CVE-2024-34062

EUVD-2024-1621
tqdm is an open source progress bar for Python and CLI. Any optional non-boolean CLI arguments (e.g. `--delim`, `--buf-size`, `--manpath`) are passed through python's `eval`, allowing arbitrary code execution. This issue is only locally exploitable and had been addressed in release version 4.66.3. All users are advised to upgrade. There are no known workarounds for this vulnerability.
Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
4.8 MEDIUM
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: 28%
Debian logo
Debian Releases
Debian Product
Codename
tqdm
bookworm
no-dsa
bullseye
no-dsa
buster
postponed
forky
4.67.1-7
fixed
sid
4.67.1-7
fixed
trixie
4.67.1-5
fixed
openSUSE logo
openSUSE / SLES Releases
openSUSE Product
Release
python-tqdm-bash-completion
suse enterprise desktop 15 SP5
4.66.4-150400.9.12.1
fixed
suse enterprise desktop 15 SP6
4.66.4-150400.9.12.1
fixed
suse enterprise desktop 15 SP7
4.66.4-150400.9.12.1
fixed
suse enterprise sap 15 SP4
4.66.4-150400.9.12.1
fixed
suse enterprise sap 15 SP5
4.66.4-150400.9.12.1
fixed
suse enterprise sap 15 SP6
4.66.4-150400.9.12.1
fixed
suse enterprise sap 15 SP7
4.66.4-150400.9.12.1
fixed
suse enterprise server 15 SP4
4.66.4-150400.9.12.1
fixed
suse enterprise server 15 SP5
4.66.4-150400.9.12.1
fixed
suse enterprise server 15 SP6
4.66.4-150400.9.12.1
fixed
suse enterprise server 15 SP7
4.66.4-150400.9.12.1
fixed
python311-tqdm
suse enterprise desktop 15 SP5
4.66.4-150400.9.12.1
fixed
suse enterprise desktop 15 SP6
4.66.4-150400.9.12.1
fixed
suse enterprise desktop 15 SP7
4.66.4-150400.9.12.1
fixed
suse enterprise sap 15 SP4
4.66.4-150400.9.12.1
fixed
suse enterprise sap 15 SP5
4.66.4-150400.9.12.1
fixed
suse enterprise sap 15 SP6
4.66.4-150400.9.12.1
fixed
suse enterprise sap 15 SP7
4.66.4-150400.9.12.1
fixed
suse enterprise server 15 SP4
4.66.4-150400.9.12.1
fixed
suse enterprise server 15 SP5
4.66.4-150400.9.12.1
fixed
suse enterprise server 15 SP6
4.66.4-150400.9.12.1
fixed
suse enterprise server 15 SP7
4.66.4-150400.9.12.1
fixed
Common Weakness Enumeration
References
https://github.com/tqdm/tqdm/commit/4e613f84ed2ae029559f539464df83fa91feb316
https://github.com/tqdm/tqdm/security/advisories/GHSA-g7vv-2v7x-gj9p
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PA3GIGHPWAHCTT4UF57LTPZGWHAX3GW6/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QRECVQCCESHBS3UJOWNXQUIX725TKNY6/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VA337CYUS4SLRFV2P6MX6MZ2LKFURKJC/
https://github.com/tqdm/tqdm/commit/4e613f84ed2ae029559f539464df83fa91feb316
https://github.com/tqdm/tqdm/security/advisories/GHSA-g7vv-2v7x-gj9p
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PA3GIGHPWAHCTT4UF57LTPZGWHAX3GW6/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QRECVQCCESHBS3UJOWNXQUIX725TKNY6/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VA337CYUS4SLRFV2P6MX6MZ2LKFURKJC/