CVE-2024-34062
tqdm CLI arguments injection attack
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
tqdm is an open source progress bar for Python and CLI. Any optional non-boolean CLI arguments (e.g. `--delim`, `--buf-size`, `--manpath`) are passed through python's `eval`, allowing arbitrary code execution. This issue is only locally exploitable and had been addressed in release version 4.66.3. All users are advised to upgrade. There are no known workarounds for this vulnerability.
tqdm es una barra de progreso de código abierto para Python y CLI. Cualquier argumento CLI opcional no booleano (por ejemplo, `--delim`, `--buf-size`, `--manpath`) se pasa a través del `eval` de Python, lo que permite la ejecución de código arbitrario. Este problema solo se puede explotar localmente y se solucionó en la versión 4.66.3. Se recomienda a todos los usuarios que actualicen. No se conocen workarounds para esta vulnerabilidad.
CVSS Scores
SSVC
- Decision:Track*
Timeline
- 2024-04-30 CVE Reserved
- 2024-05-03 CVE Published
- 2024-06-11 EPSS Updated
- 2024-08-02 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CAPEC
References (5)
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Tqdm Search vendor "Tqdm" | Tqdm Search vendor "Tqdm" for product "Tqdm" | >= 4.4.0 < 4.66.3 Search vendor "Tqdm" for product "Tqdm" and version " >= 4.4.0 < 4.66.3" | en |
Affected
| ||||||