Skip to content

pyxdg Arbitrary File Overwrite via Race Condition

Low severity GitHub Reviewed Published May 17, 2022 to the GitHub Advisory Database • Updated Oct 16, 2024

Package

pip pyxdg (pip)

Affected versions

<= 0.25

Patched versions

0.26

Description

Race condition in the xdg.BaseDirectory.get_runtime_dir function in pyxdg 0.25 allows local users to overwrite arbitrary files by pre-creating /tmp/pyxdg-runtime-dir-fallback-victim to point to a victim-owned location, then replacing it with a symlink to an attacker-controlled location once the get_runtime_dir function is called.

References

Published by the National Vulnerability Database Jan 28, 2014
Published to the GitHub Advisory Database May 17, 2022
Reviewed Aug 16, 2023
Last updated Oct 16, 2024

Severity

Low

EPSS score

0.042%
(5th percentile)

Weaknesses

CVE ID

CVE-2014-1624

GHSA ID

GHSA-7372-q459-jxhr

Source code

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.