GHSA-g7vv-2v7x-gj9p
- Source
- https://github.com/advisories/GHSA-g7vv-2v7x-gj9p
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-g7vv-2v7x-gj9p/GHSA-g7vv-2v7x-gj9p.json
- Aliases
-
- CVE-2024-34062
- Published
- 2024-05-03T19:33:28Z
- Modified
- 2024-05-03T19:56:54.031527Z
- Summary
- tqdm CLI arguments injection attack
- Details
-
Impact
Any optional non-boolean CLI arguments (e.g.
--delim,--buf-size,--manpath) are passed through python'seval, allowing arbitrary code execution. Example:python -m tqdm --manpath="\" + str(exec(\"import os\nos.system('echo hi && killall python3')\")) + \""Patches
https://github.com/tqdm/tqdm/commit/4e613f84ed2ae029559f539464df83fa91feb316 released in
tqdm>=4.66.3Workarounds
None
References
- https://github.com/tqdm/tqdm/releases/tag/v4.66.3
- References
Affected packages
PyPI / tqdm
Package
- Name
- tqdm
Affected versions
4.*
4.4.0
4.4.1
4.4.3
4.5.0
4.5.2
4.6.1
4.6.2
4.7.0
4.7.1
4.7.2
4.7.4
4.7.6
4.8.1
4.8.2
4.8.3
4.8.4
4.9.0
4.10.0
4.11.0
4.11.1
4.11.2
4.12.0
4.13.0
4.14.0
4.15.0
4.16.0
4.17.0
4.17.1
4.18.0
4.19.1
4.19.1.post1
4.19.2
4.19.4
4.19.5
4.19.6
4.19.7
4.19.8
4.19.9
4.20.0
4.21.0
4.22.0
4.23.0
4.23.1
4.23.2
4.23.3
4.23.4
4.24.0
4.25.0
4.26.0
4.27.0
4.28.0
4.28.1
4.29.0
4.29.1
4.30.0
4.31.0
4.31.1
4.32.0
4.32.1
4.32.2
4.33.0
4.34.0
4.35.0
4.36.0
4.36.1
4.37.0
4.38.0
4.39.0
4.40.0
4.40.1
4.40.2
4.41.0
4.41.1
4.42.0
4.42.1
4.43.0
4.44.0
4.44.1
4.45.0
4.46.0
4.46.1
4.47.0
4.48.0
4.48.1
4.48.2
4.49.0
4.50.0
4.50.1
4.50.2
4.51.0
4.52.0
4.53.0
4.54.0
4.54.1
4.55.0
4.55.1
4.55.2
4.56.0
4.56.1
4.56.2
4.57.0
4.58.0
4.59.0
4.60.0
4.61.0
4.61.1
4.61.2
4.62.0
4.62.1
4.62.2
4.62.3
4.63.0
4.63.1
4.63.2
4.64.0
4.64.1
4.65.0
4.65.1
4.65.2
4.66.0
4.66.1
4.66.2