CVE-2023-24816

Name of the Vulnerable Software and Affected Versions IPython versions prior to 8.10.0

Description The issue exists due to the lack of neutralization of special elements used in the operating system command. Exploitation of this issue may allow an attacker to execute arbitrary commands by providing specially crafted data to the application. This vulnerability requires the IPython.utils.terminal.set term title function to be called on Windows in a Python environment where ctypes is not available. The vulnerability can be exploited if an attacker can control directory names and manage to get a user to change into this directory, then the attacker can execute arbitrary commands contained in the folder names.

Recommendations For versions prior to 8.10.0, users are advised to upgrade to version 8.10.0 or later. For users unable to upgrade, ensure that any calls to the IPython.utils.terminal.set term title function are done with trusted or filtered input. As a temporary workaround, consider restricting access to the set term title function until a patch is available.