CVE-2022-26488

In Python before 3.10.3 on Windows, local users can gain privileges because the search path is inadequately secured. The installer may allow a local attacker to add user-writable directories to the system search path. Exploitation requires that an administrator has installed Python for all users and enabled PATH entries. A non-administrative user can then trigger a repair that incorrectly adds user-writable paths to PATH, enabling search-path hijacking of other users and system services. This affects Python (CPython) through 3.7.12, 3.8.x through 3.8.12, 3.9.x through 3.9.10, and 3.10.x through 3.10.2.

Configurations

Configuration 1

AND
OR cpe:2.3:a:python:python:*:*:*:*:*:*:*:*
cpe:2.3:a:python:python:*:*:*:*:*:*:*:*
cpe:2.3:a:python:python:*:*:*:*:*:*:*:*
cpe:2.3:a:python:python:*:*:*:*:*:*:*:*
cpe:2.3:a:python:python:3.11.0:alpha1:*:*:*:*:*:*
cpe:2.3:a:python:python:3.11.0:alpha2:*:*:*:*:*:*
cpe:2.3:a:python:python:3.11.0:alpha3:*:*:*:*:*:*
cpe:2.3:a:python:python:3.11.0:alpha4:*:*:*:*:*:*
cpe:2.3:a:python:python:3.11.0:alpha5:*:*:*:*:*:*
cpe:2.3:a:python:python:3.11.0:alpha6:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*

Configuration 2

OR cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*
cpe:2.3:a:netapp:ontap_select_deploy_administration_utility:-:*:*:*:*:*:*:*

History

07 Nov 2023, 03:45

Type: References
  • Values Removed: https://mail.python.org/archives/list/security-announce@python.org/thread/657Z4XULWZNIY5FRP3OWXHYKUSIH6DMN/ (tags: Patch, Vendor Advisory; refsource: MISC)
  • Values Added: https://mail.python.org/archives/list/security-announce%40python.org/thread/657Z4XULWZNIY5FRP3OWXHYKUSIH6DMN/

Information

Published : 2022-03-10 17:47

Updated : 2024-02-28 19:09


NVD link : CVE-2022-26488

Mitre link : CVE-2022-26488

CVE.ORG link : CVE-2022-26488



Products Affected

python

  • python

microsoft

  • windows

netapp

  • ontap_select_deploy_administration_utility
  • active_iq_unified_manager

CWE
CWE-426

Untrusted Search Path