CVE-2024-4030

tempfile.mkdtemp() may be readable and writeable by all users on Windows

Severity Score

7.1

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track*

*SSVC

Descriptions

On Windows a directory returned by tempfile.mkdtemp() would not always have permissions set to restrict reading and writing to the temporary directory by other users, instead usually inheriting the correct permissions from the default location. Alternate configurations or users without a profile directory may not have the intended permissions.

If you’re not using Windows or haven’t changed the temporary directory location then you aren’t affected by this vulnerability. On other platforms the returned directory is consistently readable and writable only by the current user.

This issue was caused by Python not supporting Unix permissions on Windows. The fix adds support for Unix “700” for the mkdir function on Windows which is used by mkdtemp() to ensure the newly created directory has the proper permissions.

En Windows, un directorio devuelto por tempfile.mkdtemp() no siempre tendría permisos configurados para restringir la lectura y escritura en el directorio temporal por parte de otros usuarios, sino que normalmente heredaría los permisos correctos de la ubicación predeterminada. Es posible que las configuraciones alternativas o los usuarios sin un directorio de perfil no tengan los permisos previstos. Si no está utilizando Windows o no ha cambiado la ubicación del directorio temporal, esta vulnerabilidad no le afecta. En otras plataformas, el directorio devuelto solo el usuario actual puede leerlo y escribirlo constantemente. Este problema se debió a que Python no admite permisos de Unix en Windows. La solución agrega soporte para Unix “700” para la función mkdir en Windows que utiliza mkdtemp() para garantizar que el directorio recién creado tenga los permisos adecuados.

*Credits: Aobo Wang

CVSS Scores

CISAv3.1 7.1

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:Track*

Exploitation

None

Automatable

Tech. Impact

Total

* Organization's Worst-case Scenario

Timeline

2024-04-22 CVE Reserved
2024-05-07 CVE Published
2024-06-14 EPSS Updated
2024-09-07 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-276: Incorrect Default Permissions

CAPEC

CAPEC-1: Accessing Functionality Not Properly Constrained by ACLs

References (15)

URL	Tag	Source
https://github.com/python/cpython/issues/118486	Issue Tracking
https://security.netapp.com/advisory/ntap-20240705-0005

URL	Date	SRC

URL	Date	SRC
https://github.com/python/cpython/commit/35c799d79177b962ddace2fa068101465570a29a	2024-07-03
https://github.com/python/cpython/commit/5130731c9e779b97d00a24f54cdce73ce9975dfd	2024-07-03
https://github.com/python/cpython/commit/66f8bb76a15e64a1bb7688b177ed29e26230fdee	2024-07-03
https://github.com/python/cpython/commit/6d0850c4c8188035643586ab4d8ec2468abd699e	2024-07-03
https://github.com/python/cpython/commit/81939dad77001556c527485d31a2d0f4a759033e	2024-07-03
https://github.com/python/cpython/commit/8ed546679524140d8282175411fd141fe7df070d	2024-07-03
https://github.com/python/cpython/commit/91e3669e01245185569d09e9e6e11641282971ee	2024-07-03
https://github.com/python/cpython/commit/94591dca510c796c7d40e9b4167ea56f2fdf28ca	2024-07-03
https://github.com/python/cpython/commit/c8f868dc52f98011d0f9b459b6487920bfb0ac4d	2024-07-03
https://github.com/python/cpython/commit/d86b49411753bf2c83291e3a14ae43fefded2f84	2024-07-03
https://github.com/python/cpython/commit/e1dfa978b1ad210d551385ad8073ec6154f53763	2024-07-03
https://github.com/python/cpython/commit/eb29e2f5905da93333d1ce78bc98b151e763ff46	2024-07-03

URL	Date	SRC
https://mail.python.org/archives/list/security-announce@python.org/thread/PRGS5OR3N3PNPT4BMV2VAGN5GMUI5636	2024-07-03

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Python Software Foundation Search vendor "Python Software Foundation"		CPython Search vendor "Python Software Foundation" for product "CPython"				< 3.8.20 Search vendor "Python Software Foundation" for product "CPython" and version " < 3.8.20"		en		Affected
Python Software Foundation Search vendor "Python Software Foundation"		CPython Search vendor "Python Software Foundation" for product "CPython"				>= 3.9.0 < 3.9.20 Search vendor "Python Software Foundation" for product "CPython" and version " >= 3.9.0 < 3.9.20"		en		Affected
Python Software Foundation Search vendor "Python Software Foundation"		CPython Search vendor "Python Software Foundation" for product "CPython"				>= 3.10.0 < 3.10.15 Search vendor "Python Software Foundation" for product "CPython" and version " >= 3.10.0 < 3.10.15"		en		Affected
Python Software Foundation Search vendor "Python Software Foundation"		CPython Search vendor "Python Software Foundation" for product "CPython"				>= 3.11.0 < 3.11.10 Search vendor "Python Software Foundation" for product "CPython" and version " >= 3.11.0 < 3.11.10"		en		Affected
Python Software Foundation Search vendor "Python Software Foundation"		CPython Search vendor "Python Software Foundation" for product "CPython"				>= 3.12.0 < 3.12.4 Search vendor "Python Software Foundation" for product "CPython" and version " >= 3.12.0 < 3.12.4"		en		Affected