<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Data-Science - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/data-science/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 15 Jul 2026 14:42:17 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/data-science/feed.xml" rel="self" type="application/rss+xml"/><item><title>Cornac Tar Slip Vulnerability Allows Arbitrary File Writes via Path Traversal (CVE-2026-43637)</title><link>https://feed.craftedsignal.io/briefs/2026-07-cornac-tar-slip-cve-2026-43637/</link><pubDate>Wed, 15 Jul 2026 14:42:17 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-cornac-tar-slip-cve-2026-43637/</guid><description>A path traversal vulnerability, dubbed 'Tar Slip' and tracked as CVE-2026-43637, exists in Cornac versions prior to 2.6.0, allowing attackers to write arbitrary files outside the intended cache directory by supplying a specially crafted TAR archive containing path manipulation sequences, which is then processed by built-in dataset loaders.</description><content:encoded><![CDATA[<p>CVE-2026-43637 details a critical path traversal vulnerability, also known as 'Tar Slip', affecting Cornac versions prior to 2.6.0. Attackers can exploit this by crafting a malicious TAR archive that includes path manipulation sequences such as <code>../</code> (dot-dot-slash), absolute paths, or symbolic/hard links. When Cornac's built-in dataset loaders automatically download and extract such an archive, the <code>_extract_archive()</code> function within <code>cornac/utils/download.py</code> invokes <code>archive.extractall()</code>, which fails to properly sanitize these paths. This flaw allows the attacker to write arbitrary files to locations on the filesystem accessible to the running Cornac process, bypassing the intended cache directory restrictions. The vulnerability has a CVSS v3.1 base score of 9.1, indicating a high severity risk due to the potential for significant system compromise.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker creates a malicious TAR archive containing files with path traversal sequences (e.g., <code>../../etc/evil.sh</code>, <code>/usr/local/bin/backdoor</code>).</li>
<li>The malicious TAR archive is distributed or made accessible to a system running a vulnerable version of Cornac.</li>
<li>A Cornac application, utilizing built-in dataset loaders, initiates a process to download and extract a dataset archive.</li>
<li>The malicious TAR archive is downloaded and supplied to Cornac's <code>_extract_archive()</code> function for processing.</li>
<li>The <code>archive.extractall()</code> method is invoked on the malicious archive without proper validation of file paths within the archive.</li>
<li>Due to the path traversal vulnerability, files from the archive are written by the Cornac process to arbitrary locations on the filesystem, outside the intended cache directory.</li>
<li>Successful exploitation can lead to overwriting critical system files, planting malicious executables, achieving persistence, or potentially leading to remote code execution.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-43637 allows an attacker to perform arbitrary file writes on the host system, which can have severe consequences. Depending on the attacker's objectives and the privileges of the Cornac process, this can lead to system compromise, data corruption, privilege escalation, or even remote code execution. Overwriting or creating files in critical system directories could render the system inoperable, facilitate persistent access, or allow the execution of attacker-controlled code. The high CVSS score of 9.1 reflects the critical nature of this vulnerability, indicating potential for complete loss of confidentiality, integrity, and availability.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Patch CVE-2026-43637 immediately by upgrading Cornac to version 2.6.0 or later on all affected systems.</li>
<li>Monitor process creation logs for unexpected file write operations, especially those originating from Cornac processes, to identify potential exploitation attempts.</li>
<li>Implement file integrity monitoring on critical system directories and executables to detect unauthorized modifications that could result from arbitrary file writes.</li>
<li>Restrict the permissions of user accounts running Cornac applications to the minimum necessary to limit the potential impact of file write vulnerabilities.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>vulnerability</category><category>path-traversal</category><category>tar-slip</category><category>data-science</category><category>python</category></item></channel></rss>