← Back

CVE-2022-26488

nvd nist
Published: Mar 10, 2022Modified: Nov 21, 2024

JSON object

Loading...
7.0
Vector
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 1.0 / Impact: 5.9
Source: NVD

Description

In Python before 3.10.3 on Windows, local users can gain privileges because the search path is inadequately secured. The installer may allow a local attacker to add user-writable directories to the system search path. To exploit, an administrator must have installed Python for all users and enabled PATH entries. A non-administrative user can trigger a repair that incorrectly adds user-writable paths into PATH, enabling search-path hijacking of other users and system services. This affects Python (CPython) through 3.7.12, 3.8.x through 3.8.12, 3.9.x through 3.9.10, and 3.10.x through 3.10.2.

Affected (12)

Python
1 product
Python
Netapp
2 products
Active Iq Unified Manager
Ontap Select Deploy Administration Utility
Configuration A
10 vulnerable · 1 platform
Vulnerable SoftwareAffected Versions
Python
Python
Up to 3.7.12
Python
From 3.10.0 to 3.10.2
Python
From 3.8.0 to 3.8.12
Python
From 3.9.0 to 3.9.10
Python
Version 3.11.0 alpha1
Python
Version 3.11.0 alpha2
Python
Version 3.11.0 alpha3
Python
Version 3.11.0 alpha4
Python
Version 3.11.0 alpha5
Python
Version 3.11.0 alpha6
Running on/withPlatform Versions
Microsoft
Windows
All versions
Configuration B
2 vulnerable
Vulnerable SoftwareAffected Versions
Active Iq Unified Manager
All versions
Ontap Select Deploy Administration Utility
All versions

Related CWEs

CWE-426
Untrusted Search Path
The product searches for critical resources using an externally-supplied search path that can point to resources that are not under the product's direct control.

References (4)

Source: cve@mitre.org
Source: cve@mitre.org
Third Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory

Timeline

No history available yet.