// For flags

CVE-2019-13404

 

Severity Score

7.8
*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

1
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

The MSI installer for Python through 2.7.16 on Windows defaults to the C:\Python27 directory, which makes it easier for local users to deploy Trojan horse code. (This also affects old 3.x releases before 3.5.) NOTE: the vendor's position is that it is the user's responsibility to ensure C:\Python27 access control or choose a different directory, because backwards compatibility requires that C:\Python27 remain the default for 2.7.x

** EN DISPUTA ** El instalador de MSI para Python mediante la versión 2.7.16 en Windows utiliza por defecto el directorio C: \ Python27, lo que facilita que los usuarios locales implementen el código Trojan Horse. (Esto también afecta a las versiones anteriores de la versión 3.x anteriores a la 3.5). NOTA: la posición del proveedor es que es responsabilidad del usuario garantizar el control de acceso C: \ Python27 o elegir un directorio diferente, ya que la compatibilidad con versiones anteriores requiere que C: \ Python27 siga siendo el por defecto para 2.7.x.

*Credits: N/A
CVSS Scores
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Network
Attack Complexity
Medium
Authentication
None
Confidentiality
Complete
Integrity
Complete
Availability
Complete
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2019-07-07 CVE Reserved
  • 2019-07-08 CVE Published
  • 2020-01-01 First Exploit
  • 2023-03-08 EPSS Updated
  • 2024-08-04 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-552: Files or Directories Accessible to External Parties
CAPEC
References (2)
URL Tag Source
URL Date SRC
https://github.com/alidnf/CVE-2019-13404 2020-01-01
URL Date SRC
URL Date SRC
https://docs.python.org/2/faq/windows.html 2024-05-17
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Python
Search vendor "Python"
 Python
Search vendor "Python" for product "Python"
 <= 2.7.16
Search vendor "Python" for product "Python" and version " <= 2.7.16"
-
Affected
in Microsoft
Search vendor "Microsoft"
 Windows
Search vendor "Microsoft" for product "Windows"
--
Safe
Python
Search vendor "Python"
 Python
Search vendor "Python" for product "Python"
 >= 3.0.0 < 3.5.0
Search vendor "Python" for product "Python" and version " >= 3.0.0 < 3.5.0"
-
Affected
in Microsoft
Search vendor "Microsoft"
 Windows
Search vendor "Microsoft" for product "Windows"
--
Safe