CVE-2008-5983

medium

Description

Untrusted search path vulnerability in the PySys_SetArgv API function in Python 2.6 and earlier, and possibly later versions, prepends an empty string to sys.path when the argv[0] argument does not contain a path separator, which might allow local users to execute arbitrary code via a Trojan horse Python file in the current working directory.

References

http://lists.fedoraproject.org/pipermail/package-announce/2010-June/042751.html

http://secunia.com/advisories/34522

http://secunia.com/advisories/40194

http://secunia.com/advisories/42888

http://secunia.com/advisories/50858

http://secunia.com/advisories/51024

http://secunia.com/advisories/51040

http://secunia.com/advisories/51087

http://security.gentoo.org/glsa/glsa-200903-41.xml

http://security.gentoo.org/glsa/glsa-200904-06.xml

http://www.mail-archive.com/[email protected]/msg586010.html

http://www.nabble.com/Bug-484305%3A-bicyclerepair%3A-bike.vim-imports-untrusted-python-files-from-cwd-td18848099.html

http://www.openwall.com/lists/oss-security/2009/01/26/2

http://www.openwall.com/lists/oss-security/2009/01/28/5

http://www.openwall.com/lists/oss-security/2009/01/30/2

http://www.redhat.com/support/errata/RHSA-2011-0027.html

http://www.ubuntu.com/usn/USN-1596-1

http://www.ubuntu.com/usn/USN-1613-1

http://www.ubuntu.com/usn/USN-1613-2

http://www.ubuntu.com/usn/USN-1616-1

http://www.vupen.com/english/advisories/2010/1448

http://www.vupen.com/english/advisories/2011/0122

https://bugzilla.redhat.com/show_bug.cgi?id=482814

Details

Source: MITRE

Published: 2009-01-28

Updated: 2013-05-15

Risk Information

CVSS v2

Base Score: 6.9

Vector: AV:L/AC:M/Au:N/C:C/I:C/A:C

Impact Score: 10

Exploitability Score: 3.4

Severity: MEDIUM

Vulnerable Software

Configuration 1

OR

cpe:2.3:a:python_software_foundation:python:1.5.2:*:*:*:*:*:*:*

cpe:2.3:a:python_software_foundation:python:1.6:*:*:*:*:*:*:*

cpe:2.3:a:python_software_foundation:python:1.6.1:*:*:*:*:*:*:*

cpe:2.3:a:python_software_foundation:python:2.0:*:*:*:*:*:*:*

cpe:2.3:a:python_software_foundation:python:2.0.1:*:*:*:*:*:*:*

cpe:2.3:a:python_software_foundation:python:2.1:*:*:*:*:*:*:*

cpe:2.3:a:python_software_foundation:python:2.1.1:*:*:*:*:*:*:*

cpe:2.3:a:python_software_foundation:python:2.1.2:*:*:*:*:*:*:*

cpe:2.3:a:python_software_foundation:python:2.1.3:*:*:*:*:*:*:*

cpe:2.3:a:python_software_foundation:python:2.2:*:*:*:*:*:*:*

cpe:2.3:a:python_software_foundation:python:2.2.1:*:*:*:*:*:*:*

cpe:2.3:a:python_software_foundation:python:2.2.2:*:*:*:*:*:*:*

cpe:2.3:a:python_software_foundation:python:2.2.3:*:*:*:*:*:*:*

cpe:2.3:a:python_software_foundation:python:2.3:*:*:*:*:*:*:*

cpe:2.3:a:python_software_foundation:python:2.3.1:*:*:*:*:*:*:*

cpe:2.3:a:python_software_foundation:python:2.3.2:*:*:*:*:*:*:*

cpe:2.3:a:python_software_foundation:python:2.3.3:*:*:*:*:*:*:*

cpe:2.3:a:python_software_foundation:python:2.3.4:*:*:*:*:*:*:*

cpe:2.3:a:python_software_foundation:python:2.3.5:*:*:*:*:*:*:*

cpe:2.3:a:python_software_foundation:python:2.3.6:*:*:*:*:*:*:*

cpe:2.3:a:python_software_foundation:python:2.3.7:*:*:*:*:*:*:*

cpe:2.3:a:python_software_foundation:python:2.4:*:*:*:*:*:*:*

