CVSS2: 6.9 Medium (AV:L/AC:M/Au:N/C:C/I:C/A:C)

Metric | Value |
---|---|
Access Vector | LOCAL |
Access Complexity | MEDIUM |
Authentication | NONE |
Confidentiality Impact | COMPLETE |
Integrity Impact | COMPLETE |
Availability Impact | COMPLETE |

EPSS: 0.001 Low (Percentile: 22.3%)

Untrusted search path vulnerability in the PySys_SetArgv API function in
Python 2.6 and earlier, and possibly later versions, prepends an empty
string to sys.path when the argv[0] argument does not contain a path
separator, which might allow local users to execute arbitrary code via a
Trojan horse Python file in the current working directory.
Author | Note |
---|---|
jdstrand | upstream added new C API function, PySys_SetArgvEx, which can be used to set sys.argv without also modifying sys.path. The default behavior for PySys_SetArgv does not change. |
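
A check a host application can run after initialising an embedded interpreter, written as an added example (not code from the CVE record or from Python upstream): it flags search-path entries that resolve against the current working directory and shows how one such entry changes which file an import resolves to. It uses Python 3's importlib rather than the 2.6 interpreter the record names; the module name and both temporary directories are constructed for the demonstration.

```python
import importlib
import os
import tempfile
from importlib.machinery import PathFinder

MODULE = "hostplugin_demo"  # hypothetical module name, constructed for this example


def cwd_relative_entries(path_entries):
    """Entries that resolve against the current directory: '', '.', any relative path."""
    return [p for p in path_entries if not os.path.isabs(p)]


def scrub(path_entries):
    """Copy of the search path with CWD-relative entries dropped."""
    return [p for p in path_entries if os.path.isabs(p)]


def loads_from(name, path_entries, directory):
    """True if a top-level import of `name` over path_entries resolves inside `directory`."""
    importlib.invalidate_caches()
    spec = PathFinder.find_spec(name, path_entries)
    if spec is None or not spec.origin:
        return False
    return os.path.samefile(os.path.dirname(spec.origin), directory)


def demo():
    """Return (flagged entries, resolved-from-cwd before scrub, resolved-from-trusted after)."""
    start = os.getcwd()
    with tempfile.TemporaryDirectory() as trusted, tempfile.TemporaryDirectory() as work:
        for d in (trusted, work):  # the same module name exists in both directories
            with open(os.path.join(d, MODULE + ".py"), "w") as fh:
                fh.write("# constructed placeholder module\n")
        search_path = ["", trusted]  # search path with the empty string prepended
        os.chdir(work)  # process started in a directory other users can write to
        try:
            before = loads_from(MODULE, search_path, work)
            after = loads_from(MODULE, scrub(search_path), trusted)
        finally:
            os.chdir(start)
    return cwd_relative_entries(search_path), before, after


if __name__ == "__main__":
    print(demo())
```
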
launchpad.net/bugs/cve/CVE-2008-5983
nvd.nist.gov/vuln/detail/CVE-2008-5983
security-tracker.debian.org/tracker/CVE-2008-5983
ubuntu.com/security/notices/USN-1596-1
ubuntu.com/security/notices/USN-1613-1
ubuntu.com/security/notices/USN-1613-2
ubuntu.com/security/notices/USN-1616-1
www.cve.org/CVERecord?id=CVE-2008-5983