4.4 Medium
CVSS2
Attack Vector
LOCAL
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:L/AC:M/Au:N/C:P/I:P/A:P
0.001 Low
EPSS
Percentile
25.6%
dstat is a versatile system resource monitor written in Python.
Robert Buchholz of the Gentoo Security Team reported that dstat includes the current working directory and subdirectories in the Python module search path (sys.path) before calling βimportβ.
A local attacker could entice a user to run βdstatβ from a directory containing a specially crafted Python module, resulting in the execution of arbitrary code with the privileges of the user running the application.
Do not run βdstatβ from untrusted working directories.
All dstat users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=sys-apps/dstat-0.6.9-r1"
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
Gentoo | any | all | sys-apps/dstat | <Β 0.6.9-r1 | UNKNOWN |