Vulnerability Details: CVE-2022-26488
In Python before 3.10.3 on Windows, local users can gain privileges because the search path is inadequately secured. The installer may allow a local attacker to add user-writable directories to the system search path. To exploit, an administrator must have installed Python for all users and enabled PATH entries. A non-administrative user can trigger a repair that incorrectly adds user-writable paths into PATH, enabling search-path hijacking of other users and system services. This affects Python (CPython) through 3.7.12, 3.8.x through 3.8.12, 3.9.x through 3.9.10, and 3.10.x through 3.10.2.
Vulnerability category: File inclusion
Products affected by CVE-2022-26488
- cpe:2.3:a:netapp:ontap_select_deploy_administration_utility:-:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*
- cpe:2.3:a:python:python:*:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.11.0:alpha1:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.11.0:alpha2:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.11.0:alpha3:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.11.0:alpha4:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.11.0:alpha5:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.11.0:alpha6:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-26488
- EPSS score: 0.04% (probability of exploitation activity in the next 30 days)
- Percentile: ~6% (the proportion of vulnerabilities scored at or below this score)
CVSS scores for CVE-2022-26488
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
| 4.4 | MEDIUM | AV:L/AC:M/Au:N/C:P/I:P/A:P | 3.4 | 6.4 | NIST | |
| 7.0 | HIGH | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H | 1.0 | 5.9 | NIST | |
| 7.0 | HIGH | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H | N/A | N/A | RedHat-CVE-2022-26488 | 2024-10-05 |
CWE ids for CVE-2022-26488
- The product searches for critical resources using an externally-supplied search path that can point to resources that are not under the product's direct control. Assigned by: nvd@nist.gov (Primary)
References for CVE-2022-26488
- https://mail.python.org/archives/list/security-announce@python.org/thread/657Z4XULWZNIY5FRP3OWXHYKUSIH6DMN/ (Mailman 3 [CVE-2022-26488] Escalation of privilege via Windows installer - Security-announce - python.org). Patch; Vendor Advisory
- https://security.netapp.com/advisory/ntap-20220419-0005/ (CVE-2022-26488 Python Vulnerability in NetApp Products | NetApp Product Security). Third Party Advisory