CVE-2022-26488

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2022-26488
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-26488.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-26488
Aliases
Downstream
Published
2022-03-10T17:47:45.383Z
Modified
2026-03-14T11:39:24.269611Z
Severity
  • 7.0 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

In Python before 3.10.3 on Windows, local users can gain privileges because the search path is inadequately secured. The installer may allow a local attacker to add user-writable directories to the system search path. To exploit, an administrator must have installed Python for all users and enabled PATH entries. A non-administrative user can trigger a repair that incorrectly adds user-writable paths into PATH, enabling search-path hijacking of other users and system services. This affects Python (CPython) through 3.7.12, 3.8.x through 3.8.12, 3.9.x through 3.9.10, and 3.10.x through 3.10.2.

References

Affected packages

Git / github.com/python/cpython

Affected ranges

Type
GIT
Repo
https://github.com/python/cpython
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
1f97973f630fda109039b2a8c8024a70eb92932f
Introduced
fa919fdf2583bdfead1df00e842f24f30b2a34bf
Last affected
07119dd38c9a6e5da84ca8a0a46acdf8a3e60ecf
Introduced
9cf6752276e6fcfd0c23fdb064ad27f448aaaf75
Last affected
f2f3f537829ab0ef6948be5ee7f46b8ce8213ff2
Introduced
b494f5935c92951e75597bfe1c8b1f3112fec270
Last affected
a58ebcc701dd6c43630df941481475ff0f615a81
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "3.7.12"
        },
        {
            "introduced": "3.8.0"
        },
        {
            "last_affected": "3.8.12"
        },
        {
            "introduced": "3.9.0"
        },
        {
            "last_affected": "3.9.10"
        },
        {
            "introduced": "3.10.0"
        },
        {
            "last_affected": "3.10.2"
        }
    ]
}

Affected versions

v3.*
v3.10.0
v3.10.1
v3.10.2

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-26488.json"
unresolved_ranges 
[
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "3.11.0-alpha1"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "3.11.0-alpha2"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "3.11.0-alpha3"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "3.11.0-alpha4"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "3.11.0-alpha5"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "3.11.0-alpha6"
            }
        ]
    }
]