Unstructured Library Path Traversal Vulnerability in MSG File Processing Allows Arbitrary File Write

Vulnerability

A path traversal vulnerability has been identified in the Unstructured library, in versions through 0.18.17. The issue is in the 'partition_msg' function, which processes MSG files with attachments. An attacker can craft a malicious MSG file whose attachment filenames include path traversal sequences. When such a file is processed with the 'process_attachments' option enabled, the library writes the attachments to arbitrary locations on the filesystem, potentially overwriting important files or executing malicious code.

Impact

Exploitation of this vulnerability could lead to arbitrary file overwrites, with the potential for remote code execution by overwriting configuration files, cron jobs, or Python packages. Additionally, it could cause data corruption or a denial-of-service condition.

Reproduction

To reproduce this vulnerability, create a malicious MSG file that includes attachment filenames with path traversal sequences, such as '../../../etc/cron.d/malicious'. When this file is processed with 'process_attachments=True', the library will write the attachment to the specified path, overwriting any existing file.

Remediation

Users can update to version 0.18.18 or later, where this vulnerability has been patched. If an immediate update is not possible, the 'process_attachments' option can be set to 'False' when handling untrusted MSG files, or additional filename validation can be implemented before processing.
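One way to implement the additional filename validation mentioned above, as an added example that is not code from the Unstructured project or from version 0.18.18. The helper names 'safe_attachment_path' and 'write_attachment' and the exception 'UnsafeAttachmentName' are hypothetical; the sketch assumes attachments are written flat into a single output directory.

```python
import os
import re
from pathlib import Path


class UnsafeAttachmentName(ValueError):
    """Raised when an attachment filename cannot be made safe (hypothetical name)."""


def safe_attachment_path(base_dir, raw_name):
    """Return a path for raw_name that is guaranteed to sit directly inside base_dir."""
    base = Path(base_dir).resolve()
    # MSG files usually come from Windows clients, so treat '\', '/' and the
    # drive separator ':' as path separators and keep only the last component.
    name = re.split(r"[\\/:]", raw_name)[-1]
    # Drop NUL and other control characters that confuse path handling.
    name = "".join(ch for ch in name if ch.isprintable()).strip()
    if name in ("", ".", ".."):
        raise UnsafeAttachmentName(f"rejected attachment name: {raw_name!r}")
    candidate = (base / name).resolve()
    # Defence in depth: after symlinks are resolved, the target must still be
    # a direct child of the output directory.
    if candidate.parent != base:
        raise UnsafeAttachmentName(f"escapes output directory: {raw_name!r}")
    return candidate


def write_attachment(base_dir, raw_name, data):
    """Write attachment bytes without overwriting anything that already exists."""
    target = safe_attachment_path(base_dir, raw_name)
    # O_EXCL makes the call fail if the name already exists, symlinks included,
    # so a crafted name can never replace an existing file.
    fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return target
```

With this check, a name such as '../../../etc/cron.d/malicious' is reduced to 'malicious' inside the output directory, and names that reduce to nothing usable are rejected.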

Added: Feb 4, 2026, 6:59 PM
Updated: Feb 4, 2026, 6:59 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 8.4
remediation: 0.0
relevance: 2.5
threat: 4.8
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.