CVE-2022-21699: Execution with Unnecessary Privileges in ipython
First published: Wed Jan 19 2022(Updated: )
IPython (Interactive Python) is a command shell for interactive computing in multiple programming languages, originally developed for the Python programming language. Affected versions are subject to an arbitrary code execution vulnerability achieved by not properly managing cross user temporary files. This vulnerability allows one user to run code as another on the same machine. All users are advised to upgrade.
Credit: security-advisories@github.com security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Ipython Ipython | <=5.10.0 | |
| Ipython Ipython | >=6.0.0<7.16.3 | |
| Ipython Ipython | >=7.17.0<7.31.1 | |
| Ipython Ipython | >=8.0.0<8.0.1 | |
| Debian Debian Linux | =9.0 | |
| Debian Debian Linux | =10.0 | |
| Debian Debian Linux | =11.0 | |
| Fedoraproject Fedora | =34 | |
| Fedoraproject Fedora | =35 | |
| pip/ipython | >=8.0.0<8.0.1 | 8.0.1 |
| pip/ipython | >=7.17.0<7.31.1 | 7.31.1 |
| pip/ipython | >=6.0.0<7.16.3 | 7.16.3 |
| pip/ipython | <5.11 | 5.11 |
| IBM Cognos Analytics | <=12.0.0-12.0.3 | |
| IBM Cognos Analytics | <=11.2.0-11.2.4 FP4 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/ipython/ipython/commit/46a51ed69cdf41b4333943d9ceeb945c4ede5668
- https://github.com/ipython/ipython/security/advisories/GHSA-pq7m-3gw7-gq5x
- https://ipython.readthedocs.io/en/stable/whatsnew/version8.html#ipython-8-0-1-cve-2022-21699
- https://lists.debian.org/debian-lts-announce/2022/01/msg00021.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CRQRTWHYXMLDJ572VGVUZMUPEOTPM3KB/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DZ7LVZBB4D7KVSFNEQUBEHFO3JW6D2ZK/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CRQRTWHYXMLDJ572VGVUZMUPEOTPM3KB/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DZ7LVZBB4D7KVSFNEQUBEHFO3JW6D2ZK/
- https://nvd.nist.gov/vuln/detail/CVE-2022-21699
- https://github.com/pypa/advisory-database/tree/main/vulns/ipython/PYSEC-2022-12.yaml
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CRQRTWHYXMLDJ572VGVUZMUPEOTPM3KB
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DZ7LVZBB4D7KVSFNEQUBEHFO3JW6D2ZK
- https://github.com/ipython/ipython/commit/5fa1e409d2dc126c456510c16ece18e08b524e5b
- https://github.com/ipython/ipython/commit/67ca2b3aa9039438e6f80e3fccca556f26100b4d
- https://github.com/ipython/ipython/commit/a06ca837273271b4acb82c29be97c0b6d12a30ea
- https://github.com/advisories/GHSA-pq7m-3gw7-gq5x (Advisory)
- https://www.ibm.com/support/pages/node/7177223 (Advisory)
Frequently Asked Questions
What is CVE-2022-21699?
CVE-2022-21699 is an arbitrary code execution vulnerability in IPython.
Which versions of IPython are affected by CVE-2022-21699?
IPython versions up to 5.10.0, versions 6.0.0 to 7.16.3, versions 7.17.0 to 7.31.1, and versions 8.0.0 to 8.0.1 are affected.
How can I fix CVE-2022-21699?
Update IPython to a version that is not affected by the vulnerability.
What is the severity of CVE-2022-21699?
CVE-2022-21699 has a severity score of 8.8 (high).
Where can I find more information about CVE-2022-21699?
You can find more information about CVE-2022-21699 at the following references: [Reference 1](https://github.com/ipython/ipython/commit/46a51ed69cdf41b4333943d9ceeb945c4ede5668), [Reference 2](https://github.com/ipython/ipython/security/advisories/GHSA-pq7m-3gw7-gq5x), [Reference 3](https://ipython.readthedocs.io/en/stable/whatsnew/version8.html#ipython-8-0-1-cve-2022-21699).
- collector/nvd-index
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/remedy
- agent/weakness
- agent/title
- agent/first-publish-date
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-pq7m-3gw7-gq5x
- alias/CVE-2022-21699
- agent/software-canonical-lookup
- agent/author
- collector/nvd-cve
- source/NVD
- agent/event
- collector/github-advisory
- collector/ibm-support
- source/IBM
- agent/last-modified-date
- agent/references
- agent/softwarecombine
- agent/description
- agent/trending
- agent/tags
- agent/source
- vendor/ipython
- canonical/ipython ipython
- version/ipython ipython/5.10.0
- version/ipython ipython/6.0.0
- version/ipython ipython/7.17.0
- version/ipython ipython/8.0.0
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/9.0
- version/debian debian linux/10.0
- version/debian debian linux/11.0
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/34
- version/fedoraproject fedora/35
- package-manager/pip
- vendor/ibm
- canonical/ibm cognos analytics
- version/ibm cognos analytics/12.0.0-12.0.3
- version/ibm cognos analytics/11.2.0-11.2.4 fp4