
CVE-2021-34363: The Fuck Arbitrary File Deletion via Path Traversal

CVSS Score: 9.1

Basic Information

EPSS Score: -
Published: 6/15/2021
Updated: 11/13/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Package Name: thefuck
Ecosystem: pip
Vulnerable Versions: < 3.31
First Patched Version: 3.31

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from archive processing functions that lacked path validation. The GitHub patch shows that both dirty_untar.py and dirty_unzip.py had a security check added to their side_effect functions (os.path.abspath(file).startswith(os.getcwd())), confirming these were the vulnerable entry points. These functions handle cleanup after an archive extraction by deleting the extracted files, but they did not sanitize the file paths taken from the archive listing, so a malicious archive containing '../' entries could make the cleanup delete files outside the working directory.
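As an added illustration (not code from this page or from thefuck itself), the check the patch is described as adding, os.path.abspath(file).startswith(os.getcwd()), applied to a constructed archive listing before any cleanup deletion, next to a commonpath variant of the same check; the working directory value and the member names are assumptions.

```python
import posixpath

# Constructed archive listing, the kind of member names a `tar tf` or
# `unzip -l` listing would yield. The traversal entries are illustrative.
SAMPLE_MEMBERS = [
    "docs/readme.txt",
    "src/main.py",
    "../../etc/hosts",         # climbs out of the extraction directory
    "/etc/passwd",             # absolute path stored inside the archive
    "../workspace/note.txt",   # sibling dir whose name shares the cwd as a prefix
]


def prefix_check(member, cwd):
    """The check described in the patch: the resolved absolute path must
    start with the working directory string. cwd is passed explicitly so
    the result does not depend on where the script runs."""
    target = posixpath.abspath(posixpath.join(cwd, member))
    return target.startswith(cwd)


def commonpath_check(member, cwd):
    """Stricter variant: cwd must be an ancestor by path components, not
    merely a string prefix, so /tmp/workspace is not accepted for /tmp/work."""
    cwd = posixpath.abspath(cwd)
    target = posixpath.abspath(posixpath.join(cwd, member))
    return posixpath.commonpath([cwd, target]) == cwd


def plan_cleanup(members, cwd, check=commonpath_check):
    """Split archive members into those a cleanup may delete from cwd and
    those it must refuse. Nothing is deleted here; only the decision is made."""
    allowed, refused = [], []
    for member in members:
        (allowed if check(member, cwd) else refused).append(member)
    return allowed, refused


if __name__ == "__main__":
    allowed, refused = plan_cleanup(SAMPLE_MEMBERS, "/tmp/work")
    print("would delete:", allowed)
    print("refused:", refused)
```

The last sample member shows why the variant matters: a bare prefix test accepts a sibling directory whose name merely starts with the working directory name, while the commonpath test rejects it.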


WAF Protection Rules

WAF Rule

The thefuck (aka _The Fuck_) is an app that corrects errors in previous console commands. The _The Fuck_ Python package before 3.31 allows Path Traversal that leads to arbitrary file deletion via the `undo archive operation` feature.
