ipython is vulnerable to Command Injection. The vulnerability exists due to improper input sanitization in the _set_term_title function of terminal.py, which allows an attacker to inject maliciously crafted commands if the host is running Windows and ctypes is not available.
github.com/advisories/GHSA-29gw-9793-fvw7
github.com/Carreau/ipython/blob/7557ade0ed927475d5ab5b573d0ea4febfb22683/docs/source/whatsnew/version8.rst#ipython-810
github.com/ipython/ipython/blob/3f0bf05f072a91b2a3042d23ce250e5e906183fd/IPython/utils/terminal.py#L103-L117
github.com/ipython/ipython/blob/56e6925dfa50e2c7f4a6471547b8176275db7c25/IPython/utils/_process_win32.py#L20
github.com/ipython/ipython/commit/385d69325319a5972ee9b5983638e3617f21cb1f
github.com/ipython/ipython/security/advisories/GHSA-29gw-9793-fvw7
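
A check for whether a given Python environment meets the preconditions in the description above (IPython below the fix, Windows host, ctypes not importable). This is an added example, not code from IPython or from the advisory. The fixed version 8.10.0 is an assumption taken from the "ipython-810" release-notes anchor in the links, and the names exposure, check_local and ASSUMED_FIXED are hypothetical.

```python
import re
import sys
from importlib import metadata

# Assumption: the fix shipped in IPython 8.10.0 (from the "ipython-810"
# release-notes anchor in the references). Adjust if your feed says otherwise.
ASSUMED_FIXED = (8, 10, 0)


def parse_version(text):
    """Turn '8.9.0', '7.34' or '8.10.0rc1' into a 3-tuple; suffixes are ignored."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(g or 0) for g in m.groups())


def exposure(version, platform, ctypes_available, fixed=ASSUMED_FIXED):
    """Return (exposed, reasons_not_exposed) for the advisory's preconditions."""
    reasons = []
    if parse_version(version) >= fixed:
        reasons.append(f"IPython {version} is at or above the assumed fix")
    if not platform.startswith("win"):
        reasons.append(f"platform {platform!r} is not Windows")
    if ctypes_available:
        reasons.append("ctypes is importable")
    # Exposed only when every precondition holds, i.e. no mitigating reason.
    return (not reasons, reasons)


def check_local():
    """Evaluate the interpreter this script is running under."""
    try:
        version = metadata.version("ipython")
    except metadata.PackageNotFoundError:
        return (False, ["IPython is not installed"])
    try:
        import ctypes  # noqa: F401  (only testing importability)
        has_ctypes = True
    except ImportError:
        has_ctypes = False
    return exposure(version, sys.platform, has_ctypes)


if __name__ == "__main__":
    exposed, reasons = check_local()
    print("EXPOSED" if exposed else "not exposed: " + "; ".join(reasons))
```

Run it with each interpreter that has IPython installed, since ctypes availability is a property of the Python build, not of the host.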