Описание
tqdm is an open source progress bar for Python and CLI. Any optional non-boolean CLI arguments (e.g. --delim, --buf-size, --manpath) are passed through python's eval, allowing arbitrary code execution. This issue is only locally exploitable and had been addressed in release version 4.66.3. All users are advised to upgrade. There are no known workarounds for this vulnerability.
A flaw was found in python-tqdm. When processing non-boolean command line arguments, python-tqdm uses python's eval function but fails to properly sanitize the input provided by the user. This flaw allows an attacker to trick a user into running python-tqdm with crafted command line arguments, resulting in local code execution.
Отчет
This flaw can only be triggered when python-tqdm is used directly via the command line with crafted arguments for non-boolean parameters such as delim, buf-size, and manpath.
The rust-srpm-macros package as shipped by Red Hat Enterprise Linux 8 and 9 is not vulnerable to this issue because it does not use the affected python-tqdm functionality.
Меры по смягчению последствий
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 8 | rust-srpm-macros | Not affected | ||
| Red Hat Enterprise Linux 9 | rust-srpm-macros | Not affected | ||
| Red Hat Quay 3 | quay/quay-rhel8 | Affected |
Показывать по
Дополнительная информация
Статус:
7.3 High
CVSS3
Связанные уязвимости
tqdm is an open source progress bar for Python and CLI. Any optional non-boolean CLI arguments (e.g. `--delim`, `--buf-size`, `--manpath`) are passed through python's `eval`, allowing arbitrary code execution. This issue is only locally exploitable and had been addressed in release version 4.66.3. All users are advised to upgrade. There are no known workarounds for this vulnerability.
tqdm is an open source progress bar for Python and CLI. Any optional non-boolean CLI arguments (e.g. `--delim`, `--buf-size`, `--manpath`) are passed through python's `eval`, allowing arbitrary code execution. This issue is only locally exploitable and had been addressed in release version 4.66.3. All users are advised to upgrade. There are no known workarounds for this vulnerability.
tqdm is an open source progress bar for Python and CLI. Any optional n ...
7.3 High
CVSS3