Requests is a HTTP library. Prior to version 2.33.0, the requests.utils.extract_zipped_paths() utility function uses a predictable filename when extracting files from zip archives into the system temporary directory. If the target file already exists, it is reused without validation. A local attacker with write access to the temp directory could pre-create a malicious file that would be loaded in place of the legitimate one. Standard usage of the Requests library is not affected by this vulnerability. Only applications that call extract_zipped_paths() directly are impacted. Starting in version 2.33.0, the library extracts files to a non-deterministic location. If developers are unable to upgrade, they can set TMPDIR in their environment to a directory with restricted write access.
Creating and using insecure temporary files can leave application and system data vulnerable to attack.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Requests | Python | * | 2.33.0 (excluding) |
| Python-pip | Ubuntu | esm-apps/xenial | * |
| Requests | Ubuntu | esm-infra/xenial | * |
| Requests | Ubuntu | upstream | * |