{"id":"PYSEC-2021-97","details":"The thefuck (aka The Fuck) package before 3.31 for Python allows Path Traversal that leads to arbitrary file deletion via the \"undo archive operation\" feature.","aliases":["CVE-2021-34363","GHSA-8wwf-2644-f8x4"],"modified":"2023-11-01T04:55:38.606950Z","published":"2021-06-10T11:15:00Z","references":[{"type":"ADVISORY","url":"https://vuln.ryotak.me/advisories/48"},{"type":"FIX","url":"https://github.com/nvbn/thefuck/commit/e343c577cd7da4d304b837d4a07ab4df1e023092"},{"type":"WEB","url":"https://github.com/nvbn/thefuck/releases/tag/3.31"},{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-8wwf-2644-f8x4"}],"affected":[{"package":{"name":"thefuck","ecosystem":"PyPI","purl":"pkg:pypi/thefuck"},"ranges":[{"type":"GIT","repo":"https://github.com/nvbn/thefuck","events":[{"introduced":"0"},{"fixed":"e343c577cd7da4d304b837d4a07ab4df1e023092"}]},{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"3.31"}]}],"versions":["0.1","1","1.0","1.1","1.11","1.12","1.13","1.14","1.15","1.16","1.17","1.18","1.19","1.2","1.20","1.21","1.22","1.23","1.26","1.27","1.28","1.29","1.3","1.30","1.31","1.32","1.33","1.34","1.35","1.36","1.37","1.38","1.39","1.4","1.40","1.41","1.42","1.43","1.44","1.45","1.46","1.47","1.48","1.49","1.49.1","1.5","1.6","1.7","1.8","1.9","1dev","2.0","2.1","2.2","2.3","2.4","2.5","2.5.1","2.5.2","2.5.3","2.5.4","2.5.5","2.5.6","2.6","2.7","2.8","2.9","2.9.1","3.0","3.1","3.10","3.11","3.12","3.13","3.14","3.15","3.16","3.17","3.18","3.19","3.2","3.20","3.21","3.22","3.23","3.24","3.25","3.26","3.27","3.28","3.29","3.3","3.30","3.4","3.5","3.6","3.7","3.8","3.9"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/thefuck/PYSEC-2021-97.yaml"}}],"schema_version":"1.7.3"}