PT-2023-31355 · Win32Com+2 · Win32Com+3

Highbwoodsend · Published 2023-12-08 · Updated 2024-12-03 · CVE-2023-49797

CVSS v3.1: 8.8 (High)
Vector: AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: PyInstaller versions prior to 5.13.1
Description: A PyInstaller-built application running as a privileged process may be tricked by an unprivileged local attacker into deleting files that the unprivileged user could not otherwise access. This can occur when the application bundles either matplotlib or win32com, is run as administrator, and the user's temporary directory is not locked to that specific user. The attacker must either carefully time the replacement of a temporary file with a symlink between shutil.rmtree()'s built-in symlink check and the deletion itself, or the application must have been built with Python 3.7.x or earlier, which has no protection against directory junction links.
Recommendations: For PyInstaller versions prior to 5.13.1, upgrade to pyinstaller >= 5.13.1 to address the vulnerability. As a temporary workaround, build the application with Python >= 3.8.0 to increase the attack complexity. Restrict access to the temporary directory by locking it to the specific user, and avoid TMP/TEMP environment variables that point to an unprotected location. Avoid calling shutil.rmtree() on paths derived from untrusted input until the issue is resolved.
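The two mitigations above, a temporary directory locked to the current user and a cleanup step that never follows a link planted at or inside it, as an added example that is not code from PyInstaller or from this advisory. It assumes a POSIX host and Python 3.8+; the `protected` directory and both symlinks are constructed inline to stand in for the scenario the description gives.

```python
import os
import shutil
import stat
import tempfile


def make_private_tempdir(prefix="pyi-demo-"):
    """Temp dir only its owner can enter: mkdtemp() creates it with mode 0o700,
    which is the 'lock the temporary directory to the user' recommendation."""
    return tempfile.mkdtemp(prefix=prefix)


def cleanup_tempdir(path):
    """Delete a private temp dir. Returns True if removed, False if refused.
    Refused: the path itself is a symlink (a link planted where the temp dir
    used to be must never be followed) or it is not owned by the current user.
    Links inside the tree are unlinked, not followed, by rmtree on 3.8+."""
    st = os.lstat(path)  # lstat looks at the path itself, never at a target
    if not stat.S_ISDIR(st.st_mode):  # symlinks and plain files are refused
        return False
    if hasattr(os, "getuid") and st.st_uid != os.getuid():
        return False
    shutil.rmtree(path)
    return True


def demo():
    """Exercise both guards and return the observations as a dict."""
    protected = tempfile.mkdtemp(prefix="protected-")  # stands in for a dir
    keep = os.path.join(protected, "keep.txt")          # the user cannot touch
    with open(keep, "w") as fh:
        fh.write("must survive cleanup\n")
    tmp = make_private_tempdir()
    mode = stat.S_IMODE(os.lstat(tmp).st_mode)
    # Constructed stand-in for a link planted inside the temp dir.
    os.symlink(protected, os.path.join(tmp, "link-to-protected"))
    removed = cleanup_tempdir(tmp)
    # Constructed stand-in for a link planted at the temp dir's own path.
    top_link = protected + "-link"
    os.symlink(protected, top_link)
    refused = cleanup_tempdir(top_link)
    result = {
        "private_mode_0o700": mode == 0o700,
        "fd_based_rmtree": shutil.rmtree.avoids_symlink_attacks,
        "tree_removed": removed and not os.path.exists(tmp),
        "protected_file_survived": os.path.exists(keep),
        "top_level_link_refused": refused is False,
    }
    os.unlink(top_link)
    shutil.rmtree(protected)
    return result
```

`shutil.rmtree.avoids_symlink_attacks` reports whether the interpreter's rmtree deletes by file descriptor, which is what closes the race window the description refers to on POSIX; on Windows it is False, so the private directory and the top-level link check carry the defence.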

Weakness Enumeration: Incorrect Permission

Related Identifiers

CVE-2023-49797
GHSA-9W2P-RH8C-V9G5
OESA-2024-1742
PYSEC-2023-292
ZDI-24-1641

Affected Products

Pyinstaller
Python
Matplotlib
Win32Com