DirectorySecurity Advisories
Sign In
Security Advisories

CGA-wprj-p696-fg4q

Published

Last updated

https://images.chainguard.dev/security/CGA-wprj-p696-fg4q
Package

py3-tqdm

Latest Update
Fixed
Fixed Version

4.66.4-r0

Aliases
  • CVE-2024-34062
  • GHSA-g7vv-2v7x-gj9p

Severity

3.9

Low

CVSS V3

Summary

tqdm CLI arguments injection attack

Description

Impact

Any optional non-boolean CLI arguments (e.g. --delim, --buf-size, --manpath) are passed through python's eval, allowing arbitrary code execution. Example:

python -m tqdm --manpath="\" + str(exec(\"import os\nos.system('echo hi && killall python3')\")) + \""

Patches

https://github.com/tqdm/tqdm/commit/4e613f84ed2ae029559f539464df83fa91feb316 released in tqdm>=4.66.3

Workarounds

None

References

References

Updates

Safe Source for Open Sourceâ„¢
Media KitContact Us
© 2024 Chainguard. All Rights Reserved.
Private PolicyTerms of Use

Product

Chainguard Images

Why Chainguard

Container Image SecurityVulnerability RemediationCompliance and Risk MitigationSoftware Supply Chain SecurityAI/ML Security

Customers

Customer StoriesChainguard Love

Company

About UsOpen SourceCareersNewsroomLegal

Resources

Unchained BlogResearchEventsTrust CenterDocumentation