CVE-2024-34062

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74)

Published: May 3, 2024 / Updated: 6mo ago

CVSS 4.8 (Medium) / EPSS 0.04%

Summary

tqdm is an open source progress bar for Python and the command line. In the tqdm CLI, the value of any optional non-boolean argument (e.g. `--delim`, `--buf-size`, `--manpath`) is passed through Python's `eval` to coerce it to the option's type, so a crafted value is executed as Python code. This issue is only locally exploitable: the attacker must be able to supply option values to the tqdm command-line tool.
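The mechanism above, as an added example that is not tqdm's own code: `unsafe_cast` is a constructed stand-in for the vulnerable pattern (the option value is spliced into Python source and `eval`ed to coerce it to a type, so a value containing a double quote closes the literal and the rest runs as code), and `safe_cast` is one hardened replacement built on a per-option type table and `ast.literal_eval`, which accepts literals only and rejects names, calls and attribute access. The option names and types, the `_ESCAPES` table and the `PAYLOAD` string are assumptions made for this example; the payload follows the shape of the advisory's example command but reads `math.pi` instead of calling `os.system`, so the block is harmless to run.

```python
import ast

# Constructed payload in the shape of the advisory's example: the leading
# quote closes the string literal the CLI wraps the value in, the trailing
# quote re-opens it. Made harmless here (reads math.pi instead of calling
# os.system) so the block can be executed safely.
PAYLOAD = '" + str(__import__("math").pi) + "'


def unsafe_cast(raw: str, typ: str):
    """Stand-in (not tqdm's code) for the pattern behind CVE-2024-34062.

    The option value is spliced into Python source and eval()ed to coerce
    it to the option's type; a value containing a double quote escapes the
    literal and the remainder runs as arbitrary Python.
    """
    return eval(f'{typ}("{raw}")')


# Hardened replacement: one expected type per option (assumed set of
# options for this example), literals only, never eval().
OPTION_TYPES = {
    "delim": str,
    "buf-size": int,
    "manpath": str,
    "mininterval": float,
}

# The escape sequences a delimiter option realistically needs, decoded by
# lookup rather than by evaluating the string.
_ESCAPES = {r"\n": "\n", r"\0": "\0", r"\t": "\t", r"\r": "\r"}


def safe_cast(option: str, raw: str):
    """Coerce a CLI option value to its declared type without running code."""
    try:
        expected = OPTION_TYPES[option]
    except KeyError:
        raise ValueError(f"unknown option --{option}") from None

    if expected is str:
        # A path or delimiter is taken verbatim: the payload above stays an
        # odd-looking but inert string.
        return _ESCAPES.get(raw, raw)

    try:
        # literal_eval parses numbers, strings, tuples etc. and raises on
        # anything else, so __import__(...) or a call never evaluates.
        value = ast.literal_eval(raw)
    except (ValueError, SyntaxError):
        raise ValueError(
            f"--{option}: {raw!r} is not a {expected.__name__} literal"
        ) from None

    # bool is a subclass of int; refuse --buf-size=True explicitly.
    if isinstance(value, bool) or not isinstance(value, expected):
        raise ValueError(f"--{option}: expected {expected.__name__}, got {raw!r}")
    return value


def rejects(option: str, raw: str) -> bool:
    """True if the hardened parser refuses the value."""
    try:
        safe_cast(option, raw)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("unsafe_cast executed the payload:", unsafe_cast(PAYLOAD, "str"))
    print("safe_cast kept it as a plain string:", safe_cast("manpath", PAYLOAD))
    print("safe_cast --buf-size=1024 ->", safe_cast("buf-size", "1024"))
    print("safe_cast refuses payload for --buf-size:", rejects("buf-size", PAYLOAD))
```

Running the block shows the contrast the advisory describes: `unsafe_cast` returns the value of `math.pi` as a string, proof that attacker-controlled source was executed, while `safe_cast` either returns the same bytes as an inert string (for string options) or raises `ValueError` (for numeric options). The type check after `literal_eval` matters because `literal_eval` alone would happily return a tuple or a `bool` where an `int` was expected.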

Impact

A local attacker who can control the values of tqdm CLI options could execute arbitrary Python code, and through it arbitrary system commands, with the privileges of the user running tqdm. Depending on those privileges this could lead to data theft, system compromise or destructive actions.

Exploitation

The GitHub advisory (GHSA-g7vv-2v7x-gj9p) includes an example command demonstrating the injection. There is no evidence of exploitation in the wild at the moment.

Patch

tqdm 4.66.3 has been released to address this vulnerability. All users are advised to upgrade to this version or later.

Mitigation

There are no known workarounds for this vulnerability. Users should upgrade to tqdm 4.66.3 or later as soon as possible. The issue is reachable only through the tqdm command-line interface, so the practical exposure is any script, wrapper or pipeline that passes values it does not control into tqdm CLI options.

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L

Timeline

First Article (May 3, 2024 at 10:02 AM, CVE): Feedly found the first article mentioning CVE-2024-34062.

CVSS Estimate (May 3, 2024 at 10:04 AM): Feedly estimated the CVSS score as HIGH.

CVE Assignment (May 3, 2024 at 10:15 AM): NVD published the first details for CVE-2024-34062.

CVSS (May 3, 2024 at 10:20 AM, nvd): A CVSS base score of 4.8 has been assigned.

Vendor Advisory (May 3, 2024 at 6:00 PM): Red Hat released a security advisory for CVE-2024-34062.

Trending (May 3, 2024 at 6:55 PM): This CVE started to trend in security discussions.

EPSS (May 4, 2024 at 9:42 AM): EPSS score was set to 0.04% (percentile: 8.3%).

Trending (May 5, 2024 at 2:25 AM): This CVE stopped trending in security discussions.

Detection in Vulnerability Scanners (May 16, 2024 at 7:16 AM): Detection for the vulnerability has been added to Nessus (197158).

Affected Systems

Tqdm_project/tqdm

Patches

bugzilla.redhat.com

Links to Mitre Att&cks

T1562.003: Impair Command History Logging

Attack Patterns

CAPEC-10: Buffer Overflow via Environment Variables

Vendor Advisory

[GHSA-g7vv-2v7x-gj9p] tqdm CLI arguments injection attack

Example command from the advisory (the value closes the quoted string the CLI wraps it in, and the remainder is evaluated as Python):

python -m tqdm --manpath="\" + str(exec(\"import os\nos.system('echo hi && killall python3')\")) + \""

News

Multiple vulnerabilities in IBM QRadar App SDK
The vulnerability allows a remote attacker to gain access to potentially sensitive information. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Multiple vulnerabilities in Splunk Add-on for Cisco Meraki
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack. The vulnerability allows a remote attacker to gain access to potentially sensitive information.
SVD-2024-1015: Third-Party Package Updates in the Splunk Add-on for Cisco Meraki - October 2024
Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in the Splunk Add-on for Cisco Meraki version 2.2.0 and higher, including the following: Upgrade Splunk Add-on for Cisco Meraki versions 2.2.0 or higher.
Security: Execution of arbitrary commands in python-tqdm (SUSE)
SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (noarch). This update for python-tqdm fixes the following issues:
Multiple vulnerabilities in IBM Security QRadar EDR
A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website. Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

CVSS V3.1

Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability Impact: Low
