GHSA-g7vv-2v7x-gj9p
Suggest an improvement- Source
- https://github.com/advisories/GHSA-g7vv-2v7x-gj9p
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-g7vv-2v7x-gj9p/GHSA-g7vv-2v7x-gj9p.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-g7vv-2v7x-gj9p
- Aliases
- Related
- Published
- 2024-05-03T19:33:28Z
- Modified
- 2024-09-11T06:13:04.713096Z
- Severity
-
- 3.9 (Low) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N CVSS Calculator
- Summary
- tqdm CLI arguments injection attack
- Details
-
Impact
Any optional non-boolean CLI arguments (e.g.
--delim,--buf-size,--manpath) are passed through python'seval, allowing arbitrary code execution. Example:python -m tqdm --manpath="\" + str(exec(\"import os\nos.system('echo hi && killall python3')\")) + \""Patches
https://github.com/tqdm/tqdm/commit/4e613f84ed2ae029559f539464df83fa91feb316 released in
tqdm>=4.66.3Workarounds
None
References
- https://github.com/tqdm/tqdm/releases/tag/v4.66.3
- Database specific
{ "severity": "LOW", "nvd_published_at": "2024-05-03T10:15:08Z", "github_reviewed_at": "2024-05-03T19:33:28Z", "github_reviewed": true, "cwe_ids": [ "CWE-74" ] }- References
-
- https://github.com/tqdm/tqdm/security/advisories/GHSA-g7vv-2v7x-gj9p
- https://nvd.nist.gov/vuln/detail/CVE-2024-34062
- https://github.com/tqdm/tqdm/commit/4e613f84ed2ae029559f539464df83fa91feb316
- https://github.com/tqdm/tqdm
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PA3GIGHPWAHCTT4UF57LTPZGWHAX3GW6
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QRECVQCCESHBS3UJOWNXQUIX725TKNY6
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VA337CYUS4SLRFV2P6MX6MZ2LKFURKJC
Affected packages
PyPI / tqdm
Package
- Name
- tqdm
- View open source insights on deps.dev
- Purl
- pkg:pypi/tqdm
Affected versions
4.*
4.4.0
4.4.1
4.4.3
4.5.0
4.5.2
4.6.1
4.6.2
4.7.0
4.7.1
4.7.2
4.7.4
4.7.6
4.8.1
4.8.2
4.8.3
4.8.4
4.9.0
4.10.0
4.11.0
4.11.1
4.11.2
4.12.0
4.13.0
4.14.0
4.15.0
4.16.0
4.17.0
4.17.1
4.18.0
4.19.1
4.19.1.post1
4.19.2
4.19.4
4.19.5
4.19.6
4.19.7
4.19.8
4.19.9
4.20.0
4.21.0
4.22.0
4.23.0
4.23.1
4.23.2
4.23.3
4.23.4
4.24.0
4.25.0
4.26.0
4.27.0
4.28.0
4.28.1
4.29.0
4.29.1
4.30.0
4.31.0
4.31.1
4.32.0
4.32.1
4.32.2
4.33.0
4.34.0
4.35.0
4.36.0
4.36.1
4.37.0
4.38.0
4.39.0
4.40.0
4.40.1
4.40.2
4.41.0
4.41.1
4.42.0
4.42.1
4.43.0
4.44.0
4.44.1
4.45.0
4.46.0
4.46.1
4.47.0
4.48.0
4.48.1
4.48.2
4.49.0
4.50.0
4.50.1
4.50.2
4.51.0
4.52.0
4.53.0
4.54.0
4.54.1
4.55.0
4.55.1
4.55.2
4.56.0
4.56.1
4.56.2
4.57.0
4.58.0
4.59.0
4.60.0
4.61.0
4.61.1
4.61.2
4.62.0
4.62.1
4.62.2
4.62.3
4.63.0
4.63.1
4.63.2
4.64.0
4.64.1
4.65.0
4.65.1
4.65.2
4.66.0
4.66.1
4.66.2