Impact
An archive extraction (Zip Slip) vulnerability in the functionality that allows a user to load a trained model archive in Rasa X 0.42.3 and older allows an attacker to write arbitrary files within specific directories on the host using a maliciously crafted archive file: member paths inside the archive are not validated before extraction, so entries containing `../` sequences are written outside the intended model directory.
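The following is an added example, not Rasa's own code, showing the vulnerable extraction pattern beside a hardened one. It assumes the model archive is a gzipped tar (the same check applies to zip); the member layout (`model/metadata.json` and so on), the archive contents and the symlink member are constructed here for illustration and do not reflect the real Rasa model format. Each member's resolved path is checked against the destination directory before anything is written, and link members are rejected outright, because a symlink extracted first can redirect a later member's write outside the destination as well.

```python
import io
import os
import tarfile
import tempfile


def build_tar(files, links=()):
    """Build a gzipped tar in memory (constructed sample data, not a real Rasa model).

    files: mapping of member name -> bytes; links: iterable of (name, symlink target).
    Names are stored exactly as given, so traversal sequences survive, just as they
    would in an archive produced by an attacker's own tool.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        for name, target in links:
            info = tarfile.TarInfo(name)
            info.type = tarfile.SYMTYPE
            info.linkname = target
            tar.addfile(info)
    return buf.getvalue()


# Constructed archives; the member layout is illustrative, not Rasa's real model format.
BENIGN_MODEL = build_tar({
    "model/metadata.json": b'{"version": "example"}',
    "model/nlu/classifier.pkl": b"\x80\x04.",
})
MALICIOUS_MODEL = build_tar(
    {
        "model/metadata.json": b'{"version": "example"}',
        "../../evil.txt": b"written outside the model directory",
    },
    links=[("link", "../../")],  # a later member "link/x" would write through this
)


def naive_extract(archive, dest):
    """The vulnerable pattern: member names are trusted as given. Before Python 3.14
    the default extraction filter is None, so "../../evil.txt" lands outside dest."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:*") as tar:
        tar.extractall(dest)


def escapes(dest, name):
    """True if extracting `name` under `dest` would resolve outside `dest`."""
    dest_real = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest_real, name))
    return os.path.commonpath([dest_real, target]) != dest_real


def unsafe_members(archive, dest):
    """Names of members that must not be extracted: links, absolute paths, traversal."""
    bad = []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:*") as tar:
        for m in tar.getmembers():
            if m.issym() or m.islnk() or os.path.isabs(m.name) or escapes(dest, m.name):
                bad.append(m.name)
    return bad


def safe_extract(archive, dest):
    """Extract only after every member has been validated; return extracted paths."""
    bad = unsafe_members(archive, dest)
    if bad:
        raise ValueError(f"refusing to extract archive with unsafe members: {bad}")
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:*") as tar:
        if hasattr(tarfile, "data_filter"):  # Python >= 3.12 and backports: defence in depth
            tar.extractall(dest, filter="data")
        else:
            tar.extractall(dest)
    out = []
    for root, _dirs, names in os.walk(dest):
        for n in names:
            out.append(os.path.relpath(os.path.join(root, n), dest).replace(os.sep, "/"))
    return sorted(out)


def demo():
    """Run both archives against a scratch directory and report what happened."""
    with tempfile.TemporaryDirectory() as dest:
        rejected = unsafe_members(MALICIOUS_MODEL, dest)
        try:
            safe_extract(MALICIOUS_MODEL, dest)
            refused = False
        except ValueError:
            refused = True
        extracted = safe_extract(BENIGN_MODEL, dest)
    return rejected, refused, extracted


if __name__ == "__main__":
    print(demo())
```

The check is done on `realpath` of the joined path rather than on the raw member name, so `a/../../x` and similar encodings are caught as well as a literal leading `../`. The stdlib `data` filter is used only as a second layer: it is absent on older interpreters that a deployed Rasa X may still run on, so the explicit validation is what the code relies on.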
Patches
The vulnerability is fixed in Rasa X 0.42.4.
Workarounds
Users who cannot upgrade should not upload or load model files from untrusted sources, and should restrict access to the CLI and API endpoints through which a malicious actor could load a model into a deployed Rasa instance.
For more information
If you have any questions or comments about this advisory: