Upstream information

CVE-2022-35861 at MITRE

Description

pyenv 1.2.24 through 2.3.2 allows local users to gain privileges via a .python-version file in the current working directory. An attacker can craft a Python version string in .python-version to execute shims under their control. (Shims are executables that pass a command along to a specific version of pyenv. The version string is used to construct the path to the command, and there is no validation of whether the version specified is a valid version. Thus, relative path traversal can occur.)

SUSE information

Overall state of this security issue: Resolved

This issue is currently rated as having important severity.

CVSS v2 Scores
  National Vulnerability Database
Base Score 4.6
Vector AV:L/AC:L/Au:N/C:P/I:P/A:P
Access Vector Local
Access Complexity Low
Authentication None
Confidentiality Impact Partial
Integrity Impact Partial
Availability Impact Partial
CVSS v3 Scores
  National Vulnerability Database
Base Score 7.8
Vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality Impact High
Integrity Impact High
Availability Impact High
CVSSv3 Version 3.1
SUSE Bugzilla entry: 1201582 [RESOLVED / FIXED]

SUSE Security Advisories:

List of released packages

Product(s) Fixed package version(s) References
SUSE Package Hub 15 SP4
  • pyenv >= 2.3.5-bp154.2.3.1
  • pyenv-bash-completion >= 2.3.5-bp154.2.3.1
  • pyenv-fish-completion >= 2.3.5-bp154.2.3.1
  • pyenv-zsh-completion >= 2.3.5-bp154.2.3.1
Patchnames:
openSUSE-2022-10183
openSUSE Leap 15.4
  • pyenv >= 2.3.5-bp154.2.3.1
  • pyenv-bash-completion >= 2.3.5-bp154.2.3.1
  • pyenv-fish-completion >= 2.3.5-bp154.2.3.1
  • pyenv-zsh-completion >= 2.3.5-bp154.2.3.1
Patchnames:
openSUSE-2022-10183
openSUSE Tumbleweed
  • pyenv >= 2.3.2-1.1
  • pyenv-bash-completion >= 2.3.2-1.1
  • pyenv-fish-completion >= 2.3.2-1.1
  • pyenv-zsh-completion >= 2.3.2-1.1
Patchnames:
openSUSE Tumbleweed GA pyenv-2.3.2-1.1


SUSE Timeline for this CVE

CVE page created: Sun Jul 17 22:00:02 2022
CVE page last modified: Sat Sep 30 17:01:44 2023