CVE-2021-34363
CRITICAL
the_fuck < 3.31 - Path Traversal and Arbitrary File Deletion via Undo Archive Operation
Title source: llm
Description
The thefuck (aka The Fuck) package before 3.31 for Python allows Path Traversal that leads to arbitrary file deletion via the "undo archive operation" feature.
References (5)
Core References
Release Notes, Third Party Advisory x_refsource_misc
https://github.com/nvbn/thefuck/releases/tag/3.31
Third Party Advisory x_refsource_misc
https://vuln.ryotak.me/advisories/48
Patch, Third Party Advisory x_refsource_misc
https://github.com/nvbn/thefuck/commit/e343c577cd7da4d304b837d4a07ab4df1e023092
Mailing List, Third Party Advisory vendor-advisory
x_refsource_fedora
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4MEDDLBFVRUQHPYIBJ4MFM3M4NUJUXL5/
Mailing List, Third Party Advisory vendor-advisory
x_refsource_fedora
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YA6UNQSOY6M3NJDZLS6YJXTS4WGDMEEJ/
Scores
CVSS v3
9.1
EPSS
0.0185
EPSS Percentile
76.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Details
CWE
CWE-22
Status
published
Products (4)
fedoraproject/fedora
34
fedoraproject/fedora
35
pypi/thefuck
0 - 3.31 (PyPI)
the_fuck_project/the_fuck
< 3.31
Published
Jun 10, 2021
Tracked Since
Feb 18, 2026