{"id":"CVE-2024-21542","details":"Versions of the package luigi before 3.6.0 are vulnerable to Arbitrary File Write via Archive Extraction (Zip Slip) due to improper destination file path validation in the _extract_packages_archive function: archive member names are not checked to resolve inside the intended extraction directory, so an archive entry whose name contains path-traversal components (e.g. ../) can be written outside that directory. Fixed in luigi 3.6.0 (see the linked FIX commit); until upgraded, treat any package archive that reaches this code path as untrusted input.","aliases":["GHSA-8qch-vj6m-2694","PYSEC-2024-159"],"modified":"2026-03-13T22:55:43.691177Z","published":"2024-12-10T05:15:07.567Z","references":[{"type":"WEB","url":"https://github.com/spotify/luigi/releases/tag/v3.6.0"},{"type":"WEB","url":"https://security.snyk.io/vuln/SNYK-PYTHON-LUIGI-7830489"},{"type":"REPORT","url":"https://github.com/spotify/luigi/issues/3301"},{"type":"FIX","url":"https://github.com/spotify/luigi/commit/b5d1b965ead7d9f777a3216369b5baf23ec08999"},{"type":"PACKAGE","url":"https://github.com/L3ster1337/Poc-CVE-2024-21542"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/spotify/luigi","events":[{"introduced":"0"},{"fixed":"3d76fa24a0a86f1612720b0502c524698e52d40d"},{"fixed":"b5d1b965ead7d9f777a3216369b5baf23ec08999"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"3.6.0"}]}}],"versions":["1.0.16","1.0.22","1.0.23","1.0.24","1.1.0","1.1.1","1.1.2","1.2.1","1.3.0","2.0.0","2.0.1","2.1.0","2.1.1","2.2.0","2.3.0","2.3.1","2.3.2","2.3.3","2.4.0","2.5.0","2.6.0","2.6.1","2.6.2","2.7.0","2.7.1","2.7.2","2.7.3","2.7.4","2.7.5","2.7.6","2.7.7","2.7.8","2.7.9","2.8.0","2.8.1","2.8.10","2.8.11","2.8.12","2.8.13","2.8.2","2.8.3","2.8.4","2.8.5","2.8.6","2.8.7","2.8.8","2.8.9","3.0.0","3.0.1","3.0.2","3.0.3","3.1.0","3.1.1","3.2.0","3.2.1","3.3.0","3.4.0","3.5.0","3.5.1","v1.0.17","v1.0.19","v1.0.21","v1.0.22","v1.2.0","v1.2.1","v3.5.2"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-21542.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:H/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"}]}