Lucene search

K
mageiaGentoo FoundationMGASA-2024-0299
HistorySep 13, 2024 - 8:15 p.m.

Updated python-tqdm package fixes security vulnerability

2024-09-1320:15:41
Gentoo Foundation
advisories.mageia.org
7
python-tqdm
security vulnerability
optional cli arguments
arbitrary code execution
unix

CVSS3

4.8

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L

AI Score

7.6

Confidence

Low

Any optional non-boolean CLI arguments (e.g. --delim, --buf-size, --manpath) are passed through python’s eval, allowing arbitrary code execution. This issue is only locally exploitable.

OSVersionArchitecturePackageVersionFilename
Mageia9noarchpython-tqdm< 4.64.1-2.1python-tqdm-4.64.1-2.1.mga9

CVSS3

4.8

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L

AI Score

7.6

Confidence

Low