
CVE-2023-49797 pyinstaller

Package

Manager: pip
Name: pyinstaller
Vulnerable Version: >=0 <5.13.1

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

EPSS: 0.00069 (percentile 0.21613)

Details

Local Privilege Escalation in Windows

### Impact

A PyInstaller-built application, elevated as a privileged process, may be tricked by an unprivileged attacker into deleting files the unprivileged user does not otherwise have access to.

A user is affected if **all** of the following are satisfied:

* The user runs an application containing either `matplotlib` or `win32com`.
* The application is run as administrator (or at least as a user with higher privileges than the attacker).
* The user's temporary directory is not locked to that specific user (most likely due to `TMP`/`TEMP` environment variables pointing to an unprotected, arbitrary, non-default location).
* Either:
  - The attacker is able to very carefully time the replacement of a temporary file with a symlink. This switch must occur exactly between [`shutil.rmtree()`'s built-in symlink check](https://github.com/python/cpython/blob/0fb18b02c8ad56299d6a2910be0bab8ad601ef24/Lib/shutil.py#L623) and the deletion itself, or
  - The application was built with Python 3.7.x or earlier, which has no protection against Directory Junction links.

### Patches

The vulnerability has been addressed in https://github.com/pyinstaller/pyinstaller/pull/7827, which corresponds to `pyinstaller >= 5.13.1`.

### Workarounds

_Is there a way for users to fix or remediate the vulnerability without upgrading?_

No workaround, although the attack complexity becomes much higher if the application is built with Python >= 3.8.0.
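As an added illustration (not PyInstaller's own code nor the fix from the pull request above), the helper below shows the shape of the checks a privileged process should make before recursively deleting a scratch directory: refuse symlinks and Windows junctions, and refuse anything that resolves outside the directory it is allowed to clean. The constructed scenarios stand in for the advisory's conditions; as the comment notes, such checks still leave the check-to-delete gap described above, which is only closed when the temporary directory is private to the user.

```python
import os
import shutil
import stat
import tempfile


def is_reparse_point(path: str) -> bool:
    """True for a symlink, or on Windows any reparse point such as a directory junction."""
    if os.path.islink(path):
        return True
    attrs = getattr(os.lstat(path), "st_file_attributes", 0)
    return bool(attrs & stat.FILE_ATTRIBUTE_REPARSE_POINT)


def guarded_rmtree(path: str, allowed_parent: str) -> bool:
    """Remove `path` only if it is a real directory (not a link or junction) whose
    resolved location lies strictly inside `allowed_parent`. Returns True if deleted."""
    parent = os.path.realpath(allowed_parent)
    if not os.path.isdir(path) or is_reparse_point(path):
        return False
    resolved = os.path.realpath(path)
    if resolved == parent or os.path.commonpath([resolved, parent]) != parent:
        return False
    # A window still exists between the checks above and the deletion below; it is
    # only harmless when `allowed_parent` is writable by this user alone.
    shutil.rmtree(resolved)
    return True


def run_scenarios() -> dict:
    """Constructed scenarios: a genuine work dir, a symlink planted in the scratch
    root that points at an unrelated directory, and a directory outside the root."""
    root = tempfile.mkdtemp(prefix="appwork-")
    elsewhere = tempfile.mkdtemp(prefix="unrelated-")
    work = os.path.join(root, "work")
    os.mkdir(work)
    with open(os.path.join(work, "cache.bin"), "wb") as fh:
        fh.write(b"\x00" * 16)
    link = os.path.join(root, "work-link")
    os.symlink(elsewhere, link, target_is_directory=True)
    results = {
        "real_dir_deleted": guarded_rmtree(work, root) and not os.path.exists(work),
        "symlink_refused": not guarded_rmtree(link, root) and os.path.isdir(elsewhere),
        "outside_refused": not guarded_rmtree(elsewhere, root) and os.path.isdir(elsewhere),
    }
    shutil.rmtree(root)  # removes the planted link entry itself, not its target
    shutil.rmtree(elsewhere)
    return results
```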

Metadata

Created: 2023-12-09T00:39:46Z
Modified: 2024-11-22T20:21:21Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/12/GHSA-9w2p-rh8c-v9g5/GHSA-9w2p-rh8c-v9g5.json
CWE IDs: ["CWE-379", "CWE-732"]
Alternative ID: GHSA-9w2p-rh8c-v9g5
Finding: F028
Auto approve: 1