CVE-2024-34062

Name
CVE-2024-34062
Description
tqdm is an open source progress bar for Python and CLI. Any optional non-boolean CLI arguments (e.g. `--delim`, `--buf-size`, `--manpath`) are passed through python's `eval`, allowing arbitrary code execution. This issue is only locally exploitable and had been addressed in release version 4.66.3. All users are advised to upgrade. There are no known workarounds for this vulnerability.
NVD Severity
medium
Other trackers
CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia
Mailing lists
oss-security, full-disclosure, bugtraq
Exploits
Exploit DB, Metasploit
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
MISC https://github.com/tqdm/tqdm/commit/4e613f84ed2ae029559f539464df83fa91feb316
CONFIRM https://github.com/tqdm/tqdm/security/advisories/GHSA-g7vv-2v7x-gj9p
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VA337CYUS4SLRFV2P6MX6MZ2LKFURKJC/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QRECVQCCESHBS3UJOWNXQUIX725TKNY6/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PA3GIGHPWAHCTT4UF57LTPZGWHAX3GW6/

Match rules

CPE URI Source package Min version Max version
tqdm >= 4.4.0 < 4.66.3

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
py3-tqdm edge-community 4.66.4-r0 Celeste <cielesti@protonmail.com> fixed
py3-tqdm 3.22-community 4.66.4-r0 None fixed
py3-tqdm 3.21-community 4.66.4-r0 None fixed
py3-tqdm 3.20-community 4.66.4-r0 Celeste <cielesti@protonmail.com> fixed