What is the severity of CVE-2024-34062?

CVE-2024-34062 has a high severity rating due to the potential for arbitrary code execution via non-boolean CLI arguments.

How do I fix CVE-2024-34062?

To fix CVE-2024-34062, upgrade to tqdm version 4.66.3 or later.

Which software is affected by CVE-2024-34062?

CVE-2024-34062 affects versions of tqdm from 4.4.0 to 4.66.3, as well as specific versions of IBM Cloud Pak for Security and QRadar Suite Software.

Is there a workaround for CVE-2024-34062?

There are no known effective workarounds for CVE-2024-34062; the best solution is to upgrade to a secured version.

What type of vulnerability is CVE-2024-34062?

CVE-2024-34062 is classified as a code injection vulnerability, enabling arbitrary code execution through manipulated CLI arguments.

Vulnerability/
CVE-2024-34062

medium

4.8

CWE

EPSS

0.043%

3/5/2024

21/11/2024

CVE-2024-34062: tqdm CLI arguments injection attack

First published: Fri May 03 2024(Updated: )

### Impact Any optional non-boolean CLI arguments (e.g. `--delim`, `--buf-size`, `--manpath`) are passed through python's `eval`, allowing arbitrary code execution. Example: ```sh python -m tqdm --manpath="\" + str(exec(\"import os\nos.system('echo hi && killall python3')\")) + \"" ``` ### Patches https://github.com/tqdm/tqdm/commit/4e613f84ed2ae029559f539464df83fa91feb316 released in `tqdm>=4.66.3` ### Workarounds None ### References - https://github.com/tqdm/tqdm/releases/tag/v4.66.3

Credit: security-advisories@github.com security-advisories@github.com

Affected Software	Affected Version	How to fix
pip/tqdm	>=4.4.0<4.66.3	4.66.3
IBM Cloud Pak for Security	<=1.10.0.0 - 1.10.11.0
IBM QRadar Suite Software	<=1.10.12.0 - 1.10.22.0
debian/tqdm	<=4.57.0-2<=4.64.1-1	4.67.1-1

Never miss a vulnerability like this again

Reference Links

Parent vulnerabilities

(Appears in the following advisories)

IBM-7159768

Frequently Asked Questions

What is the severity of CVE-2024-34062?
CVE-2024-34062 has a high severity rating due to the potential for arbitrary code execution via non-boolean CLI arguments.
How do I fix CVE-2024-34062?
To fix CVE-2024-34062, upgrade to tqdm version 4.66.3 or later.
Which software is affected by CVE-2024-34062?
CVE-2024-34062 affects versions of tqdm from 4.4.0 to 4.66.3, as well as specific versions of IBM Cloud Pak for Security and QRadar Suite Software.
Is there a workaround for CVE-2024-34062?
There are no known effective workarounds for CVE-2024-34062; the best solution is to upgrade to a secured version.
What type of vulnerability is CVE-2024-34062?
CVE-2024-34062 is classified as a code injection vulnerability, enabling arbitrary code execution through manipulated CLI arguments.

agent/weakness
agent/title
agent/type
agent/first-publish-date
agent/author
collector/epss-latest
source/FIRST
agent/epss
collector/nvd-api
source/NVD
collector/github-advisory-latest
source/GitHub
alias/GHSA-g7vv-2v7x-gj9p
alias/CVE-2024-34062
agent/software-canonical-lookup
collector/github-advisory
collector/ibm-support
source/IBM
agent/severity
collector/mitre-cve
source/MITRE
agent/trending
collector/usn-cve
source/Ubuntu
agent/description
collector/launchpad-cve
source/Launchpad
collector/security-tracker-debian
source/Debian
collector/nvd-cve
agent/references
agent/last-modified-date
agent/softwarecombine
agent/tags
agent/event
agent/source
package-manager/pip
vendor/ibm
canonical/ibm cloud pak for security
version/ibm cloud pak for security/1.10.0.0 - 1.10.11.0
canonical/ibm qradar suite software
version/ibm qradar suite software/1.10.12.0 - 1.10.22.0
package-manager/debian