PyPI: natcap.invest

CVE-2007-4559

Safety vulnerability ID: 53729

This vulnerability was reviewed by experts

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at Aug 28, 2007 Updated at May 30, 2024

Advisory

natcap.invest 3.12.1 includes a fix for CVE-2007-4559 in its handling of datastack archives. CVE-2007-4559: Directory traversal vulnerability in the (1) extract and (2) extractall functions in the tarfile module in Python allows user-assisted remote attackers to overwrite arbitrary files via a .. (dot dot) sequence in filenames in a TAR archive, a related issue to CVE-2001-1267. The tarfile module itself only gained extraction filters (the `filter` argument to extract/extractall) in Python 3.12 and the 3.8.17/3.9.17/3.10.12/3.11.4 backports, so any application extracting untrusted archives on an older interpreter has to validate member paths itself before calling extractall.

Affected package

natcap.invest

Latest version: 3.14.2

InVEST Ecosystem Service models

Affected versions

<3.12.1

Fixed versions

3.12.1
Vulnerability changelog

* General
* Fixed a possible path traversal vulnerability when working with datastack
archives. This patches CVE-2007-4559, reported to us by Trellix.
https://github.com/natcap/invest/issues/1113
* Updating descriptions for LULC about text and biophysical table for
clarity in model specs. https://github.com/natcap/invest/issues/1077
* Workbench
* Fixed a bug where the Workbench would become unresponsive during an
InVEST model run if the model emitted a very high volume of log messages.
* Fixed a bug where the Workbench could crash if there was too much
standard error emitted from an invest model.
* Added a new "Save as" dialog window to handle different save options, and
allow the option to use relative paths in a JSON datastack
(`1088 <https://github.com/natcap/invest/issues/1088>`_)
* Fixed a bug where uncaught exceptions in the React tree would result in
a blank browser window.
(`1119 <https://github.com/natcap/invest/issues/1119>`_)
* Habitat Quality
* All spatial inputs including the access vector and threat rasters are
now reprojected to the ``lulc_cur_path`` raster. This fixes a bug where
rasters with a different SRS would appear to not intersect the
``lulc_cur_path`` even if they did. (https://github.com/natcap/invest/issues/1093)
* Paths in the threats table may now be either absolute or relative to the
threats table.
* HRA
* Fixed a regression relative to InVEST 3.9.0 outputs where spatial
criteria vectors were being rasterized with the ``ALL_TOUCHED=TRUE``
flag, leading to a perceived buffering of spatial criteria in certain
cases. In InVEST 3.9.0, these were rasterized with ``ALL_TOUCHED=FALSE``.
https://github.com/natcap/invest/issues/1120
* Fixed an issue with the results table, ``SUMMARY_STATISTICS.csv`` where
the percentages of high, medium and low risk classifications were not
correctly reported.
* Added a column to the ``SUMMARY_STATISTICS.csv`` output table to also
report the percentage of pixels within each subregion that have no risk
classification (a risk classification of 0).
* Urban Stormwater Retention
* Added validation to check that the input soil groups raster has an
integer data type.
* Urban Cooling
* Updated the text for the ``building_intensity`` column in the biophysical
table to clarify that the values of this column should be normalized
relative to one another to be between 0 and 1.

Resources


Severity Details

CVSS v2 Base Score: 6.8 (MEDIUM)
CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

Access Vector (AV): NETWORK
Access Complexity (AC): MEDIUM
Authentication (Au): NONE
Confidentiality Impact (C): PARTIAL
Integrity Impact (I): PARTIAL
Availability Impact (A): PARTIAL