VDB
CVE-2022-35861
CVE-2022-35861
PUBLISHED
CVSS 7.800000190734863 HIGH
pyenv 1.2.24 through 2.3.2 allows local users to gain privileges via a .python-version file in the current working directory. An attacker can craft a Python version string in .python-version to execute shims under their control. (Shims are executables that pass a command along to a specific version of pyenv. The version string is used to construct the path to the command, and there is no validation of whether the version specified is a valid version. Thus, relative path traversal can occur.)
EPSS 0.04% · 14.0th percentile
Risk Scores
CVSS 3.1
7.800000190734863
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score
0.04%
14.0th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| n/a | n/a | n/a |
| pyenv | pyenv | 1.2.24 |
Exploit Intelligence
Timeline
- Jul 17, 2022 CVE Published
- Jul 18, 2022 EPSS Score
- Sep 3, 2022 EPSS Score
- Oct 20, 2022 EPSS Score
- Dec 6, 2022 EPSS Score
- Jan 22, 2023 EPSS Score
- Mar 7, 2023 EPSS Score
- Mar 10, 2023 EPSS Score
- Apr 26, 2023 EPSS Score
- Jun 12, 2023 EPSS Score
- Jul 29, 2023 EPSS Score
- Sep 14, 2023 EPSS Score