Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Arbitrary Code Execution in NLTK StanfordSegmenter via Untrusted JAR Loading
Vulnerability Description
NLTK versions <=3.9.2 are vulnerable to arbitrary code execution due to improper input validation in the StanfordSegmenter module. The module dynamically loads external Java .jar files without verification or sandboxing. An attacker can supply or replace the JAR file, enabling the execution of arbitrary Java bytecode at import time. This vulnerability can be exploited through methods such as model poisoning, MITM attacks, or dependency poisoning, leading to remote code execution. The issue arises from the direct execution of the JAR file via subprocess with unvalidated classpath input, allowing malicious classes to execute when loaded by the JVM.
CVSS Information
N/A
Vulnerability Type
输入验证不恰当
Vulnerability Title
NLTK 输入验证错误漏洞
Vulnerability Description
NLTK是NLTK开源的一个自然语言工具包。用于支持自然语言处理的研究和开发。 NLTK 3.9.2及之前版本存在输入验证错误漏洞,该漏洞源于StanfordSegmenter模块输入验证不当,可能通过模型投毒、中间人攻击或依赖项投毒等方式导致远程代码执行。
CVSS Information
N/A
Vulnerability Type
N/A