VDB

CVE-2022-35861

CVE-2022-35861 PUBLISHED CVSS 7.8 HIGH

pyenv 1.2.24 through 2.3.2 allows local users to gain privileges via a .python-version file in the current working directory. An attacker can craft a Python version string in .python-version to execute shims under their control. (Shims are executables that pass a command along to a specific version of pyenv. The version string is used to construct the path to the command, and there is no validation of whether the version specified is a valid version. Thus, relative path traversal can occur.)

EPSS 0.04% · 14.0th percentile

Risk Scores

CVSS 3.1
7.8
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score
0.04%
14.0th percentile

Affected Products

Vendor   Product   Versions
n/a      n/a       n/a
pyenv    pyenv     1.2.24

Timeline

  • Jul 17, 2022 CVE Published
  • Jul 18, 2022 EPSS Score
  • Sep 3, 2022 EPSS Score
  • Oct 20, 2022 EPSS Score
  • Dec 6, 2022 EPSS Score
  • Jan 22, 2023 EPSS Score
  • Mar 7, 2023 EPSS Score
  • Mar 10, 2023 EPSS Score
  • Apr 26, 2023 EPSS Score
  • Jun 12, 2023 EPSS Score
  • Jul 29, 2023 EPSS Score
  • Sep 14, 2023 EPSS Score