CVE-2024-39303: 
Python vulnerability analysis and mitigation

Weblate, a web-based localization tool, was found to have a security vulnerability (CVE-2024-39303) prior to version 5.6.2. The vulnerability was related to improper validation of filenames during project backup restoration. The issue was discovered and disclosed in July 2024, affecting Weblate versions from 4.14 up to (but not including) 5.6.2 (GitHub Advisory).

The vulnerability stems from insufficient validation of filenames when restoring project backups. This could potentially allow an attacker to gain unauthorized access to files on the server through the use of a crafted ZIP file. The vulnerability has been assigned a CVSS v3.1 base score of 5.4 (Medium) by NVD with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N, while GitHub assessed it with a score of 4.4 (Medium) with vector string CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N. The vulnerability is classified under CWE-73 (External Control of File Name or Path) (NVD).

If exploited, this vulnerability could allow attackers to gain unauthorized access to files on the server. The impact primarily affects the confidentiality and integrity of the system, with potential exposure of sensitive files through directory traversal (GitHub Advisory).

The vulnerability has been patched in Weblate version 5.6.2. For users unable to update immediately, the recommended workaround is to restrict project creation capabilities to trusted users only. The fix was implemented through a commit that adds proper validation of file paths during backup restoration (GitHub Patch).