Fluid Attacks Database

Description

Execution with Unnecessary Privileges in ipython We’d like to disclose an arbitrary code execution vulnerability in IPython that stems from IPython executing untrusted files in CWD. This vulnerability allows one user to run code as another.

Proof of concept

User1:

mkdir -m 777 /tmp/profile_default
mkdir -m 777 /tmp/profile_default/startup
echo 'print("stealing your private secrets")' > /tmp/profile_default/startup/foo.py

User2:

cd /tmp
ipython

User2 will see:

Python 3.9.7 (default, Oct 25 2021, 01:04:21)
Type 'copyright', 'credits' or 'license' for more information
IPython 7.29.0 -- An enhanced Interactive Python. Type '?' for help.
stealing your private secrets

Patched release and documentation

See https://ipython.readthedocs.io/en/stable/whatsnew/version8.html#ipython-8-0-1-cve-2022-21699,

Version 8.0.1, 7.31.1 for current Python version are recommended. Version 7.16.3 has also been published for Python 3.6 users, Version 5.11 (source only, 5.x branch on github) for older Python versions.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
pypi	ipython	>=0 <5.11 \|\| >=6.0.0 <7.16.3 \|\| >=7.17.0 <7.31.1 \|\| >=8.0.0 <8.0.1	5.11, 7.16.3, 7.31.1, 8.0.1
debian 14	ipython	>=0 <7.31.1-1	7.31.1-1
debian 11	ipython	=7.20.0-1 \|\| >=0 <7.20.0-1+deb11u1	7.20.0-1+deb11u1
debian 12	ipython	>=0 <7.31.1-1	7.31.1-1
debian 13	ipython	>=0 <7.31.1-1	7.31.1-1

Aliases

1. CVE-2022-216992. NVD-2022-216993. OSV-2022-216994. OSV-DEBIAN-2022-216995. GHSA-pq7m-3gw7-gq5x6. GCVE-2022-216997. lists.debian.org8. SECURITY-TRACKER-CVE-2022-21699

References

1. https://github.com/ipython/ipython/security/advisories/GHSA-pq7m-3gw7-gq5x2. https://github.com/ipython/ipython/commit/46a51ed69cdf41b4333943d9ceeb945c4ede56683. https://github.com/ipython/ipython/commit/5fa1e409d2dc126c456510c16ece18e08b524e5b4. https://github.com/ipython/ipython/commit/67ca2b3aa9039438e6f80e3fccca556f26100b4d5. https://github.com/ipython/ipython/commit/a06ca837273271b4acb82c29be97c0b6d12a30ea6. https://github.com/pypa/advisory-database/tree/main/vulns/ipython/PYSEC-2022-12.yaml7. https://ipython.readthedocs.io/en/stable/whatsnew/version8.html#ipython-8-0-1-cve-2022-216998. https://lists.fedoraproject.org/archives/list/[email protected]/message/CRQRTWHYXMLDJ572VGVUZMUPEOTPM3KB9. https://lists.fedoraproject.org/archives/list/[email protected]/message/DZ7LVZBB4D7KVSFNEQUBEHFO3JW6D2ZK

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.