CVE-2023-49797

Severity: HIGH 8.8 | EPSS 0.05%

Local Privilege Escalation in Windows

Published: 2023/12/9, modified: 2024/11/22
Also known as: GHSA-9w2p-rh8c-v9g5, PYSEC-2023-292

Description

### Impact

A PyInstaller-built application, running as a privileged process, may be tricked by an unprivileged attacker into deleting files the unprivileged user does not otherwise have access to. A user is affected if **all** of the following are satisfied:

* The user runs an application containing either `matplotlib` or `win32com`.
* The application is run as administrator (or at least as a user with higher privileges than the attacker).
* The user's temporary directory is not locked to that specific user (most likely because the `TMP`/`TEMP` environment variables point to an unprotected, arbitrary, non-default location).
* Either:
  - The attacker is able to very carefully time the replacement of a temporary file with a symlink. This switch must occur exactly between [`shutil.rmtree()`'s built-in symlink check](https://github.com/python/cpython/blob/0fb18b02c8ad56299d6a2910be0bab8ad601ef24/Lib/shutil.py#L623) and the deletion itself, or
  - The application was built with Python 3.7.x or earlier, which has no protection against directory junction links.

### Patches

The vulnerability has been addressed in https://github.com/pyinstaller/pyinstaller/pull/7827, which corresponds to `pyinstaller >= 5.13.1`.

### Workarounds

_Is there a way for users to fix or remediate the vulnerability without upgrading?_

No workaround, although the attack complexity becomes much higher if the application is built with Python >= 3.8.0.
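The third precondition above (a temporary directory that is not private to the user) is the one a deployer can check for. The following is an added example, not PyInstaller's code and not the fix from the linked pull request: a guard that an elevated process can run before it deletes a temporary directory, refusing when the path is a symlink, not a directory, owned by another user, or writable by other users. The names `temp_dir_is_private`, `safe_rmtree` and `demo` are hypothetical, and the ownership and permission-bit checks assume POSIX semantics (on Windows the equivalent question is answered by the directory's ACL, which this example does not inspect). The `os.lstat()` snapshot is taken before the delete, so it narrows but does not close the timing window the advisory describes; the durable mitigations remain a per-user temporary directory and upgrading to `pyinstaller >= 5.13.1`.

```python
import os
import shutil
import stat
import tempfile


def temp_dir_is_private(path: str) -> tuple:
    """Return (ok, reason). ok is True only when path is a real directory (not a
    symlink), owned by the current user, and not writable by group or others.
    Ownership and mode bits are POSIX concepts; on Windows this would need the
    directory's security descriptor instead (not shown here)."""
    try:
        st = os.lstat(path)  # lstat: do not follow a symlink at the top level
    except FileNotFoundError:
        return False, "does not exist"
    if stat.S_ISLNK(st.st_mode):
        return False, "is a symbolic link"
    if not stat.S_ISDIR(st.st_mode):
        return False, "is not a directory"
    if hasattr(os, "getuid") and st.st_uid != os.getuid():
        return False, "owned by another user"
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return False, "writable by group/others"
    return True, "ok"


def safe_rmtree(path: str) -> bool:
    """Delete a temporary directory only after the privacy check passes."""
    ok, reason = temp_dir_is_private(path)
    if not ok:
        raise PermissionError(f"refusing to delete {path}: {reason}")
    shutil.rmtree(path)
    return True


def demo() -> dict:
    """Constructed test fixture: build a private dir, a world-writable dir,
    a symlink and a plain file under a scratch directory, and record the
    verdict the guard gives for each."""
    base = tempfile.mkdtemp(prefix="tmpcheck-")
    results = {}
    try:
        private = tempfile.mkdtemp(dir=base)  # mkdtemp creates the dir with mode 0700
        results["private"] = temp_dir_is_private(private)[1]

        shared = os.path.join(base, "shared")  # mimics an unprotected TMP/TEMP target
        os.mkdir(shared)
        os.chmod(shared, 0o777)
        results["shared"] = temp_dir_is_private(shared)[1]

        link = os.path.join(base, "link")  # a symlink standing in for the temp dir
        os.symlink(private, link)
        results["symlink"] = temp_dir_is_private(link)[1]

        plain = os.path.join(base, "plain.txt")
        with open(plain, "w") as fh:
            fh.write("constructed sample\n")
        results["file"] = temp_dir_is_private(plain)[1]

        results["missing"] = temp_dir_is_private(os.path.join(base, "nope"))[1]

        # The private directory is deleted; the shared one is refused.
        results["deleted"] = safe_rmtree(private) and not os.path.exists(private)
        try:
            safe_rmtree(shared)
            results["refused"] = False
        except PermissionError:
            results["refused"] = True
    finally:
        shutil.rmtree(base)  # the scratch area itself came from mkdtemp (0700)
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Running the module prints one verdict per fixture; in an application, `safe_rmtree` would replace a bare `shutil.rmtree` on the temporary directory, and a refusal should be logged as a signal that `TMP`/`TEMP` points somewhere other users can write.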

Affected packages (2)

CVSS score

| Source | Version | Severity | Vector |
| --- | --- | --- | --- |
| osv | CVSS 3.1 | HIGH 8.8 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |

References (10)