csaf_opensuse

Vulnerability from csaf_opensuse

Vulnerability from github

Vulnerability from certfr_avis

Solutions

Vulnerability from certfr_avis

Solutions

Vulnerability from certfr_avis

Solutions

Vulnerability from pysec

Tags

Sightings

Nomenclature