Insecure Temporary File Creation
A vulnerability in versions <=69.4.2 of the setuptools package allows for insecure temporary file creation using the deprecated tempfile.mktemp() function. This issue was patched in version 70.0.1.
Available publicly on Aug 05 2024 | Available with Premium on Jun 10 2024
Threat Overview
The vulnerability arises from the use of the deprecated tempfile.mktemp() function, which does not ensure exclusive access to a temporary file. This can lead to a race condition where an attacker could create a file with the same name in the time between the call to mktemp() and the subsequent attempt to create the file by the first process. This could potentially allow an attacker to interfere with the file, leading to data corruption or other malicious activities.
Attack Scenario
An attacker could monitor the filesystem for temporary file creation attempts by the setuptools package. When the package calls tempfile.mktemp() to generate a temporary file name, the attacker could quickly create a file with the same name before the package attempts to open it. This could lead to the package reading or writing to the attacker's file, resulting in data corruption or other malicious actions.
Who is affected
Developers and users of the setuptools package versions <=69.4.2 are affected by this vulnerability. This includes any projects that rely on setuptools for package management and distribution.
Technical Report
Want more out of Sightline?
Sightline offers even more for premium customers
Go Premium
We have - related security advisories that are available with Sightline Premium.