CVE-2016-10075 - The tqdm._version module in tqdm versions 4.4.1 and 4.10 allows local users to execute arbitrary cod

CVE-2016-10075

Summary

The tqdm._version module in tqdm versions 4.4.1 and 4.10 allows local users to execute arbitrary code via a crafted repo with a malicious git log in the current working directory.

References

http://www.openwall.com/lists/oss-security/2016/12/28/8
http://www.securityfocus.com/bid/95143
https://github.com/tqdm/tqdm/issues/328
https://security.gentoo.org/glsa/201807-01

Vulnerable Configurations

cpe:2.3:a:tqdm_project:tqdm:4.4.1:*:*:*:*:*:*:*
cpe:2.3:a:tqdm_project:tqdm:4.4.1:*:*:*:*:*:*:*
cpe:2.3:a:tqdm_project:tqdm:4.10:*:*:*:*:*:*:*
cpe:2.3:a:tqdm_project:tqdm:4.10:*:*:*:*:*:*:*

CVSS

Base:	4.6 (as of 21-10-2018 - 10:29)
Impact:
Exploitability:

CWE

CWE-17

CAPEC

Access

Vector	Complexity	Authentication
LOCAL	LOW	NONE

Impact

Confidentiality	Integrity	Availability
PARTIAL	PARTIAL	PARTIAL

cvss-vector via4

AV:L/AC:L/Au:N/C:P/I:P/A:P

refmap via4

bid	95143
gentoo	GLSA-201807-01
misc	https://github.com/tqdm/tqdm/issues/328
mlist	[oss-security] 20161228 Re: tqdm: insecure use of git

Last major update

21-10-2018 - 10:29

Published

19-01-2017 - 20:59

Last modified

21-10-2018 - 10:29