CVSS2 score: 3.3 Low

Metric | Value |
---|---|
Access Vector | LOCAL |
Access Complexity | MEDIUM |
Authentication | NONE |
Confidentiality Impact | PARTIAL |
Integrity Impact | PARTIAL |
Availability Impact | NONE |
Vector | AV:L/AC:M/Au:N/C:P/I:P/A:N |

EPSS: 0.0004 Low (percentile: 5.3%)

Race condition in the _get_masked_mode function in Lib/os.py in Python 3.2
through 3.5, when exist_ok is set to true and multiple threads are used,
might allow local users to bypass intended file permissions by leveraging a
separate application vulnerability before the umask has been set to the
expected value.
Author | Note |
---|---|
seth-arnold | The upstream patch uses umask(0022) instead of umask(0) – which seems as bad as the original behaviour. We should see if there is an updated patch when we prepare our packages that replaces the bad code. |
mdeslaur | Introduced by the fix for http://bugs.python.org/issue9299. Upstream committed a better fix than the proposed one in the bug, but it now changes behaviour. |
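
The window in the description above, replayed deterministically in one thread on a POSIX system (an added example, not the code from Lib/os.py or the upstream patch). The names `get_masked_mode`, `in_window`, `create_and_stat` and `demo`, and the 0o077 process umask, are assumptions for illustration; `probe=0o022` is the variant mentioned in the notes.

```python
import os
import tempfile


def get_masked_mode(mode, probe=0, in_window=None):
    """Read the umask by overwriting it with `probe`, then restore it.

    `in_window` is a hypothetical hook standing in for another thread that
    happens to run between the two umask() calls.
    """
    mask = os.umask(probe)        # process-wide umask is now `probe`
    try:
        if in_window is not None:
            in_window()
    finally:
        os.umask(mask)            # restore the real umask
    return mode & ~mask


def create_and_stat(path):
    """Create a file requesting 0o666 and return the mode it actually got."""
    fd = os.open(path, os.O_CREAT | os.O_EXCL | os.O_WRONLY, 0o666)
    os.close(fd)
    return os.stat(path).st_mode & 0o777


def demo(process_umask=0o077):
    """Return file modes created outside and inside the probe window."""
    modes = {}
    saved = os.umask(process_umask)   # constructed, strict process umask
    try:
        with tempfile.TemporaryDirectory() as tmp:
            modes["normal"] = create_and_stat(os.path.join(tmp, "normal"))
            for name, probe in (("probe_0", 0), ("probe_022", 0o022)):
                def other_thread(name=name):
                    modes[name] = create_and_stat(os.path.join(tmp, name))
                modes["masked_" + name] = get_masked_mode(0o777, probe, other_thread)
    finally:
        os.umask(saved)
    return modes


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value:04o}")
```

With a process umask of 0o077, a file created inside the window is group- and world-readable for either probe value, and world-writable as well when the probe is 0; the umask is per-process, so no choice of probe value closes the window for other threads.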