CVE-2024-34062

tqdm CLI arguments injection attack

Severity Score

4.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track*

*SSVC

Descriptions

tqdm is an open source progress bar for Python and CLI. Any optional non-boolean CLI arguments (e.g. `--delim`, `--buf-size`, `--manpath`) are passed through python's `eval`, allowing arbitrary code execution. This issue is only locally exploitable and had been addressed in release version 4.66.3. All users are advised to upgrade. There are no known workarounds for this vulnerability.

tqdm es una barra de progreso de código abierto para Python y CLI. Cualquier argumento CLI opcional no booleano (por ejemplo, `--delim`, `--buf-size`, `--manpath`) se pasa a través del `eval` de Python, lo que permite la ejecución de código arbitrario. Este problema solo se puede explotar localmente y se solucionó en la versión 4.66.3. Se recomienda a todos los usuarios que actualicen. No se conocen workarounds para esta vulnerabilidad.

It was discovered that tqdm did not properly sanitize non-boolean CLI Arguments. A local attacker could possibly use this issue to execute arbitrary code on the host. This issue only affected Ubuntu 22.04 LTS and Ubuntu 24.04 LTS.

*Credits: N/A

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

Low

Attack Vector

Local

Attack Complexity

Low

Authentication

Single

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:Track*

Exploitation

None

Automatable

Tech. Impact

Total

* Organization's Worst-case Scenario

Timeline

2024-04-30 CVE Reserved
2024-05-03 CVE Published
2024-06-11 EPSS Updated
2025-02-13 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CAPEC

References (5)

URL	Tag	Source
https://github.com/tqdm/tqdm/commit/4e613f84ed2ae029559f539464df83fa91feb316	X_refsource_misc
https://github.com/tqdm/tqdm/security/advisories/GHSA-g7vv-2v7x-gj9p	X_refsource_confirm
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PA3GIGHPWAHCTT4UF57LTPZGWHAX3GW6
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QRECVQCCESHBS3UJOWNXQUIX725TKNY6
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VA337CYUS4SLRFV2P6MX6MZ2LKFURKJC

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Tqdm Search vendor "Tqdm"		Tqdm Search vendor "Tqdm" for product "Tqdm"				>= 4.4.0 < 4.66.3 Search vendor "Tqdm" for product "Tqdm" and version " >= 4.4.0 < 4.66.3"		en		Affected