Vulnerability Details : CVE-2022-21699
Potential exploit
IPython (Interactive Python) is a command shell for interactive computing in multiple programming languages, originally developed for the Python programming language. Affected versions are subject to an arbitrary code execution vulnerability caused by improper handling of temporary files shared across users. This vulnerability allows one user to run code as another user on the same machine. All users are advised to upgrade.
Products affected by CVE-2022-21699
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*
- cpe:2.3:a:ipython:ipython:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-21699
- EPSS score: 1.37% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~79% (the proportion of vulnerabilities scored at or below this value)
CVSS scores for CVE-2022-21699
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
4.6 | MEDIUM | AV:L/AC:L/Au:N/C:P/I:P/A:P | 3.9 | 6.4 | NIST |
8.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H | 2.0 | 6.0 | NIST |
8.2 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H | 1.5 | 6.0 | GitHub, Inc. |
CWE ids for CVE-2022-21699
- CWE-250 (Execution with Unnecessary Privileges): The product performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses. Assigned by: security-advisories@github.com (Primary)
- CWE-269 (Improper Privilege Management): The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. Assigned by: nvd@nist.gov (Secondary)
- CWE-279 (Incorrect Execution-Assigned Permissions): While it is executing, the product sets the permissions of an object in a way that violates the intended permissions that have been specified by the user. Assigned by: security-advisories@github.com (Primary)
References for CVE-2022-21699
- https://github.com/ipython/ipython/commit/46a51ed69cdf41b4333943d9ceeb945c4ede5668 (Merge pull request from GHSA-pq7m-3gw7-gq5x · ipython/ipython@46a51ed · GitHub). Patch; Third Party Advisory
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CRQRTWHYXMLDJ572VGVUZMUPEOTPM3KB/ ([SECURITY] Fedora 35 Update: ipython-7.26.0-3.fc35 - package-announce - Fedora Mailing-Lists). Mailing List; Third Party Advisory
- https://lists.debian.org/debian-lts-announce/2022/01/msg00021.html ([SECURITY] [DLA 2896-1] ipython security update). Mailing List; Third Party Advisory
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DZ7LVZBB4D7KVSFNEQUBEHFO3JW6D2ZK/ ([SECURITY] Fedora 34 Update: ipython-7.20.0-2.fc34 - package-announce - Fedora Mailing-Lists). Mailing List; Third Party Advisory
- https://ipython.readthedocs.io/en/stable/whatsnew/version8.html#ipython-8-0-1-cve-2022-21699 (8.x Series — IPython 8.0.1 documentation). Release Notes; Third Party Advisory
- https://github.com/ipython/ipython/security/advisories/GHSA-pq7m-3gw7-gq5x (Execution with Unnecessary Privileges in ipython · Advisory · ipython/ipython · GitHub). Exploit; Third Party Advisory