CVE-2023-49797

{"id": "CVE-2023-49797", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 2.0}]}, "published": "2023-12-09T01:15:07.333", "references": [{"url": "https://github.com/pyinstaller/pyinstaller/pull/7827", "tags": ["Issue Tracking", "Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/pyinstaller/pyinstaller/security/advisories/GHSA-9w2p-rh8c-v9g5", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/python/cpython/blob/0fb18b02c8ad56299d6a2910be0bab8ad601ef24/Lib/shutil.py#L623", "tags": ["Product"], "source": "security-advisories@github.com"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2K2XIQLEMZIKUQUOWNDYWTEWYQTKMAN7/", "source": "security-advisories@github.com"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ISRWT34FAF23PUOLVZ7RVWBZMWPDR5U7/", "source": "security-advisories@github.com"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-732"}]}, {"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-379"}, {"lang": "en", "value": "CWE-732"}]}], "descriptions": [{"lang": "en", "value": "PyInstaller bundles a Python application and all its dependencies into a single package. A PyInstaller built application, elevated as a privileged process, may be tricked by an unprivileged attacker into deleting files the unprivileged user does not otherwise have access to. A user is affected if **all** the following are satisfied: 1. The user runs an application containing either `matplotlib` or `win32com`. 2. The application is ran as administrator (or at least a user with higher privileges than the attacker). 3. The user's temporary directory is not locked to that specific user (most likely due to `TMP`/`TEMP` environment variables pointing to an unprotected, arbitrary, non default location). Either: A. The attacker is able to very carefully time the replacement of a temporary file with a symlink. This switch must occur exactly between `shutil.rmtree()`'s builtin symlink check and the deletion itself B: The application was built with Python 3.7.x or earlier which has no protection against Directory Junctions links. The vulnerability has been addressed in PR #7827 which corresponds to `pyinstaller >= 5.13.1`. Users are advised to upgrade. There are no known workarounds for this vulnerability."}, {"lang": "es", "value": "PyInstaller agrupa una aplicaci\u00f3n Python y todas sus dependencias en un solo paquete. Una aplicaci\u00f3n creada por PyInstaller, elevada como proceso privilegiado, puede ser enga\u00f1ada por un atacante sin privilegios para que elimine archivos a los que el usuario sin privilegios no tendr\u00eda acceso de otro modo. Un usuario se ve afectado si se cumplen **todos** los siguientes requisitos: 1. El usuario ejecuta una aplicaci\u00f3n que contiene `matplotlib` o `win32com`. 2. La aplicaci\u00f3n se ejecuta como administrador (o al menos como usuario con mayores privilegios que el atacante). 3. El directorio temporal del usuario no est\u00e1 bloqueado para ese usuario espec\u00edfico (muy probablemente debido a que las variables de entorno `TMP`/`TEMP` apuntan a una ubicaci\u00f3n desprotegida, arbitraria y no predeterminada). Ya sea: A. El atacante puede programar con mucho cuidado el reemplazo de un archivo temporal con un enlace simb\u00f3lico. Este cambio debe ocurrir exactamente entre la verificaci\u00f3n de enlace simb\u00f3lico incorporada de `shutil.rmtree()` y la eliminaci\u00f3n misma. B: La aplicaci\u00f3n fue creada con Python 3.7.x o anterior, que no tiene protecci\u00f3n contra enlaces de Directory Junctions. La vulnerabilidad se abord\u00f3 en el PR #7827 que corresponde a `pyinstaller >= 5.13.1`. Se recomienda a los usuarios que actualicen. No se conocen workarounds para esta vulnerabilidad."}], "lastModified": "2023-12-19T04:15:07.343", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:pyinstaller:pyinstaller:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "12311895-0D5B-4D34-8397-22258C6474DB", "versionEndExcluding": "5.13.1"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}