PT-2022-7666 · Python · Python
Published
2022-03-07
·
Updated
2025-08-11
·
CVE-2022-26488
CVSS v3.1
7.0
High
| Vector | AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Python versions prior to 3.10.3
Python versions 3.7.x through 3.7.12
Python versions 3.8.x through 3.8.12
Python versions 3.9.x through 3.9.10
Python versions 3.10.x through 3.10.2
Description
The vulnerability is an untrusted search path weakness in the Python installer that allows local users to gain privileges. When an administrator has installed Python for all users and enabled the option that adds PATH entries, a non-administrative user can trigger an installer repair that incorrectly adds user-writable directories to the system-wide PATH. Other users and system services then resolve executables and libraries through those directories, enabling search-path hijacking.
Recommendations
For Python versions prior to 3.10.3, update to version 3.10.3 or later to resolve the issue.
For Python versions 3.7.x through 3.7.12, update to version 3.7.13 or later to resolve the issue.
For Python versions 3.8.x through 3.8.12, update to version 3.8.13 or later to resolve the issue.
For Python versions 3.9.x through 3.9.10, update to version 3.9.11 or later to resolve the issue.
For Python versions 3.10.x through 3.10.2, update to version 3.10.3 or later to resolve the issue.
As a temporary workaround, restrict access to the directories on the system search path so that non-administrative users cannot write to them, which minimizes the risk of exploitation until the update is applied.
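As an added example (not part of this advisory or of the Python project), the following PowerShell script supports the workaround above on a Windows host: it reads the machine-wide PATH from the registry and flags every entry that is missing, sits inside a user profile, or carries an ACL granting write rights to a low-privilege identity. The registry key, identity names and rights are standard Windows values; the script assumes an elevated session.

```powershell
# Added example: audit the machine-wide PATH for directories a standard user
# could write to, i.e. the condition the advisory describes (user-writable
# entries that other users and services search first).
# Assumes Windows PowerShell 5.1 or later, run elevated.

$regKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment'
$systemPath = (Get-ItemProperty -Path $regKey -Name Path).Path

# Identities that stand for "any interactive user", not administrators.
$lowPrivIdentities = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)
# Any of these bits lets a user create or replace files in the directory.
$writeRights = [System.Security.AccessControl.FileSystemRights]::Write -bor
               [System.Security.AccessControl.FileSystemRights]::Modify -bor
               [System.Security.AccessControl.FileSystemRights]::FullControl

$findings = foreach ($entry in ($systemPath -split ';' | Where-Object { $_.Trim() })) {
    # Expand %SystemRoot%-style references before inspecting the directory.
    $dir = [Environment]::ExpandEnvironmentVariables($entry.Trim())

    if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
        [pscustomobject]@{ Entry = $entry; Issue = 'Directory missing (a user could create it if the parent is writable)' }
        continue
    }
    # Anything under a user profile is user-writable by design.
    if ($dir -like "$env:SystemDrive\Users\*") {
        [pscustomobject]@{ Entry = $entry; Issue = 'Located inside a user profile directory' }
    }
    # Report explicit Allow ACEs that give write-class rights to low-privilege identities.
    $acl = Get-Acl -LiteralPath $dir
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($lowPrivIdentities -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $writeRights) -ne 0) {
            [pscustomobject]@{ Entry = $entry; Issue = "Writable by $($ace.IdentityReference) ($($ace.FileSystemRights))" }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize }
else { 'No user-writable entries found in the machine PATH.' }
```

Entries reported here should be removed from the machine PATH or have their ACLs tightened to administrators only; re-run the script after applying the Python update to confirm the repair no longer reintroduces them.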
Weakness Enumeration
Untrusted Search Path
Affected Products
Python