CVSS3

Metric | Value |
---|---|
Attack Vector | LOCAL |
Attack Complexity | LOW |
Privileges Required | LOW |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | HIGH |
Integrity Impact | HIGH |
Availability Impact | NONE |

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

AI Score confidence: High
EPSS percentile: 17.1%

On Windows a directory returned by tempfile.mkdtemp() would not always have
permissions set to restrict reading and writing to the temporary directory
by other users, instead usually inheriting the correct permissions from the
default location. Alternate configurations or users without a profile
directory may not have the intended permissions. If you're not using
Windows or haven't changed the temporary directory location then you aren't
affected by this vulnerability. On other platforms the returned directory
is consistently readable and writable only by the current user. This issue
was caused by Python not supporting Unix permissions on Windows. The fix
adds support for Unix "700" for the mkdir function on Windows which is used
by mkdtemp() to ensure the newly created directory has the proper
permissions.
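
One way to check a host for the condition described above, as an added example that is not part of the original advisory or of CPython: it creates a directory with tempfile.mkdtemp() and reports any principal other than the current user that holds an access entry on it, using `icacls` on Windows and the mode bits elsewhere. The trusted principal set, the `DOMAIN\user` name built from `USERDOMAIN`/`USERNAME`, English `icacls` output and the sample text are assumptions made for illustration.

```python
import os
import subprocess
import tempfile

# Assumption: besides the current user, only these principals may hold an ACE.
TRUSTED = {"nt authority\\system", "builtin\\administrators", "owner rights"}

# Constructed sample of `icacls` output for a directory with inherited (I) ACEs.
SAMPLE_PATH = r"D:\scratch\tmpab12cd34"
SAMPLE_ICACLS = r"""D:\scratch\tmpab12cd34 BUILTIN\Administrators:(I)(OI)(CI)(F)
                       NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(M)
                       BUILTIN\Users:(I)(OI)(CI)(RX)

Successfully processed 1 files; Failed processing 0 files
"""

def parse_icacls(output, path):
    """Map each principal in `icacls <path>` output to its ACE flag strings."""
    aces = {}
    for line in output.splitlines():
        line = line.strip()
        if line.startswith(path):      # the first ACE shares a line with the path
            line = line[len(path):].strip()
        if ":(" not in line:           # blank line or the summary trailer
            continue
        principal, flags = line.split(":(", 1)
        aces.setdefault(principal, []).append("(" + flags)
    return aces

def unexpected_principals(output, path, current_user):
    """Principals holding any ACE that are neither trusted nor the current user."""
    allowed = TRUSTED | {current_user.lower()}
    return sorted(p for p in parse_icacls(output, path) if p.lower() not in allowed)

def audit_new_tempdir():
    """Create a directory with mkdtemp() and list findings; [] means private."""
    path = tempfile.mkdtemp()
    try:
        if os.name == "nt":
            out = subprocess.run(["icacls", path], capture_output=True, text=True, check=True).stdout
            user = os.environ.get("USERDOMAIN", "") + "\\" + os.environ.get("USERNAME", "")
            return unexpected_principals(out, path, user)
        mode = os.stat(path).st_mode & 0o777
        return [] if mode & 0o077 == 0 else ["mode " + oct(mode)]
    finally:
        os.rmdir(path)

if __name__ == "__main__":
    print(audit_new_tempdir() or "private")
```

Run it under the same account and temporary directory setting (TMPDIR, TEMP or TMP) that the application uses, since the advisory ties the exposure to a non-default temporary location.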
Author | Note |
---|---|
rodrigo-zaiden | only affects python in Windows |
github.com/python/cpython/commit/81939dad77001556c527485d31a2d0f4a759033e
github.com/python/cpython/commit/8ed546679524140d8282175411fd141fe7df070d
launchpad.net/bugs/cve/CVE-2024-4030
mail.python.org/archives/list/[email protected]/thread/PRGS5OR3N3PNPT4BMV2VAGN5GMUI5636/
nvd.nist.gov/vuln/detail/CVE-2024-4030
security-tracker.debian.org/tracker/CVE-2024-4030
www.cve.org/CVERecord?id=CVE-2024-4030