GHSA-9w2p-rh8c-v9g5
Suggest an improvement- Source
- https://github.com/advisories/GHSA-9w2p-rh8c-v9g5
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/12/GHSA-9w2p-rh8c-v9g5/GHSA-9w2p-rh8c-v9g5.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-9w2p-rh8c-v9g5
- Aliases
-
- CVE-2023-49797
- PYSEC-2023-292
- Published
- 2023-12-09T00:39:46Z
- Modified
- 2024-11-22T20:43:40.132496Z
- Severity
-
- 8.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H CVSS Calculator
- Summary
- Local Privilege Escalation in Windows
- Details
-
Impact
A PyInstaller built application, elevated as a privileged process, may be tricked by an unprivileged attacker into deleting files the unprivileged user does not otherwise have access to.
A user is affected if all the following are satisfied:
- The user runs an application containing either
matplotliborwin32com. - The application is ran as administrator (or at least a user with higher privileges than the attacker).
- The user's temporary directory is not locked to that specific user (most likely due to
TMP/TEMPenvironment variables pointing to an unprotected, arbitrary, non default location). - Either:
- The attacker is able to very carefully time the replacement of a temporary file with a symlink. This switch must occur exactly between
shutil.rmtree()'s builtin symlink check and the deletion itself - The application was built with Python 3.7.x or earlier which has no protection against Directory Junctions links
- The attacker is able to very carefully time the replacement of a temporary file with a symlink. This switch must occur exactly between
Patches
The vulnerability has been addressed in https://github.com/pyinstaller/pyinstaller/pull/7827 which corresponds to
pyinstaller >= 5.13.1Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
No workaround, although the attack complexity becomes much higher if the application is built with Python >= 3.8.0.
- The user runs an application containing either
- Database specific
{ "nvd_published_at": "2023-12-09T01:15:07Z", "cwe_ids": [ "CWE-379", "CWE-732" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2023-12-09T00:39:46Z" }- References
-
- https://github.com/pyinstaller/pyinstaller/security/advisories/GHSA-9w2p-rh8c-v9g5
- https://nvd.nist.gov/vuln/detail/CVE-2023-49797
- https://github.com/pyinstaller/pyinstaller/pull/7827
- https://github.com/pyinstaller/pyinstaller
- https://github.com/pypa/advisory-database/tree/main/vulns/pyinstaller/PYSEC-2023-292.yaml
- https://github.com/python/cpython/blob/0fb18b02c8ad56299d6a2910be0bab8ad601ef24/Lib/shutil.py#L623
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2K2XIQLEMZIKUQUOWNDYWTEWYQTKMAN7
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ISRWT34FAF23PUOLVZ7RVWBZMWPDR5U7
Affected packages
PyPI / pyinstaller
Package
- Name
- pyinstaller
- View open source insights on deps.dev
- Purl
- pkg:pypi/pyinstaller