PT-2024-19267 · Unknown · Case-Utils+1

Ajnelson-Nist · Published 2024-01-11 · Updated 2024-01-19 · CVE-2024-22194

CVSS v3.1: 2.8 (Low)
Vector: AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: cdo-local-uuid version 0.4.0; case-utils versions 0.5.0 through 0.14.0.
Description: An information leakage vulnerability is present in the affected software. The vulnerability stems from a Python function, `cdo_local_uuid.local_uuid()`, and its original implementation, `case_utils.local_uuid()`. This function generates UUIDv5s from a deterministic pseudorandom number stream. Under certain conditions, the calling user's present working directory, as an absolute path, was incorporated into the seed data for that deterministic stream. This violates an expectation stated in the documented purpose of `local_uuid()` (that its output depends only on the inputs the caller deliberately supplies) and leaks information about the calling user's environment into the generated identifiers.
Recommendations: For cdo-local-uuid version 0.4.0, upgrade to version 0.5.0 or later. For case-utils versions 0.5.0 through 0.14.0, upgrade to version 0.15.0 or later. As a temporary workaround, consider moving the script that calls `cdo_local_uuid.local_uuid()` out of the "Top" source directory.
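The pattern the advisory describes, as an added illustration that is not the cdo-local-uuid or case-utils code: a deterministic UUID generator whose seed string includes the absolute working directory, next to a corrected version that seeds only from caller-supplied inputs, plus a regression check that runs the generator from two different directories and requires identical output. The function names `leaky_local_uuid`, `fixed_local_uuid`, `cwd_invariant` and the seed layout `base|cwd|counter` are assumptions made for this example.

```python
"""Constructed example of the working-directory-in-seed leak pattern.
Nothing here is the project's own implementation."""
import os
import random
import tempfile
import uuid
from typing import Callable, Optional


def _uuid_from_stream(seed_material: str) -> uuid.UUID:
    """Draw 128 bits from a PRNG seeded with seed_material and tag the result
    as version 5. random.Random(str) seeds deterministically (SHA-512 of the
    string), so equal seed material always yields the same UUID."""
    rng = random.Random(seed_material)
    return uuid.UUID(int=rng.getrandbits(128), version=5)


def leaky_local_uuid(base: str, counter: int, cwd: Optional[str] = None) -> uuid.UUID:
    """Flawed pattern (hypothetical): the absolute working directory is folded
    into the seed, so the 'deterministic' ID silently encodes where the caller
    ran the script. Two users with identical inputs get different IDs, and the
    IDs become a fingerprint of the calling environment."""
    cwd = os.getcwd() if cwd is None else cwd
    return _uuid_from_stream(f"{base}|{os.path.abspath(cwd)}|{counter}")


def fixed_local_uuid(base: str, counter: int, cwd: Optional[str] = None) -> uuid.UUID:
    """Corrected pattern (hypothetical): the seed is built only from values the
    caller deliberately passes in; the cwd parameter is accepted for signature
    compatibility and deliberately ignored."""
    return _uuid_from_stream(f"{base}|{counter}")


def cwd_invariant(make_id: Callable[..., uuid.UUID], base: str = "demo", counter: int = 0) -> bool:
    """Regression check: call the generator from two freshly created
    directories and require identical output. False means environment data is
    reaching the seed."""
    original = os.getcwd()
    try:
        with tempfile.TemporaryDirectory() as d1, tempfile.TemporaryDirectory() as d2:
            os.chdir(d1)
            first = make_id(base, counter)
            os.chdir(d2)
            second = make_id(base, counter)
            # Leave both temp dirs before they are removed (Windows refuses to
            # delete the current directory).
            os.chdir(original)
    finally:
        os.chdir(original)
    return first == second


if __name__ == "__main__":
    print("leaky generator cwd-invariant:", cwd_invariant(leaky_local_uuid))
    print("fixed generator cwd-invariant:", cwd_invariant(fixed_local_uuid))
```

The `cwd_invariant` check is the kind of test a project can keep in its suite so that a future change cannot reintroduce environment-dependent seed material unnoticed; it exercises the real `os.getcwd()` path rather than a mocked one.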

Exploit

Fix


Weakness Enumeration

Related Identifiers

CVE-2024-22194
GHSA-RGRF-6MF5-M882
PYSEC-2024-5
PYSEC-2024-6

Affected Products

Case-Utils
Cdo-Local-Uuid