// For flags

CVE-2008-5983

python: untrusted python modules search path

Severity Score

6.9
*CVSS v2

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

Untrusted search path vulnerability in the PySys_SetArgv API function in Python 2.6 and earlier, and possibly later versions, prepends an empty string to sys.path when the argv[0] argument does not contain a path separator, which might allow local users to execute arbitrary code via a Trojan horse Python file in the current working directory.

Una vulnerabilidad de ruta de búsqueda no confiable en la función API PySys_SetArgv en Python versión 2.6 y anteriores, y posiblemente versiones posteriores, antepone una cadena vacía al archivo sys.path cuando el argumento argv [0] no contiene un separador de ruta, lo que podría permitir a los usuarios locales ejecutar código arbitrario por medio de un archivo Python de tipo caballo de Troya en el directorio de trabajo actual.

*Credits: N/A
CVSS Scores
Attack Vector
Local
Attack Complexity
Medium
Authentication
None
Confidentiality
Complete
Integrity
Complete
Availability
Complete
Attack Vector
Local
Attack Complexity
High
Authentication
None
Confidentiality
Partial
Integrity
Partial
Availability
Partial
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2009-01-27 CVE Reserved
  • 2009-01-28 CVE Published
  • 2023-11-08 EPSS Updated
  • 2024-08-07 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-426: Untrusted Search Path
CAPEC
References (22)
URL Tag Source
http://secunia.com/advisories/34522 Not Applicable
http://secunia.com/advisories/40194 Not Applicable
http://secunia.com/advisories/42888 Not Applicable
http://secunia.com/advisories/50858 Not Applicable
http://secunia.com/advisories/51024 Not Applicable
http://secunia.com/advisories/51040 Not Applicable
http://secunia.com/advisories/51087 Not Applicable
http://www.mail-archive.com/debian-bugs-dist%40lists.debian.org/msg586010.html Mailing List
http://www.nabble.com/Bug-484305%3A-bicyclerepair%3A-bike.vim-imports-untrusted-python-files-from-cwd-td18848099.html Broken Link
http://www.openwall.com/lists/oss-security/2009/01/26/2 Mailing List
http://www.openwall.com/lists/oss-security/2009/01/28/5 Mailing List
http://www.openwall.com/lists/oss-security/2009/01/30/2 Mailing List
URL Date SRC
URL Date SRC
URL Date SRC
http://lists.fedoraproject.org/pipermail/package-announce/2010-June/042751.html 2023-11-07
http://security.gentoo.org/glsa/glsa-200903-41.xml 2023-11-07
http://security.gentoo.org/glsa/glsa-200904-06.xml 2023-11-07
http://www.redhat.com/support/errata/RHSA-2011-0027.html 2023-11-07
http://www.ubuntu.com/usn/USN-1596-1 2023-11-07
http://www.ubuntu.com/usn/USN-1613-1 2023-11-07
http://www.ubuntu.com/usn/USN-1613-2 2023-11-07
http://www.ubuntu.com/usn/USN-1616-1 2023-11-07
https://bugzilla.redhat.com/show_bug.cgi?id=482814 2011-01-13
https://access.redhat.com/security/cve/CVE-2008-5983 2011-01-13
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Python
Search vendor "Python"
 Python
Search vendor "Python" for product "Python"
 < 2.6.6
Search vendor "Python" for product "Python" and version " < 2.6.6"
-
Affected
Python
Search vendor "Python"
 Python
Search vendor "Python" for product "Python"
 >= 3.1.0 < 3.1.3
Search vendor "Python" for product "Python" and version " >= 3.1.0 < 3.1.3"
-
Affected
Fedoraproject
Search vendor "Fedoraproject"
 Fedora
Search vendor "Fedoraproject" for product "Fedora"
 13
Search vendor "Fedoraproject" for product "Fedora" and version "13"
-
Affected
Canonical
Search vendor "Canonical"
 Ubuntu Linux
Search vendor "Canonical" for product "Ubuntu Linux"
 8.04
Search vendor "Canonical" for product "Ubuntu Linux" and version "8.04"
-
Affected
Canonical
Search vendor "Canonical"
 Ubuntu Linux
Search vendor "Canonical" for product "Ubuntu Linux"
 10.04
Search vendor "Canonical" for product "Ubuntu Linux" and version "10.04"
-
Affected
Canonical
Search vendor "Canonical"
 Ubuntu Linux
Search vendor "Canonical" for product "Ubuntu Linux"
 11.04
Search vendor "Canonical" for product "Ubuntu Linux" and version "11.04"
-
Affected
Canonical
Search vendor "Canonical"
 Ubuntu Linux
Search vendor "Canonical" for product "Ubuntu Linux"
 11.10
Search vendor "Canonical" for product "Ubuntu Linux" and version "11.10"
-
Affected