New submission from Steve Dower <steve.do...@python.org>:

CVE-2022-26488 is an escalation of privilege vulnerability in the Windows 
installer for the following releases of CPython:

* 3.11.0a6 and earlier
* 3.10.2 and earlier
* 3.9.10 and earlier
* 3.8.12 and earlier
* All end-of-life releases of 3.5, 3.6 and 3.7

The vulnerability exists when installed for all users, and when the "Add Python 
to PATH" option has been selected. A local user without administrative 
permissions can trigger a repair operation that adds incorrect additional paths 
to the system PATH variable, and then use search path hijacking to achieve 
escalation of privilege. Per-user installs (the default) are also affected, but 
cannot be used for escalation of privilege.

Besides updating, this vulnerability may be mitigated by modifying an existing 
install to disable the "Add Python to PATH" or "Add Python to environment 
variables" option. Manually adding the install directory to PATH is not 
affected.

Thanks to the Lockheed Martin Red Team for detecting and reporting the issue to 
the Python Security Response Team.

----------
assignee: steve.dower
components: Windows
messages: 414673
nosy: lukasz.langa, ned.deily, pablogsal, paul.moore, steve.dower, tim.golden, 
zach.ware
priority: release blocker
severity: normal
stage: needs patch
status: open
title: [CVE-2022-26488] Escalation of privilege via Windows Installer
type: security
versions: Python 3.10, Python 3.11, Python 3.7, Python 3.8, Python 3.9

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue46948>
_______________________________________
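The advisory above does not name the "incorrect additional paths" the repair operation adds, so the practical check on an affected host is the generic one for search-path hijacking: walk the machine-wide PATH and flag any entry a non-administrative user could write to, create, or that resolves relative to the current directory. The following PowerShell script is an added example and is not part of the advisory, the tracker issue, or CPython. It assumes the principals listed in $LowPrivIdentities are the ones you consider "non-administrative" on the host; adjust that list for your environment.

```powershell
# Added example (not from the advisory or CPython): audit the machine PATH for
# entries that a low-privileged user could abuse for search-path hijacking.
# Assumption: these are the non-administrative principals of interest; edit
# the list for domain environments (e.g. add "DOMAIN\Domain Users").
$LowPrivIdentities = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Specific rights that let a principal plant or replace files in a directory.
$WriteBits = [int](
    [System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
    [System.Security.AccessControl.FileSystemRights]::CreateDirectories -bor
    [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles -bor
    [System.Security.AccessControl.FileSystemRights]::WriteDacl -bor
    [System.Security.AccessControl.FileSystemRights]::TakeOwnership)
# Get-Acl does not map generic rights onto the specific bits, so test them too.
$GenericWrite = 0x40000000
$GenericAll   = 0x10000000

function Test-LowPrivWritable {
    # Returns a description of the first Allow ACE that grants a low-privileged
    # principal write-like access to $Directory, or $null if there is none.
    param([string]$Directory)
    try { $acl = Get-Acl -LiteralPath $Directory -ErrorAction Stop } catch { return $null }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivIdentities -notcontains $ace.IdentityReference.Value) { continue }
        $rights = [int]$ace.FileSystemRights
        if (($rights -band $WriteBits) -or ($rights -band $GenericWrite) -or ($rights -band $GenericAll)) {
            return "$($ace.IdentityReference.Value): $($ace.FileSystemRights)"
        }
    }
    return $null
}

function Get-MachinePathHijackRisk {
    # Read the machine (HKLM) PATH directly rather than $env:Path, so the
    # result is not mixed with the current user's own PATH entries.
    $machinePath = [Environment]::GetEnvironmentVariable('Path', 'Machine')
    foreach ($raw in ($machinePath -split ';')) {
        $entry = $raw.Trim().Trim('"')
        if (-not $entry) { continue }
        # Expand %SystemRoot% and friends in case the value is still unexpanded.
        $dir = [Environment]::ExpandEnvironmentVariables($entry)
        if (-not [System.IO.Path]::IsPathRooted($dir)) {
            # A relative entry is resolved against whatever directory the
            # privileged process happens to be in: always hijackable.
            $status = 'RELATIVE'; $why = 'resolved against the current directory'
        } elseif (Test-Path -LiteralPath $dir -PathType Container) {
            $why = Test-LowPrivWritable -Directory $dir
            $status = if ($why) { 'WRITABLE' } else { 'ok' }
        } else {
            # A missing directory is hijackable if a low-privileged user can
            # create it, i.e. if the parent directory is writable.
            $parent = Split-Path -Path $dir -Parent
            $why = if ($parent) { Test-LowPrivWritable -Directory $parent } else { $null }
            $status = if ($why) { 'MISSING-CREATABLE' } else { 'missing' }
        }
        [pscustomobject]@{ Status = $status; Entry = $entry; Grant = $why }
    }
}

Get-MachinePathHijackRisk | Sort-Object Status | Format-Table -AutoSize
```

The script only needs read access to each directory's DACL, so it runs as a standard user as well as an administrator. Anything reported as RELATIVE, WRITABLE or MISSING-CREATABLE deserves attention regardless of which product put it there; for the case in the advisory, the fix is to update Python or to disable the "Add Python to PATH" / "Add Python to environment variables" option in the existing install, then re-run the check to confirm the offending entries are gone.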