pyinstaller is vulnerable to privilege escalation. When the library is used for Windows software in ‘onefile’ mode by a privileged user with the default “TempPath” of C:\Windows\Temp, the function _wmkdir() does not enforce restricted permissions on Windows. The vulnerability is exploitable only when the software is (re)started after the attacker launches the exploit program.
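A startup self-check for the three preconditions named above (onefile mode, privileged user, unpack directory under C:\Windows\Temp), as an added example that is not pyinstaller's own code. It assumes the bootloader exposes the unpack directory as sys._MEIPASS and names it _MEI<random> in onefile mode; the function names and the use of IsUserAnAdmin for privilege detection are choices made for this example.

```python
import ntpath
import sys

# Default "TempPath" named in the advisory; extend with other shared temp dirs.
SHARED_TEMP_DIRS = (r"C:\Windows\Temp",)


def is_under(path, parent):
    """True if `path` is `parent` or lies below it (Windows path semantics)."""
    p = ntpath.normcase(ntpath.normpath(path))
    base = ntpath.normcase(ntpath.normpath(parent))
    try:
        return ntpath.commonpath([p, base]) == base
    except ValueError:  # different drives, or mixed absolute/relative paths
        return False


def assess(extract_dir, privileged, shared_dirs=SHARED_TEMP_DIRS):
    """Return a finding string if all three preconditions hold, else None."""
    if not extract_dir:
        return None  # not a frozen process
    # Assumption: onefile bootloaders unpack into a directory named _MEI<random>.
    name = ntpath.basename(ntpath.normpath(extract_dir))
    if not name.upper().startswith("_MEI"):
        return None  # onedir layout or unrelated path
    if not privileged:
        return None
    for shared in shared_dirs:
        if is_under(extract_dir, shared):
            return f"privileged onefile app unpacked under {shared}: {extract_dir}"
    return None


def current_process_finding():
    """Evaluate the running process; privilege detection is Windows-only."""
    extract_dir = getattr(sys, "_MEIPASS", None)
    privileged = False
    if sys.platform == "win32":
        import ctypes
        privileged = bool(ctypes.windll.shell32.IsUserAnAdmin())
    return assess(extract_dir, privileged)


if __name__ == "__main__":
    print(current_process_finding() or "no exposure detected")
```

Calling current_process_finding() early in a frozen application lets it log or refuse to continue when it has been unpacked into the affected location.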