Weblate vulnerable to improper sanitization of project backups

GHSA-jfgp-674x-6q4p · CVE-2024-39303

Published Jul 1, 2024 · Modified Nov 21, 2024

Description

Impact

Weblate didn't correctly validate filenames when restoring project backup. It may be possible to gain unauthorized access to
files on the server using a crafted ZIP file.

Patches

This issue has been addressed in Weblate 5.6.2 via https://github.com/WeblateOrg/weblate/commit/b6a7eace155fa0feaf01b4ac36165a9c5e63bfdd.

Workarounds

Do not allow project creation to untrusted users.

References

Thanks to Bryan Cahill for bringing this issue to our attention.

For more information

If you have any questions or comments about this advisory:

Open a topic in discussions
Email us at care@weblate.org

References

WEB https://github.com/WeblateOrg/weblate/security/advisories/GHSA-jfgp-674x-6q4p
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2024-39303
WEB https://github.com/WeblateOrg/weblate/commit/b6a7eace155fa0feaf01b4ac36165a9c5e63bfdd
PACKAGE https://github.com/WeblateOrg/weblate

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes