LOW 3.9
GHSA-g7vv-2v7x-gj9p
tqdm CLI arguments injection attack
상세
### Impact Any optional non-boolean CLI arguments (e.g. `--delim`, `--buf-size`, `--manpath`) are passed through python's `eval`, allowing arbitrary code execution. Example:
```sh python -m tqdm --manpath="\" + str(exec(\"import os\nos.system('echo hi && killall python3')\")) + \"" ```
### Patches https://github.com/tqdm/tqdm/commit/4e613f84ed2ae029559f539464df83fa91feb316 released in `tqdm>=4.66.3`
### Workarounds None
### References - https://github.com/tqdm/tqdm/releases/tag/v4.66.3
이 버전이 영향받나요?
사용 중인 패키지 버전을 입력하면 즉시 평가합니다.
영향 패키지
참고
- https://github.com/tqdm/tqdm/security/advisories/GHSA-g7vv-2v7x-gj9p [WEB]
- https://nvd.nist.gov/vuln/detail/CVE-2024-34062 [ADVISORY]
- https://github.com/tqdm/tqdm/commit/4e613f84ed2ae029559f539464df83fa91feb316 [WEB]
- https://github.com/tqdm/tqdm [PACKAGE]
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PA3GIGHPWAHCTT4UF57LTPZGWHAX3GW6 [WEB]
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QRECVQCCESHBS3UJOWNXQUIX725TKNY6 [WEB]
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VA337CYUS4SLRFV2P6MX6MZ2LKFURKJC [WEB]