CVE-2019-13404
Last modified
CVE-2019-13404 is a vulnerability of currently unknown severity. The MSI installer for Python through 2.7.16 on Windows defaults to the C:\Python27 directory, which makes it easier for local users to deploy Trojan horse code. (This also affects old 3.x releases before 3.5.) NOTE: the vendor's position is that it is the user's responsibility to ensure C:\Python27 access control or choose a different directory, because backwards compatibility requires that C:\Python27 remain the default for 2.7.x. EPSS estimates a 1.26% chance of exploitation in the next 30 days.
Description
The MSI installer for Python through 2.7.16 on Windows defaults to the C:\Python27 directory, which makes it easier for local users to deploy Trojan horse code. (This also affects old 3.x releases before 3.5.) NOTE: the vendor's position is that it is the user's responsibility to ensure C:\Python27 access control or choose a different directory, because backwards compatibility requires that C:\Python27 remain the default for 2.7.x
Metrics
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Python | Python | <= 2.7.16 |
| Python | Python | >= 3.0.0, < 3.5.0 |
References
- https://docs.python.org/2/faq/windows.htmlVendor Advisory
- https://docs.python.org/2/faq/windows.htmlVendor Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2019-13404?
How severe is CVE-2019-13404?
How do I fix CVE-2019-13404?
Are you affected by CVE-2019-13404?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST