DirectorySecurity Advisories
Sign In
Security Advisories

CVE-2024-34062

Published

Last updated

NVD

https://nvd.nist.gov/vuln/detail/CVE-2024-34062

CGA ID

CGA-w4cf-89f6-mqm2

Severity

3.9

Low

CVSS V3

Summary

tqdm CLI arguments injection attack

Description

Impact

Any optional non-boolean CLI arguments (e.g. --delim, --buf-size, --manpath) are passed through python's eval, allowing arbitrary code execution. Example:

python -m tqdm --manpath="\" + str(exec(\"import os\nos.system('echo hi && killall python3')\")) + \""

Patches

https://github.com/tqdm/tqdm/commit/4e613f84ed2ae029559f539464df83fa91feb316 released in tqdm>=4.66.3

Workarounds

None

References

References

Affected packages


Safe Source for Open Sourceâ„¢
Media KitContact Us
© 2024 Chainguard. All Rights Reserved.
Private PolicyTerms of Use

Product

Chainguard Images