Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Requests has Insecure Temp File Reuse in its extract_zipped_paths() utility function
Vulnerability Description
Requests is a HTTP library. Prior to version 2.33.0, the `requests.utils.extract_zipped_paths()` utility function uses a predictable filename when extracting files from zip archives into the system temporary directory. If the target file already exists, it is reused without validation. A local attacker with write access to the temp directory could pre-create a malicious file that would be loaded in place of the legitimate one. Standard usage of the Requests library is not affected by this vulnerability. Only applications that call `extract_zipped_paths()` directly are impacted. Starting in version 2.33.0, the library extracts files to a non-deterministic location. If developers are unable to upgrade, they can set `TMPDIR` in their environment to a directory with restricted write access.
CVSS Information
CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N
Vulnerability Type
不安全的临时文件
Vulnerability Title
Requests 安全漏洞
Vulnerability Description
Requests是Python基金会的一个优雅而简单的HTTP库。通过请求,您可以非常轻松地发送HTTP / 1.1请求。无需将查询字符串手动添加到您的URL,也无需对POST数据进行表单编码。 Requests 2.33.0之前版本存在安全漏洞,该漏洞源于extract_zipped_paths函数使用可预测文件名,可能导致本地攻击者加载恶意文件。
CVSS Information
N/A
Vulnerability Type
N/A