Miggo Logo
Miggo Vulnerability Database
CVE-2016-10075

CVE-2016-10075:
TDQM Arbitrary Code Execution

7.8

CVSS Score
3.0

Basic Information

CVE ID
CVE-2016-10075
GHSA ID
GHSA-r7q7-xcjw-qx8q
EPSS Score
0.26324%
CWE
CWE-94
Published
5/14/2022
Updated
11/18/2024
KEV Status
No
Technology
TechnologyPython

Technical Details

CVSS Vector
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
tqdmpip= 4.4.14.11.2
tqdmpip= 4.10.04.11.2

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from tqdm's version checking mechanism in _version.py, which in affected versions executed 'git log' commands. This allowed attackers to craft a git repository with malicious configs (e.g., [gpg] program) that would execute arbitrary code when tqdm is imported. The GitHub issue #328 and subsequent fix in PR #330 confirm the vulnerable pattern was replaced with direct .git file parsing instead of executing git commands. Though the exact function name isn't specified in available resources, the version generation logic in _version.py is clearly identified as the vulnerable component.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T** `tq*m._v*rsion` mo*ul* in tq*m v*rsions *.*.* *n* *.** *llows lo**l us*rs to *x**ut* *r*itr*ry *o** vi* * *r**t** r*po wit* * m*li*ious *it lo* in t** *urr*nt workin* *ir**tory.

Reasoning

T** vuln*r**ility st*ms *rom tq*m's v*rsion ****kin* m****nism in _v*rsion.py, w*i** in *****t** v*rsions *x**ut** '*it lo*' *omm*n*s. T*is *llow** *tt**k*rs to *r**t * *it r*pository wit* m*li*ious *on*i*s (*.*., [*p*] pro*r*m) t**t woul* *x**ut* *r