CVE-2024-34062 - OpenCVE

tqdm is an open source progress bar for Python and CLI. Any optional non-boolean CLI arguments (e.g. `--delim`, `--buf-size`, `--manpath`) are passed through python's `eval`, allowing arbitrary code execution. This issue is only locally exploitable and had been addressed in release version 4.66.3. All users are advised to upgrade. There are no known workarounds for this vulnerability.

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction Required

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

No data.

No data.

References

Link	Resource
https://github.com/tqdm/tqdm/commit/4e613f84ed2ae029559f539464df83fa91feb316
https://github.com/tqdm/tqdm/security/advisories/GHSA-g7vv-2v7x-gj9p
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PA3GIGHPWAHCTT4UF57LTPZGWHAX3GW6/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QRECVQCCESHBS3UJOWNXQUIX725TKNY6/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VA337CYUS4SLRFV2P6MX6MZ2LKFURKJC/

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-05-03T09:55:26.119Z

Updated: 2024-06-17T18:59:40.062Z

Reserved: 2024-04-30T06:56:33.380Z

Link: CVE-2024-34062

JSON object: View

NVD Information

Status : Awaiting Analysis

Published: 2024-05-03T10:15:08.500

Modified: 2024-06-10T17:16:28.360

Link: CVE-2024-34062

JSON object: View

Redhat Information

No data.

CWE

CWE-74

{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2024-34062", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-04-30T06:56:33.380Z", "datePublished": "2024-05-03T09:55:26.119Z", "dateUpdated": "2024-06-17T18:59:40.062Z"}, "containers": {"cna": {"title": "tqdm CLI arguments injection attack", "problemTypes": [{"descriptions": [{"cweId": "CWE-74", "lang": "en", "description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/tqdm/tqdm/security/advisories/GHSA-g7vv-2v7x-gj9p", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/tqdm/tqdm/security/advisories/GHSA-g7vv-2v7x-gj9p"}, {"name": "https://github.com/tqdm/tqdm/commit/4e613f84ed2ae029559f539464df83fa91feb316", "tags": ["x_refsource_MISC"], "url": "https://github.com/tqdm/tqdm/commit/4e613f84ed2ae029559f539464df83fa91feb316"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VA337CYUS4SLRFV2P6MX6MZ2LKFURKJC/"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QRECVQCCESHBS3UJOWNXQUIX725TKNY6/"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PA3GIGHPWAHCTT4UF57LTPZGWHAX3GW6/"}], "affected": [{"vendor": "tqdm", "product": "tqdm", "versions": [{"version": ">= 4.4.0, < 4.66.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-05-03T09:55:26.119Z"}, "descriptions": [{"lang": "en", "value": "tqdm is an open source progress bar for Python and CLI. Any optional non-boolean CLI arguments (e.g. `--delim`, `--buf-size`, `--manpath`) are passed through python's `eval`, allowing arbitrary code execution. This issue is only locally exploitable and had been addressed in release version 4.66.3. All users are advised to upgrade. There are no known workarounds for this vulnerability."}], "source": {"advisory": "GHSA-g7vv-2v7x-gj9p", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-06-17T18:59:26.047390Z", "id": "CVE-2024-34062", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-17T18:59:40.062Z"}}]}, "dataVersion": "5.1"}

{"descriptions": [{"lang": "en", "value": "tqdm is an open source progress bar for Python and CLI. Any optional non-boolean CLI arguments (e.g. `--delim`, `--buf-size`, `--manpath`) are passed through python's `eval`, allowing arbitrary code execution. This issue is only locally exploitable and had been addressed in release version 4.66.3. All users are advised to upgrade. There are no known workarounds for this vulnerability."}, {"lang": "es", "value": "tqdm es una barra de progreso de c\u00f3digo abierto para Python y CLI. Cualquier argumento CLI opcional no booleano (por ejemplo, `--delim`, `--buf-size`, `--manpath`) se pasa a trav\u00e9s del `eval` de Python, lo que permite la ejecuci\u00f3n de c\u00f3digo arbitrario. Este problema solo se puede explotar localmente y se solucion\u00f3 en la versi\u00f3n 4.66.3. Se recomienda a todos los usuarios que actualicen. No se conocen workarounds para esta vulnerabilidad."}], "id": "CVE-2024-34062", "lastModified": "2024-06-10T17:16:28.360", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 3.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-05-03T10:15:08.500", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/tqdm/tqdm/commit/4e613f84ed2ae029559f539464df83fa91feb316"}, {"source": "security-advisories@github.com", "url": "https://github.com/tqdm/tqdm/security/advisories/GHSA-g7vv-2v7x-gj9p"}, {"source": "security-advisories@github.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PA3GIGHPWAHCTT4UF57LTPZGWHAX3GW6/"}, {"source": "security-advisories@github.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QRECVQCCESHBS3UJOWNXQUIX725TKNY6/"}, {"source": "security-advisories@github.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VA337CYUS4SLRFV2P6MX6MZ2LKFURKJC/"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-74"}], "source": "security-advisories@github.com", "type": "Secondary"}]}