High Severity Vulnerability
This vulnerability has been rated as High severity. Immediate action is recommended.
CVE-2023-6597
High
Vulnerability Description
An issue was found in the CPython `tempfile.TemporaryDirectory` class affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior.
The `tempfile.TemporaryDirectory` class would dereference symlinks during cleanup of permissions-related errors. This means users who can run privileged programs are potentially able to modify permissions of files referenced by symlinks in some circumstances.
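The bug class described above, as an added illustration (this is not CPython's code or its patch): a permission-reset helper that calls `os.chmod` on a path follows symlinks by default, while a hardened helper refuses to act through a link. The function names and the sandbox layout are assumptions constructed for this example.

```python
import os
import stat
import tempfile


def reset_perms_following_symlinks(path):
    """'Before' form (hypothetical helper): os.chmod resolves a symlink,
    so the mode change lands on whatever the link points at."""
    os.chmod(path, 0o700)


def reset_perms_no_follow(path):
    """Hardened form (hypothetical helper): never change permissions
    through a symlink. Removing a link does not need its target's mode."""
    if os.path.islink(path):
        return False
    os.chmod(path, 0o700)
    return True


def demo():
    """Build a constructed sandbox and return the outside file's mode
    after the hardened helper and after the symlink-following helper."""
    with tempfile.TemporaryDirectory() as sandbox:
        # 'outside.txt' stands in for a file that is not part of the tree
        outside = os.path.join(sandbox, "outside.txt")
        tree = os.path.join(sandbox, "tree")
        os.mkdir(tree)
        with open(outside, "w") as fh:
            fh.write("not part of the temporary tree\n")
        link = os.path.join(tree, "entry")
        os.symlink(outside, link)  # entry inside the tree pointing out of it

        os.chmod(outside, 0o400)
        reset_perms_no_follow(link)
        mode_after_hardened = stat.S_IMODE(os.stat(outside).st_mode)

        reset_perms_following_symlinks(link)
        mode_after_naive = stat.S_IMODE(os.stat(outside).st_mode)
        return mode_after_hardened, mode_after_naive


if __name__ == "__main__":
    hardened, naive = demo()
    print(f"hardened helper left the target at {hardened:o}")
    print(f"symlink-following helper changed the target to {naive:o}")
```
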
CVSS Metrics
Common Vulnerability Scoring System
Vector String:
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
2024-Sep-CVE-2023-6597
CVE-2023-6597: None
2024-Mar-CVE-2023-6597
CVE-2023-6597: An issue was found in the CPython `tempfile.TemporaryDirectory` class affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior. The `tempfile.TemporaryDirectory` class would dereference symlinks during cleanup of permissions-related errors. This means users who can run privileged programs are potentially able to modify permissions of files referenced by symlinks in some circumstances.
CPUJAN2025
Oracle Critical Patch Update Advisory - January 2025
References & Resources
- http://www.openwall.com/lists/oss-security/2024/03/20/5
- https://github.com/python/cpython/commit/02a9259c717738dfe6b463c44d7e17f2b6d2cb3a
- https://github.com/python/cpython/commit/5585334d772b253a01a6730e8202ffb1607c3d25
- https://github.com/python/cpython/commit/6ceb8aeda504b079fef7a57b8d81472f15cdd9a5
- https://github.com/python/cpython/commit/81c16cd94ec38d61aa478b9a452436dc3b1b524d
- https://github.com/python/cpython/commit/8eaeefe49d179ca4908d052745e3bb8b6f238f82
- https://github.com/python/cpython/commit/d54e22a669ae6e987199bb5d2c69bb5a46b0083b
- https://github.com/python/cpython/issues/91133
- https://lists.debian.org/debian-lts-announce/2024/03/msg00025.html
- https://lists.debian.org/debian-lts-announce/2024/11/msg00005.html
- https://lists.debian.org/debian-lts-announce/2024/12/msg00000.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T3IGRX54M7RNCQOXVQO5KQKTGWCOABIM/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U5VHWS52HGD743C47UMCSAK2A773M2YE/
- https://mail.python.org/archives/list/security-announce@python.org/thread/Q5C6ATFC67K53XFV4KE45325S7NS62LD/
Severity Details
Key Information
- Published Date: March 19, 2024
