{"id":"GHSA-9w2p-rh8c-v9g5","summary":"Local Privilege Escalation in Windows","details":"### Impact\n\nA PyInstaller built application, elevated as a privileged process, may be tricked by an unprivileged attacker into deleting files the unprivileged user does not otherwise have access to.\n\nA user is affected if **all** the following are satisfied:\n\n* The user runs an application containing either `matplotlib` or `win32com`.\n* The application is ran as administrator (or at least a user with higher privileges than the attacker).\n* The user's temporary directory is not locked to that specific user (most likely due to `TMP`/`TEMP` environment variables pointing to an unprotected, arbitrary, non default location).\n* Either:\n  - The attacker is able to very carefully time the replacement of a temporary file with a symlink. This switch must occur exactly between [`shutil.rmtree()`'s builtin symlink check](https://github.com/python/cpython/blob/0fb18b02c8ad56299d6a2910be0bab8ad601ef24/Lib/shutil.py#L623) and the deletion itself\n  - The application was built with Python 3.7.x or earlier which has no protection against Directory Junctions links\n\n### Patches\n\nThe vulnerability has been addressed in https://github.com/pyinstaller/pyinstaller/pull/7827 which corresponds to `pyinstaller \u003e= 5.13.1`\n\n### Workarounds\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\n\nNo workaround, although the attack complexity becomes much higher if the application is built with Python \u003e= 3.8.0.","aliases":["CVE-2023-49797","PYSEC-2023-292"],"modified":"2024-11-22T20:33:42.273183Z","published":"2023-12-09T00:39:46Z","database_specific":{"github_reviewed":true,"cwe_ids":["CWE-379","CWE-732"],"severity":"HIGH","nvd_published_at":"2023-12-09T01:15:07Z","github_reviewed_at":"2023-12-09T00:39:46Z"},"references":[{"type":"WEB","url":"https://github.com/pyinstaller/pyinstaller/security/advisories/GHSA-9w2p-rh8c-v9g5"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-49797"},{"type":"WEB","url":"https://github.com/pyinstaller/pyinstaller/pull/7827"},{"type":"PACKAGE","url":"https://github.com/pyinstaller/pyinstaller"},{"type":"WEB","url":"https://github.com/pypa/advisory-database/tree/main/vulns/pyinstaller/PYSEC-2023-292.yaml"},{"type":"WEB","url":"https://github.com/python/cpython/blob/0fb18b02c8ad56299d6a2910be0bab8ad601ef24/Lib/shutil.py#L623"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2K2XIQLEMZIKUQUOWNDYWTEWYQTKMAN7"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ISRWT34FAF23PUOLVZ7RVWBZMWPDR5U7"}],"affected":[{"package":{"name":"pyinstaller","ecosystem":"PyPI","purl":"pkg:pypi/pyinstaller"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"5.13.1"}]}],"versions":["1.5","1.5.1","2.0","2.1","3.0","3.1","3.1.1","3.2","3.2.1","3.3","3.3.1","3.4","3.5","3.6","4.0","4.1","4.10","4.2","4.3","4.4","4.5","4.5.1","4.6","4.7","4.8","4.9","5.0","5.0.1","5.1","5.10.0","5.10.1","5.11.0","5.12.0","5.13.0","5.2","5.3","5.4","5.4.1","5.5","5.6","5.6.1","5.6.2","5.7.0","5.8.0","5.9.0"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/12/GHSA-9w2p-rh8c-v9g5/GHSA-9w2p-rh8c-v9g5.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"}]}