CVE-2022-26488 is an escalation of privilege vulnerability in the
Windows installer for the following releases of CPython:
* 3.11.0a6 and earlier
* 3.10.2 and earlier
* 3.9.10 and earlier
* 3.8.12 and earlier
* 3.7.12 and earlier
* All end-of-life releases of 3.5 and 3.6
The vulnerability exists when Python is installed for all users with the
"Add Python to PATH" option selected. A local user without administrative
permissions can trigger a repair operation of this PATH option to add
unintended additional paths to the system PATH variable, and then use
search path hijacking to achieve escalation of privilege. Per-user
installs (the default) are also affected, but cannot be used for
escalation of privilege, since the PATH variable they modify belongs to
the same user.
Besides updating, this vulnerability may be mitigated by modifying an
existing install to disable the "Add Python to PATH" or "Add Python to
environment variables" option. Manually adding the install directory to
PATH is not affected.
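The practical check for an affected machine is whether the system PATH now
contains directories a non-administrator can write to (or can create, if the
entry does not exist), because that is what makes the added entries usable
for search path hijacking. The following PowerShell audit is an added
example, not part of this advisory or of CPython; it assumes Windows
PowerShell 5.1 or later, reads the machine-scope PATH from the registry
rather than $env:Path, and treats write access for Everyone, Authenticated
Users, BUILTIN\Users or INTERACTIVE as "writable by any local user".

```powershell
# Added example, not part of the advisory or of CPython: audit the machine-wide
# PATH for directories that low-privileged local users can write to (or create).
# Such an entry is what turns a bad PATH addition into a search-path hijack.
# Assumes Windows PowerShell 5.1 or later.

# Principals that cover every non-admin local user. An Allow ACE granting any of
# them create rights means an unprivileged account could plant a binary or DLL.
$lowPrivSids = @(
    'S-1-1-0',        # Everyone
    'S-1-5-11',       # Authenticated Users
    'S-1-5-32-545',   # BUILTIN\Users
    'S-1-5-4'         # INTERACTIVE
)

# Rights needed to create a new file or subdirectory. Write, Modify and
# FullControl all include these two bits, so a single bit test covers them.
$createBits = [int]([System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
                    [System.Security.AccessControl.FileSystemRights]::CreateDirectories)

function Get-LowPrivWriters {
    param([Parameter(Mandatory)][string]$Directory)
    $acl = Get-Acl -LiteralPath $Directory
    # Resolve identities to SIDs so the comparison does not depend on display names.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    $writers = @(foreach ($rule in $rules) {
        # Inherit-only ACEs apply to children, not to this directory itself.
        $inheritOnly = ([int]$rule.PropagationFlags -band
            [int][System.Security.AccessControl.PropagationFlags]::InheritOnly) -ne 0
        if ($rule.AccessControlType -eq 'Allow' -and -not $inheritOnly -and
            ([int]$rule.FileSystemRights -band $createBits) -ne 0 -and
            $lowPrivSids -contains $rule.IdentityReference.Value) {
            $rule.IdentityReference.Value
        }
    })
    return @($writers | Sort-Object -Unique)
}

# Read the machine value, not $env:Path, so user-scope entries do not mask what
# the system PATH actually contains.
$machinePath = [Environment]::GetEnvironmentVariable('Path', 'Machine')

foreach ($entry in ($machinePath -split ';' | Where-Object { $_.Trim() -ne '' })) {
    $dir = [Environment]::ExpandEnvironmentVariables($entry.Trim())
    $probe = $dir
    # A missing directory is still dangerous if a user can create it: walk up to
    # the nearest existing ancestor and check write access there instead.
    while (-not (Test-Path -LiteralPath $probe -PathType Container)) {
        $parent = Split-Path -Path $probe -Parent
        if ([string]::IsNullOrEmpty($parent) -or $parent -eq $probe) { break }
        $probe = $parent
    }
    if (-not (Test-Path -LiteralPath $probe -PathType Container)) {
        Write-Output ("{0,-10} {1}" -f 'UNRESOLVED', $dir)
        continue
    }
    try {
        $writers = Get-LowPrivWriters -Directory $probe
    } catch {
        Write-Output ("{0,-10} {1}  ({2})" -f 'NOACCESS', $dir, $_.Exception.Message)
        continue
    }
    if ($writers.Count -gt 0) {
        $state = if ($probe -eq $dir) { 'WRITABLE' } else { 'CREATABLE' }
        Write-Output ("{0,-10} {1}  (via {2}; writable by {3})" -f $state, $dir, $probe, ($writers -join ', '))
    } else {
        Write-Output ("{0,-10} {1}" -f 'ok', $dir)
    }
}
```

Any entry reported as WRITABLE or CREATABLE should be removed from the
machine PATH (or its ACL tightened) regardless of how it got there; the
script only looks at the ACE bits for directory creation, so an entry whose
contents are writable by other means still deserves a manual look.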
Issue: https://bugs.python.org/issue46948
Patches
* main: https://github.com/python/cpython/pull/31726
* 3.10: https://github.com/python/cpython/pull/31727
* 3.9: https://github.com/python/cpython/pull/31728
* 3.8: https://github.com/python/cpython/pull/31729
* 3.7: https://github.com/python/cpython/pull/31730
The next patched releases on python.org will be 3.11.0b1, 3.10.3 and
3.9.11 with installers, and 3.8.13 and 3.7.13 as source code only.
Thanks to the Lockheed Martin Red Team for detecting and reporting the
issue to the Python Security Response Team.
Discussion to security-sig@python.org.
Cheers,
Steve Dower
Python Security Response Team