CVE-2022-26488 — Vulnetix

Try Vulnetix Request Demo

CVE-2022-26488 PUBLISHED

In Python before 3.10.3 on Windows, local users can gain privileges because the search path is inadequately secured. The installer may allow a local attacker to add user-writable directories to the system search path. To exploit, an administrator must have installed Python for all users and enabled PATH entries. A non-administrative user can trigger a repair that incorrectly adds user-writable paths into PATH, enabling search-path hijacking of other users and system services. This affects Python (CPython) through 3.7.12, 3.8.x through 3.8.12, 3.9.x through 3.9.10, and 3.10.x through 3.10.2.

EPSS 1.67% · 82.0th percentile

Risk Scores

EPSS Score

1.67%

82.0th percentile

Affected Products

Vendor	Product	Versions
Bitnami	libpython	3.9.0, 3.8.0, 3.10.0
Bitnami	python-min	0, 3.10.0, 3.8.0
Bitnami	python	3.9.0, 3.8.0, 3.10.0
Bitnami	python-min	3.9.0, 0, 3.10.0
Bitnami	python	0, 3.10.0, 3.8.0
Bitnami	libpython	0, 3.10.0, 3.8.0

Timeline

Mar 7, 2022 CVE Published
Mar 8, 2022 EPSS Score
Apr 28, 2022 EPSS Score
Aug 9, 2022 EPSS Score
Sep 29, 2022 EPSS Score
Nov 18, 2022 EPSS Score
Feb 28, 2023 EPSS Score
Mar 7, 2023 EPSS Score
Apr 20, 2023 EPSS Score
Jul 31, 2023 EPSS Score
Sep 20, 2023 EPSS Score
Nov 10, 2023 EPSS Score

References

Open in Interactive Console →