CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-34062 – tqdm CLI arguments injection attack
https://notcve.org/view.php?id=CVE-2024-34062
tqdm is an open source progress bar for Python and CLI. Any optional non-boolean CLI arguments (e.g. `--delim`, `--buf-size`, `--manpath`) are passed through python's `eval`, allowing arbitrary code execution. This issue is only locally exploitable and had been addressed in release version 4.66.3. All users are advised to upgrade. • https://github.com/tqdm/tqdm/commit/4e613f84ed2ae029559f539464df83fa91feb316 https://github.com/tqdm/tqdm/security/advisories/GHSA-g7vv-2v7x-gj9p https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PA3GIGHPWAHCTT4UF57LTPZGWHAX3GW6 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QRECVQCCESHBS3UJOWNXQUIX725TKNY6 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VA337CYUS4SLRFV2P6MX6MZ2LKFURKJC • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 0CVE-2016-10075
https://notcve.org/view.php?id=CVE-2016-10075
The tqdm._version module in tqdm versions 4.4.1 and 4.10 allows local users to execute arbitrary code via a crafted repo with a malicious git log in the current working directory. El módulo tqdm._version en tqdm en versiones 4.4.1 y 4.10 permite a usuarios locales ejecutar código arbitrario a través de un repo manipulado con un registro git malicioso en el directorio de trabajo actual. • http://www.openwall.com/lists/oss-security/2016/12/28/8 http://www.securityfocus.com/bid/95143 https://github.com/tqdm/tqdm/issues/328 https://security.gentoo.org/glsa/201807-01 • CWE-17: DEPRECATED: Code •