GHSA-58PV-8J8X-9VJ2
CVE Details
Visit the official vulnerability details page for GHSA-58PV-8J8X-9VJ2 to learn more.
Initial Publication
01/14/2026
Last Update
01/22/2026
Third Party Dependency
jaraco.context
NIST CVE Summary
jaraco.context Has a Path Traversal Vulnerability
CVE Severity
Our Official Summary
GHSA-58pv-8j8x-9vj2 is a high-severity Zip Slip path traversal vulnerability in the Python jaraco.context package that also affects its use in setuptools. It stems from improper sanitization in the tarball() extraction logic, allowing crafted tar archives to write files outside the intended directory and potentially compromise systems. A fix was released in version 6.1.0 of the package.
This vulnerability is reported on setuptools 80.9.0 with the vulnerable jaraco.context 5.3.0 from the Python packages. However, setuptools 80.9.0 is currently the latest version available. Exploitation would require accessing the container and invoking the tarball execution logic with crafted input. The container has a read-only filesystem and requires authentication to access. The impact of an exploit is also low, since it would be limited to the container file system.
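The following Python is an added example, not code from jaraco.context, setuptools or this advisory: it shows the kind of member-path validation whose absence makes tar extraction vulnerable to Zip Slip, run against constructed in-memory archives. The names `safe_extract`, `build_tar`, `UnsafeArchive` and `demo` are hypothetical.

```python
import io
import os
import tarfile
import tempfile


class UnsafeArchive(Exception):
    """A member would land outside the extraction directory."""


def build_tar(members):
    """Build an in-memory tar from {name: bytes} (constructed sample input)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf


def safe_extract(fileobj, dest):
    """Extract a tar into dest; validate every member before writing anything."""
    root = os.path.realpath(dest)
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        members = tar.getmembers()
        for m in members:
            target = os.path.realpath(os.path.join(root, m.name))
            if os.path.commonpath([root, target]) != root:
                raise UnsafeArchive(f"member escapes destination: {m.name!r}")
            if not (m.isfile() or m.isdir()):
                raise UnsafeArchive(f"unsupported member type: {m.name!r}")
        # Use the stdlib "data" extraction filter as a second layer where present.
        extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(root, members=members, **extra)
    return sorted(m.name for m in members)


def demo():
    """Return (benign names, refusal message or None, whether a file escaped)."""
    with tempfile.TemporaryDirectory() as tmp:
        dest = tempfile.mkdtemp(dir=tmp)
        ok = safe_extract(build_tar({"pkg/setup.py": b"# ok\n"}), dest)
        refusal = None
        try:
            safe_extract(build_tar({"../escape.txt": b"x"}), dest)
        except UnsafeArchive as exc:
            refusal = str(exc)
        return ok, refusal, os.path.exists(os.path.join(tmp, "escape.txt"))
```

Symbolic and hard links are rejected outright here because a link member can redirect a later write outside the destination even when every member name looks relative.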
Status
Ongoing
Affected Products & Versions
| Version | Palette Enterprise | Palette Enterprise Airgap | VerteX | VerteX Airgap |
|---|---|---|---|---|
| 4.8.22 | ⚠️ Impacted | ✅ No Impact | ⚠️ Impacted | ✅ No Impact |
Revision History
| Date | Revision |
|---|---|
| 01/20/2026 | Status changed from Open to Ongoing |
| 01/20/2026 | Official summary added |