Advisory #52
Title: Keras arbitrary file overwrite via path traversal in "keras.utils.get_file"
CVE ID: CVE-2021-35958
Vendor: Keras Team
Affected product: Keras
Affected versions: <= latest
Vulnerability type: CWE-22 (Path Traversal)
Description: DISPUTED: Keras has a vulnerability that allows a malicious archive file to overwrite arbitrary files on the machine via the "keras.utils.get_file" function with "extract=True". NOTE: The vendor states that "Security conscious users would check the file, especially if they also pass the extract flag" (I've published this advisory to notify users.)
Status: No fix available
Recommendation: Do not use "keras.utils.get_file" to extract the contents of untrusted archive files.
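As an added, defensive example (not Keras code and not from the advisory author): a check that inspects the member names of a downloaded archive before anything is extracted, refusing entries that would land outside the destination directory, which is the CWE-22 condition the advisory describes. It assumes the archive is already in memory as bytes; the sample tarball is constructed inline and the destination directory name is a placeholder.

```python
import io
import os
import tarfile
import zipfile

def member_escapes(dest_dir, name):
    """True if extracting `name` under dest_dir would write outside dest_dir."""
    dest = os.path.realpath(dest_dir)
    # os.path.join discards dest when name is absolute, so "/etc/x" is caught too.
    target = os.path.realpath(os.path.join(dest, name))
    return os.path.commonpath([dest, target]) != dest

def unsafe_archive_members(archive_bytes, dest_dir="extract_dir"):
    """Names of entries that must not be extracted from an untrusted archive."""
    bad = []
    data = io.BytesIO(archive_bytes)
    if zipfile.is_zipfile(data):
        data.seek(0)
        with zipfile.ZipFile(data) as zf:
            for info in zf.infolist():
                if member_escapes(dest_dir, info.filename):
                    bad.append(info.filename)
        return bad
    data.seek(0)
    with tarfile.open(fileobj=data, mode="r:*") as tf:
        for info in tf.getmembers():
            # Symlinks/hardlinks/devices can redirect writes anywhere; reject them.
            if not (info.isfile() or info.isdir()):
                bad.append(info.name)
            elif member_escapes(dest_dir, info.name):
                bad.append(info.name)
    return bad

def build_sample_tar():
    """Constructed sample: one benign member and one '../' traversal member."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, payload in [("model/weights.txt", b"ok"), ("../outside.txt", b"x")]:
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()

if __name__ == "__main__":
    print(unsafe_archive_members(build_sample_tar()))  # ['../outside.txt']
```

Only extract (with your own extraction code, not `extract=True`) when this returns an empty list.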