Risk | Low |
Patch available | YES |
Number of vulnerabilities | 1 |
CVE-ID | CVE-2024-4030 |
CWE-ID | CWE-378 |
Exploitation vector | Local |
Public exploit | N/A |
Vulnerable software | Python Universal components / Libraries / Scripting languages |
Vendor | Python.org |
Security Bulletin
This security bulletin contains one low risk vulnerability.
EUVDB-ID: #VU96944
Risk: Low
CVSSv3.1: 3.2 [CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-4030
CWE-ID: CWE-378 - Creation of Temporary File With Insecure Permissions
Exploit availability: No
Description
The vulnerability allows a local user to gain access to sensitive information.
The vulnerability exists because the directory returned by tempfile.mkdtemp() would not always have permissions set to restrict reading and writing to the temporary directory by other users, instead usually inheriting the correct permissions from the default location. A local user can gain access to potentially sensitive information stored in temporary files.
Successful exploitation of the vulnerability requires an alternate configuration or users without a profile directory.
Mitigation
Install updates from vendor's website.
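A fail-closed check for the condition described above, as an added example that is not part of the original bulletin or of CPython: it creates a directory with tempfile.mkdtemp() and refuses to use it unless only the owner has access. The helper names audit_private_dir and make_private_tempdir are hypothetical, and the check reads POSIX mode bits only, which do not reflect ACL-based permissions.

```python
import os
import stat
import tempfile

# Hypothetical helper names; POSIX permission bits only (assumption).
OTHERS_MASK = stat.S_IRWXG | stat.S_IRWXO  # any group/other access


def audit_private_dir(path):
    """Return a list of findings; an empty list means owner-only access."""
    findings = []
    st = os.lstat(path)  # lstat: do not follow a symlink planted at path
    if not stat.S_ISDIR(st.st_mode):
        findings.append("not a directory (possible symlink or file)")
        return findings
    if hasattr(os, "geteuid") and st.st_uid != os.geteuid():
        findings.append(f"owned by uid {st.st_uid}, not the current user")
    extra = stat.S_IMODE(st.st_mode) & OTHERS_MASK
    if extra:
        findings.append(f"group/other permission bits set: {oct(extra)}")
    return findings


def make_private_tempdir(prefix="app-"):
    """Create a temp dir and fail closed if it is not owner-only."""
    path = tempfile.mkdtemp(prefix=prefix)
    findings = audit_private_dir(path)
    if findings:
        os.rmdir(path)  # nothing has been written yet, so removal is safe
        raise PermissionError(f"{path}: " + "; ".join(findings))
    return path


if __name__ == "__main__":
    d = make_private_tempdir()
    print(d, "->", audit_private_dir(d) or "owner-only")
    os.chmod(d, 0o755)  # constructed misconfiguration for demonstration
    print(d, "->", audit_private_dir(d))
    os.rmdir(d)
```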
Vulnerable software versions
Python: 3.8 - 3.12.5
CPE2.3
http://mail.python.org/archives/list/security-announce@python.org/thread/PRGS5OR3N3PNPT4BMV2VAGN5GMUI5636/
http://github.com/python/cpython/issues/118486
http://github.com/python/cpython/commit/81939dad77001556c527485d31a2d0f4a759033e
http://github.com/python/cpython/commit/8ed546679524140d8282175411fd141fe7df070d
http://github.com/python/cpython/commit/35c799d79177b962ddace2fa068101465570a29a
http://github.com/python/cpython/commit/5130731c9e779b97d00a24f54cdce73ce9975dfd
http://github.com/python/cpython/commit/66f8bb76a15e64a1bb7688b177ed29e26230fdee
http://github.com/python/cpython/commit/6d0850c4c8188035643586ab4d8ec2468abd699e
http://github.com/python/cpython/commit/91e3669e01245185569d09e9e6e11641282971ee
http://github.com/python/cpython/commit/94591dca510c796c7d40e9b4167ea56f2fdf28ca
http://github.com/python/cpython/commit/c8f868dc52f98011d0f9b459b6487920bfb0ac4d
http://github.com/python/cpython/commit/d86b49411753bf2c83291e3a14ae43fefded2f84
http://github.com/python/cpython/commit/e1dfa978b1ad210d551385ad8073ec6154f53763
http://github.com/python/cpython/commit/eb29e2f5905da93333d1ce78bc98b151e763ff46
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.