CVSS: 7.1EPSS: 0%CPEs: 5EXPL: 0CVE-2024-4030 – tempfile.mkdtemp() may be readable and writeable by all users on Windows
https://notcve.org/view.php?id=CVE-2024-4030
07 May 2024 — On Windows a directory returned by tempfile.mkdtemp() would not always have permissions set to restrict reading and writing to the temporary directory by other users, instead usually inheriting the correct permissions from the default location. Alternate configurations or users without a profile directory may not have the intended permissions. If you’re not using Windows or haven’t changed the temporary directory location then you aren’t affected by this vulnerability. On other platforms the returned direct... • https://github.com/python/cpython/commit/35c799d79177b962ddace2fa068101465570a29a • CWE-276: Incorrect Default Permissions •
CVSS: 6.2EPSS: 0%CPEs: 5EXPL: 0CVE-2024-0450 – Quoted zip-bomb protection for zipfile
https://notcve.org/view.php?id=CVE-2024-0450
19 Mar 2024 — An issue was found in the CPython `zipfile` module affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior. The zipfile module is vulnerable to “quoted-overlap” zip-bombs which exploit the zip format to create a zip-bomb with a high compression ratio. The fixed versions of CPython makes the zipfile module reject zip archives which overlap entries in the archive. Se encontró un problema en el módulo `zipfile` de CPython que afecta a las versiones 3.12.2, 3.11.8, 3.10.13, 3.9.18 y 3.8.18 y an... • http://www.openwall.com/lists/oss-security/2024/03/20/5 • CWE-405: Asymmetric Resource Consumption (Amplification) CWE-450: Multiple Interpretations of UI Input •
CVSS: 7.8EPSS: 0%CPEs: 5EXPL: 0CVE-2023-6597 – python: Path traversal on tempfile.TemporaryDirectory
https://notcve.org/view.php?id=CVE-2023-6597
06 Mar 2024 — An issue was found in the CPython `tempfile.TemporaryDirectory` class affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior. The tempfile.TemporaryDirectory class would dereference symlinks during cleanup of permissions-related errors. This means users which can run privileged programs are potentially able to modify permissions of files referenced by symlinks in some circumstances. Se encontró un problema en la clase CPython `tempfile.TemporaryDirectory` que afecta a las versiones 3.12.2,... • http://www.openwall.com/lists/oss-security/2024/03/20/5 • CWE-61: UNIX Symbolic Link (Symlink) Following •