GHSA-g7vv-2v7x-gj9p

Опубликовано: 03 мая 2024

Источник: github

Github: Прошло ревью

CVSS3: 3.9

Описание

tqdm CLI arguments injection attack

Impact

Any optional non-boolean CLI arguments (e.g. --delim, --buf-size, --manpath) are passed through python's eval, allowing arbitrary code execution. Example:

python -m tqdm --manpath="\" + str(exec(\"import os\nos.system('echo hi && killall python3')\")) + \""

Patches

https://github.com/tqdm/tqdm/commit/4e613f84ed2ae029559f539464df83fa91feb316 released in tqdm>=4.66.3

Workarounds

None

References

https://github.com/tqdm/tqdm/releases/tag/v4.66.3

Ссылки

Пакеты

Наименование

tqdm

pip

Затронутые версииВерсия исправления

>= 4.4.0, < 4.66.3

4.66.3

EPSS

Процентиль: 13%

0.00044

Низкий

3.9 Low

CVSS3

CVE ID

CVE-2024-34062

Дефекты

CWE-74

Связанные уязвимости

CVE-2024-34062

CVSS3: 4.8

ubuntu

около 1 года назад

tqdm is an open source progress bar for Python and CLI. Any optional non-boolean CLI arguments (e.g. `--delim`, `--buf-size`, `--manpath`) are passed through python's `eval`, allowing arbitrary code execution. This issue is only locally exploitable and had been addressed in release version 4.66.3. All users are advised to upgrade. There are no known workarounds for this vulnerability.