Cornac
Monthly
Arbitrary file write in Cornac's dataset-download utility (all versions before 2.6.0) lets an attacker who controls a downloaded TAR archive place files anywhere the Python process can write, because the _extract_archive() helper in cornac/utils/download.py calls archive.extractall() without validating member paths. Since Cornac's built-in dataset loaders automatically fetch and unpack archives, a poisoned or MITM'd dataset archive containing ../ traversal, absolute paths, or symlink/hardlink entries can overwrite sensitive files and potentially achieve code execution. VulnCheck reported the issue; no public exploit identified at time of analysis and it is not in CISA KEV.
Arbitrary file write in Cornac's dataset-download utility (all versions before 2.6.0) lets an attacker who controls a downloaded TAR archive place files anywhere the Python process can write, because the _extract_archive() helper in cornac/utils/download.py calls archive.extractall() without validating member paths. Since Cornac's built-in dataset loaders automatically fetch and unpack archives, a poisoned or MITM'd dataset archive containing ../ traversal, absolute paths, or symlink/hardlink entries can overwrite sensitive files and potentially achieve code execution. VulnCheck reported the issue; no public exploit identified at time of analysis and it is not in CISA KEV.