The unstructured library provides open-source components for ingesting and pre-processing images and text documents, such as PDFs, HTML, Word docs, and many more. Prior to version 0.18.18, a path traversal vulnerability in the partition_msg function allows an attacker to write or overwrite arbitrary files on the filesystem when processing malicious MSG files with attachments. This issue has been patched in version 0.18.18.
The partition_msg function processes files in MSG format (email messages) along with attachments. An attacker can craft a malicious MSG file containing an attachment with a properly constructed path (path traversal), which after processing by the library is written or overwritten in any location on the file system outside the intended target directory. The vulnerability is classified as CWE-22 (path traversal) and CWE-73 (external control of file name or path).
An attacker can write or overwrite arbitrary files on the file system of a server processing a malicious MSG file, which may lead to code execution, privilege escalation, or violation of system integrity and availability.
The Unstructured library should be updated to version 0.18.18 or later, where the issue has been fixed. Patch details are available in vendor references: https://github.com/Unstructured-IO/unstructured/commit/b01d35b2373fd087d2e15162b9c021663c97155d
Unstructured library (Unstructured-IO/unstructured) in versions prior to 0.18.18
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HUnstructured
APPUnstructured< 0.18.18