Bug 1227273 (CVE-2024-39303) - VUL-0: CVE-2024-39303: Weblate is a web based localization tool. Prior to version 5.6.2, Weblate didn't correctly validate filenames when restoring project backup. It may be possible to gain unauthorized access to files on the server using a crafted ...
Status: IN_PROGRESS
Alias: CVE-2024-39303
Product: openSUSE Tumbleweed
Classification: openSUSE
Component: Security
Version: Current
Hardware: Other Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assignee: Markéta Machová
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/412574/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2024-07-02 08:35 UTC by SMASH SMASH
Modified: 2024-07-19 07:46 UTC
CC: 2 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Description SMASH SMASH 2024-07-02 08:35:16 UTC
Weblate is a web based localization tool. Prior to version 5.6.2, Weblate didn't correctly validate filenames when restoring project backup. It may be possible to gain unauthorized access to files on the server using a crafted ZIP file. This issue has been addressed in Weblate 5.6.2. As a workaround, do not allow untrusted users to create projects.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-39303
https://www.cve.org/CVERecord?id=CVE-2024-39303
https://github.com/WeblateOrg/weblate/commit/b6a7eace155fa0feaf01b4ac36165a9c5e63bfdd
https://github.com/WeblateOrg/weblate/security/advisories/GHSA-jfgp-674x-6q4p
Comment 1 Markéta Machová 2024-07-09 09:52:48 UTC
Hi all, there is no weblate in Leap 15.6. Yes, it used to be built for Leap, but it wasn't in the supported stack, it was only for in-house use. I think the "Product" field should be corrected to "openSUSE Tumbleweed", if it is possible.
Comment 2 Markéta Machová 2024-07-09 11:59:16 UTC
Update in progress in my home project.
Comment 3 Markéta Machová 2024-07-19 07:46:14 UTC
Sent to Factory: https://build.opensuse.org/request/show/1188419