First published: Tue May 07 2024
On Windows, a directory returned by tempfile.mkdtemp() would not always have permissions set to restrict reading and writing to the temporary directory by other users, instead usually inheriting the correct permissions from the default location. Alternate configurations or users without a profile directory may not have the intended permissions. If you’re not using Windows or haven’t changed the temporary directory location, then you aren’t affected by this vulnerability. On other platforms, the returned directory is consistently readable and writable only by the current user. This issue was caused by Python not supporting Unix permissions on Windows. The fix adds support for Unix “700” for the mkdir function on Windows, which is used by mkdtemp() to ensure the newly created directory has the proper permissions.
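One way to check whether a directory created by tempfile.mkdtemp() on Windows is reachable by other accounts is to parse its `icacls` listing; this is an added example, not code from the advisory or from the CPython project. The trusted-principal set, the sample path and the account name `CORP\alice` are constructed assumptions.

```python
import os
import re
import subprocess
import sys
import tempfile

# Assumption for this example: principals that may hold access to a private directory.
TRUSTED = {r"NT AUTHORITY\SYSTEM", r"BUILTIN\Administrators"}

# Constructed icacls output for a mkdtemp() directory under a relocated temp location.
SAMPLE_PATH = r"D:\scratch\tmpk3v9x2ab"
SAMPLE = r"""D:\scratch\tmpk3v9x2ab BUILTIN\Users:(I)(OI)(CI)(RX)
                       NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                       BUILTIN\Administrators:(I)(OI)(CI)(F)
                       CORP\alice:(I)(OI)(CI)(F)

Successfully processed 1 files; Failed processing 0 files
"""

ACE = re.compile(r"(?P<who>.+?):(?P<flags>(?:\([^)]+\))+)")


def parse_icacls(output, path):
    """Return [(principal, [flag, ...])] for each ACE line in `icacls <path>` output."""
    aces = []
    for line in output.splitlines():
        if line.startswith(path):          # the first ACE shares a line with the path
            line = line[len(path):]
        m = ACE.fullmatch(line.strip())
        if m:                              # blank lines and the summary line do not match
            aces.append((m["who"], re.findall(r"\(([^)]+)\)", m["flags"])))
    return aces


def exposed(aces, current_user):
    """ACEs that grant access to anyone besides the owner and TRUSTED principals."""
    ok = {p.lower() for p in TRUSTED} | {current_user.lower()}
    return [(who, flags) for who, flags in aces
            if who.lower() not in ok and "DENY" not in flags]


if __name__ == "__main__" and sys.platform == "win32":
    d = tempfile.mkdtemp()                 # inspect a real directory on this host
    try:
        out = subprocess.run(["icacls", d], capture_output=True, text=True, check=True).stdout
        me = os.environ["USERDOMAIN"] + "\\" + os.environ["USERNAME"]
        print(d, "->", exposed(parse_icacls(out, d), me) or "private")
    finally:
        os.rmdir(d)
```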
Credit: cna@python.org
Affected Software | Affected Version | How to fix |
---|---|---|
Python Babel Localedata | = |
CVE-2024-4030 has not been assigned a severity score yet, but it poses a risk due to improper permissions on temporary directories.
To fix CVE-2024-4030, update your Python installation to the latest version that includes the security patch.
CVE-2024-4030 affects Windows systems running affected versions of Python.
The potential impacts of CVE-2024-4030 include unauthorized access to temporary files created by Python applications.
CVE-2024-4030 was disclosed in 2024, though specific discovery dates may vary depending on reports.