4.8 Medium (CVSS3)
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L
AI Score: 7.6 High (Confidence: High)
EPSS: 0.0004 Low (Percentile: 15.7%)
Any optional non-boolean CLI arguments (e.g. --delim, --buf-size, --manpath) are passed through Python's eval, allowing arbitrary code execution. Example:
python -m tqdm --manpath="\" + str(exec(\"import os\nos.system('echo hi && killall python3')\")) + \""
Fixed in commit https://github.com/tqdm/tqdm/commit/4e613f84ed2ae029559f539464df83fa91feb316, released in tqdm>=4.66.3.
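Added example (not tqdm's code): the injectable eval-based cast pattern the advisory describes, beside a hardened cast that treats the CLI value purely as data. The function names, the vulnerable body and the converter table are assumptions modelled on the description above, not tqdm's source.

```python
import codecs


class OptionTypeError(ValueError):
    """Raised when a CLI value cannot be converted to its declared type."""


def vulnerable_cast(val, typ):
    # The injectable pattern: the type name and the raw CLI value are spliced
    # into Python source and eval'd. A double quote inside `val` closes the
    # string literal, so whatever follows is evaluated as code.
    # (Hypothetical body modelled on the advisory, not tqdm's own source.)
    return eval(typ + '("' + val + '")')


def _single_char(val):
    # Decode backslash escapes such as "\n" as data, never as code, and
    # insist on exactly one character for a delimiter.
    decoded = codecs.decode(val, 'unicode_escape')
    if len(decoded) != 1:
        raise ValueError(val)
    return decoded.encode()


# Whitelist of converters: the declared type picks a function and the raw
# value is only ever passed to it as an argument. The advisory scopes the
# issue to non-boolean options, so booleans are left out here.
_CONVERTERS = {'str': str, 'int': int, 'float': float, 'chr': _single_char}


def safe_cast(val, typ):
    conv = _CONVERTERS.get(typ)
    if conv is None:
        raise OptionTypeError(f'unsupported type {typ!r}')
    try:
        return conv(val)
    except (ValueError, TypeError):
        raise OptionTypeError(f'{val!r} : {typ}') from None


# Constructed, harmless breakout value: under eval it evaluates 1+1 and
# returns "2"; under the safe cast the quotes are just characters.
INJECTION = '") + str(1+1) + ("'

if __name__ == '__main__':
    print(vulnerable_cast(INJECTION, 'str'))   # prints 2: the input ran as code
    print(safe_cast(INJECTION, 'str'))         # prints the literal text back
    print(safe_cast('5', 'int'), safe_cast(r'\n', 'chr'))
    try:
        safe_cast(INJECTION, 'int')
    except OptionTypeError as err:
        print('rejected:', err)
```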
References
github.com/tqdm/tqdm
github.com/tqdm/tqdm/commit/4e613f84ed2ae029559f539464df83fa91feb316
github.com/tqdm/tqdm/security/advisories/GHSA-g7vv-2v7x-gj9p
lists.fedoraproject.org/archives/list/[email protected]/message/PA3GIGHPWAHCTT4UF57LTPZGWHAX3GW6
lists.fedoraproject.org/archives/list/[email protected]/message/QRECVQCCESHBS3UJOWNXQUIX725TKNY6
lists.fedoraproject.org/archives/list/[email protected]/message/VA337CYUS4SLRFV2P6MX6MZ2LKFURKJC
nvd.nist.gov/vuln/detail/CVE-2024-34062