CVSS3: 4.8 Medium
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: LOW
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L
AI Score: 7.6 High (Confidence: High)
EPSS: 0.0004 Low (Percentile: 15.8%)
tqdm is vulnerable to Code Injection. The vulnerability is due to the handling of optional non-boolean CLI arguments such as --delim, --buf-size and --manpath, whose values are passed through Python's eval function without proper sanitization. An attacker can execute arbitrary code by injecting malicious input into these arguments.
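The pattern behind this advisory, shown as an added example (not tqdm's own code; the option names and the parse_options/cast_unsafe/cast_safe functions are a constructed stand-in): evaluating a non-boolean option value with eval executes any expression the caller supplies, whereas ast.literal_eval only accepts Python literals and refuses everything else.

```python
import ast

# Constructed, minimal stand-in for a CLI that takes --name=value options
# such as --delim, --buf-size and --manpath (hypothetical, not tqdm's parser).


def cast_unsafe(value: str):
    """Vulnerable pattern: the option value is evaluated as Python code."""
    return eval(value)  # runs arbitrary code if the value is attacker-controlled


def cast_safe(value: str):
    """Hardened pattern: only literals (str, int, float, tuple, ...) are accepted."""
    try:
        return ast.literal_eval(value)
    except (ValueError, SyntaxError) as exc:
        # Anything that is not a plain literal (calls, operators, names) ends here.
        raise ValueError(f"option value is not a literal: {value!r}") from exc


def safe_to_cast(value: str) -> bool:
    """True if the hardened cast accepts the value, False if it rejects it."""
    try:
        cast_safe(value)
    except ValueError:
        return False
    return True


def parse_options(argv, cast=cast_safe):
    """Collect --name=value arguments into a dict, converting each value with `cast`."""
    opts = {}
    for arg in argv:
        if not arg.startswith("--") or "=" not in arg:
            continue
        name, _, raw = arg[2:].partition("=")
        opts[name] = cast(raw)
    return opts


if __name__ == "__main__":
    args = ["--delim=','", "--buf-size=256"]
    print(parse_options(args))                    # literals pass under both casts
    print(parse_options(["--buf-size=2**8"], cast=cast_unsafe))  # eval computes 256
    print(safe_to_cast("2**8"))                   # literal_eval refuses an expression
```

The contrast is the whole point: eval turns "2**8" into 256 because it executes the expression, and it would execute any other expression just as readily; literal_eval returns only values that were spelled out as literals.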
github.com/tqdm/tqdm/commit/4e613f84ed2ae029559f539464df83fa91feb316
github.com/tqdm/tqdm/security/advisories/GHSA-g7vv-2v7x-gj9p
lists.fedoraproject.org/archives/list/[email protected]/message/PA3GIGHPWAHCTT4UF57LTPZGWHAX3GW6/
lists.fedoraproject.org/archives/list/[email protected]/message/QRECVQCCESHBS3UJOWNXQUIX725TKNY6/
lists.fedoraproject.org/archives/list/[email protected]/message/VA337CYUS4SLRFV2P6MX6MZ2LKFURKJC/