Lucene search

GoogleOSV:GHSA-CGVX-9447-VCCH

HistoryJun 28, 2024 - 12:33 a.m.

ntlk unsafe deserialization vulnerability

2024-06-2800:33:31

Google

osv.dev

nltk

remote code execution

vulnerability

pickled python code

data package download

averaged_perceptron_tagger

punkt

7.8 High

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

9.1%

JSON

NLTK through 3.8.1 allows remote code execution if untrusted packages have pickled Python code, and the integrated data package download functionality is used. This affects, for example, averaged_perceptron_tagger and punkt.

CPENameOperatorVersion
nltkeq2.0b4
nltkeq3.2.2
nltkeq3.4.5
nltkeq3.5
nltkeq0.9.9
nltkeq3.2.4
nltkeq3.2.5
nltkeq0.9.7
nltkeq3.0.1
nltkeq3.7

Name	Operator	Version
nltk	eq	2.0b4
nltk	eq	3.2.2
nltk	eq	3.4.5
nltk	eq	3.5
nltk	eq	0.9.9
nltk	eq	3.2.4
nltk	eq	3.2.5
nltk	eq	0.9.7
nltk	eq	3.0.1
nltk	eq	3.7

Rows per page:

1-10 of 591

References

github.com/nltk/nltk

github.com/nltk/nltk/issues/2522

github.com/nltk/nltk/issues/3266

nvd.nist.gov/vuln/detail/CVE-2024-39705