cpe:2.3:a:python_software_foundation:python:2.4.1:*:*:*:*:*:*:*

cpe:2.3:a:python_software_foundation:python:2.4.2:*:*:*:*:*:*:*

cpe:2.3:a:python_software_foundation:python:2.4.3:*:*:*:*:*:*:*

cpe:2.3:a:python_software_foundation:python:2.4.4:*:*:*:*:*:*:*

cpe:2.3:a:python_software_foundation:python:2.4.5:*:*:*:*:*:*:*

cpe:2.3:a:python_software_foundation:python:2.4.6:*:*:*:*:*:*:*

cpe:2.3:a:python_software_foundation:python:2.5:*:*:*:*:*:*:*

cpe:2.3:a:python_software_foundation:python:2.5.1:*:*:*:*:*:*:*

cpe:2.3:a:python_software_foundation:python:2.5.2:*:*:*:*:*:*:*

cpe:2.3:a:python_software_foundation:python:2.5.4:*:*:*:*:*:*:*

cpe:2.3:a:python_software_foundation:python:*:*:*:*:*:*:*:* versions up to 2.6.0 (inclusive)

Tenable Plugins (14 total)

ID     | Name                                                                                              | Product | Family                                 | Severity
127154 | NewStart CGSL MAIN 5.04 : python Multiple Vulnerabilities (NS-SA-2019-0008)                       | Nessus  | NewStart CGSL Local Security Checks    | high
62700  | Ubuntu 10.04 LTS / 11.04 : python3.1 vulnerabilities (USN-1616-1)                                 | Nessus  | Ubuntu Local Security Checks           | medium
62620  | Ubuntu 8.04 LTS : python2.4 vulnerabilities (USN-1613-2)                                          | Nessus  | Ubuntu Local Security Checks           | medium
62619  | Ubuntu 8.04 LTS : python2.5 vulnerabilities (USN-1613-1)                                          | Nessus  | Ubuntu Local Security Checks           | medium
62436  | Ubuntu 10.04 LTS / 11.04 / 11.10 : python2.6 vulnerabilities (USN-1596-1)                         | Nessus  | Ubuntu Local Security Checks           | medium
60935  | Scientific Linux Security Update : python on SL5.x i386/x86_64                                    | Nessus  | Scientific Linux Local Security Checks | high
51524  | RHEL 5 : python (RHSA-2011:0027)                                                                  | Nessus  | Red Hat Local Security Checks          | high
49107  | Fedora 13 : python3-3.1.2-7.fc13 (2010-13388)                                                     | Nessus  | Fedora Local Security Checks           | medium
47600  | Fedora 12 : python-2.6.2-8.fc12 (2010-9565)                                                       | Nessus  | Fedora Local Security Checks           | medium
47547  | Fedora 13 : python-2.6.4-27.fc13 (2010-9652)                                                      | Nessus  | Fedora Local Security Checks           | medium
36094  | GLSA-200904-06 : Eye of GNOME: Untrusted search path                                              | Nessus  | Gentoo Local Security Checks           | medium
36055  | GLSA-200903-41 : gedit: Untrusted search path                                                     | Nessus  | Gentoo Local Security Checks           | medium
35910  | FreeBSD : epiphany -- untrusted search path vulnerability (e848a92f-0e7d-11de-92de-000bcdc1757a) | Nessus  | FreeBSD Local Security Checks          | medium
35596  | Fedora 9 : gnumeric-1.8.2-4.fc9 (2009-1295)                                                       | Nessus  | Fedora Local Security Checks           | medium