Remote Code Execution Vulnerability in NLTK 3.8.1
CVE-2024-39705

9.8CRITICAL

Key Information:

Vendor: NLTK
Status: NLTK
Vendor: CVE Published:; 27 June 2024

What is CVE-2024-39705?

NLTK versions up to 3.8.1 are susceptible to a remote code execution vulnerability that can be exploited through the use of untrusted packages containing pickled Python code. This risk is heightened when utilizing the integrated data package download feature, exposing users to potential attacks. The vulnerability notably affects functionalities tied to components like averaged_perceptron_tagger and punkt, leading to critical security implications if not addressed promptly.

References

https://github.com/nltk/nltk/issues/3266

https://github.com/nltk/nltk/issues/2522

https://www.vicarius.io/vsociety/posts/rce-in-python-nltk...

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 27, 2024

CVE-2024-39705 Data

JSON