Potential Security Risk in CPython's tempfile.TemporaryDirectory Class
CVE-2023-6597
7.8 HIGH
What is CVE-2023-6597?
A vulnerability exists in the tempfile.TemporaryDirectory class of CPython that can be exploited by privileged users. During the cleanup process, the class erroneously dereferences symbolic links, leading to potential modification of file permissions for files that are referenced by these links. This issue affects multiple versions of CPython, potentially exposing sensitive data or system files to unauthorized access under specific conditions. Users running software that relies on these versions are encouraged to apply patches to mitigate the risk.
Affected Version(s)
CPython 0 < 3.8.19
CPython 3.9.0 < 3.9.19
CPython 3.10.0 < 3.10.14
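
An added example (not code from CPython or from this advisory): it checks an interpreter version against the ranges listed above, and contrasts a permission reset that follows symbolic links with a hardened one that does not. The function names, the 0o700 mode and the scratch-directory scenario are assumptions made for illustration.

```python
import os
import stat
import sys
from tempfile import TemporaryDirectory

# Ranges as listed on this page only: (first affected, first fixed).
AFFECTED = [((0,), (3, 8, 19)), ((3, 9, 0), (3, 9, 19)), ((3, 10, 0), (3, 10, 14))]


def is_affected(version=None):
    """True if a CPython (major, minor, micro) falls in a range listed above."""
    v = tuple(version or sys.version_info[:3])
    return any(low <= v < fixed for low, fixed in AFFECTED)


def chmod_following(path, mode):
    """Flawed cleanup pattern: os.chmod resolves a symlink and alters its target."""
    os.chmod(path, mode)


def chmod_no_follow(path, mode):
    """Hardened pattern: a link is changed in place or skipped, never followed."""
    if os.chmod in os.supports_follow_symlinks:
        try:
            os.chmod(path, mode, follow_symlinks=False)  # acts on the link itself
            return
        except NotImplementedError:
            pass  # platform advertises the flag but cannot honour it
    if not os.path.islink(path):
        os.chmod(path, mode)  # not a link, safe to change


def target_mode_after(chmod_func):
    """Constructed scenario: returns an outside file's mode after a cleanup-style chmod."""
    with TemporaryDirectory() as outside, TemporaryDirectory() as scratch:
        target = os.path.join(outside, "protected.txt")
        with open(target, "w") as f:
            f.write("constructed sample\n")
        os.chmod(target, 0o400)
        link = os.path.join(scratch, "link")
        os.symlink(target, link)  # link inside the directory being cleaned up
        chmod_func(link, 0o700)  # illustrative mode for a permission-fixing cleanup
        return stat.S_IMODE(os.stat(target).st_mode)


if __name__ == "__main__":
    print("interpreter in a listed range:", is_affected())
    print("following chmod leaves target at", oct(target_mode_after(chmod_following)))
    print("no-follow chmod leaves target at", oct(target_mode_after(chmod_no_follow)))
```

Where the platform cannot change a link's own mode, the fallback relies on a check made before the call, so it is only as strong as the control the caller has over the directory between the check and the chmod.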