{"id":"PYSEC-2024-159","details":"Versions of the luigi package before 3.6.0 are vulnerable to arbitrary file write via archive extraction (Zip Slip): the _extract_packages_archive function does not properly validate the destination file path of extracted entries, so a crafted archive can write files outside the intended extraction directory.","aliases":["CVE-2024-21542","GHSA-8qch-vj6m-2694"],"modified":"2025-01-14T05:56:53.717458Z","published":"2024-12-10T05:15:07Z","references":[{"type":"FIX","url":"https://github.com/spotify/luigi/commit/b5d1b965ead7d9f777a3216369b5baf23ec08999"},{"type":"REPORT","url":"https://github.com/spotify/luigi/issues/3301"},{"type":"WEB","url":"https://github.com/spotify/luigi/releases/tag/v3.6.0"},{"type":"WEB","url":"https://security.snyk.io/vuln/SNYK-PYTHON-LUIGI-7830489"}],"affected":[{"package":{"name":"luigi","ecosystem":"PyPI","purl":"pkg:pypi/luigi"},"ranges":[{"type":"GIT","repo":"https://github.com/spotify/luigi","events":[{"introduced":"0"},{"fixed":"b5d1b965ead7d9f777a3216369b5baf23ec08999"}]},{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"3.6.0"}]}],"versions":["1.0","1.0.1","1.0.10","1.0.11","1.0.12","1.0.13","1.0.14","1.0.15","1.0.16","1.0.17","1.0.18","1.0.19","1.0.2","1.0.20","1.0.21","1.0.22","1.0.23","1.0.24","1.0.3","1.0.4","1.0.5","1.0.6","1.0.7","1.0.8","1.0.9","1.1.0","1.1.1","1.1.2","1.2.1","1.3.0","2.0.0","2.0.1","2.1.0","2.1.1","2.2.0","2.3.0","2.3.1","2.3.2","2.3.3","2.4.0","2.5.0","2.6.0","2.6.1","2.6.2","2.7.0","2.7.1","2.7.2","2.7.3","2.7.4","2.7.5","2.7.6","2.7.7","2.7.8","2.7.9","2.8.0","2.8.1","2.8.10","2.8.11","2.8.12","2.8.13","2.8.2","2.8.3","2.8.4","2.8.5","2.8.6","2.8.7","2.8.8","2.8.9","3.0.0","3.0.0b1","3.0.0b2","3.0.1","3.0.2","3.0.3","3.1.0","3.1.1","3.2.0","3.2.1","3.3.0","3.4.0","3.5.0","3.5.1","3.5.2"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/luigi/PYSEC-2024-159.yaml"}}],"schema_version":"1.7.3"}