Description

Untrusted search path vulnerability in the PySys_SetArgv API function in Python 2.6 and earlier, and possibly later versions, prepends an empty string to sys.path when the argv[0] argument does not contain a path separator, which might allow local users to execute arbitrary code via a Trojan horse Python file in the current working directory.

Remediation

References

CVE-2008-5983

Related Vulnerabilities

Liferay DXP Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2021-33326)

Joomla Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2020-10242)

WordPress Plugin WP-AutoYoutube 'index.php' Script SQL Injection (0.1)

Jboss EAP Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') Vulnerability (CVE-2014-0226)

WordPress Plugin Jigoshop Multiple Unspecified Vulnerabilities (1.17.13)

Severity

Medium

Classification

CVE-2008-5983 CWE-426

Tags

Missing Update Known Vulnerabilities