CVE-2023-6597UNIX Symbolic Link (Symlink) Following in Software Foundation Cpython

CWE-61UNIX Symbolic Link (Symlink) Following10 documents9 sources
Severity
7.8HIGHNVD
EPSS
0.1%
top 76.96%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Python Software Foundation Cpython
Timeline
PublishedMar 19
Latest updateOct 15

Description

An issue was found in the CPython `tempfile.TemporaryDirectory` class affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior. The tempfile.TemporaryDirectory class would dereference symlinks during cleanup of permissions-related errors. This means users which can run privileged programs are potentially able to modify permissions of files referenced by symlinks in some circumstances.

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:NExploitability: 1.4 | Impact: 5.8

Affected Packages1 packages

CVEListV5python_software_foundation/cpython3.9.03.9.19+5

🔴Vulnerability Details

4
GHSA
GHSA-797f-63wg-8chv: An issue was found in the CPython `tempfile2024-03-19
OSV
CVE-2023-6597: An issue was found in the CPython `tempfile2024-03-19
CVEList
CVE-2023-6597: An issue was found in the CPython `tempfile2024-03-19
OSV
CVE-2023-6597: An issue was found in the CPython `tempfile2024-03-19

📋Vendor Advisories

5
Oracle
Oracle Oracle Communications Risk Matrix: Configuration (Python) — CVE-2023-65972024-10-15
Ubuntu
Python vulnerabilities2024-07-11
Red Hat
python: Path traversal on tempfile.TemporaryDirectory2024-03-19
Microsoft
An issue was found in the CPython `tempfile.TemporaryDirectory` class affecting versions 3.12.1 3.11.7 3.10.13 3.9.18 and 3.8.18 and prior. The tempfile.TemporaryDirectory class would dereference sym2024-03-12
Debian
CVE-2023-6597: pypy3 - An issue was found in the CPython `tempfile.TemporaryDirectory` class affecting ...2023
CVE-2023-6597 — UNIX Symbolic Link (Symlink) Following | cvebase