CVE-2022-21699

8.2 HIGH

📋 TL;DR

CVE-2022-21699 is an arbitrary code execution vulnerability in IPython where improper management of cross-user temporary files allows one user to execute code as another user on the same system. This affects all IPython users on multi-user systems where IPython is installed. The vulnerability stems from insecure temporary file handling that enables privilege escalation.

💻 Affected Systems

Products:
  • IPython
Versions: All versions before 8.0.1
Operating Systems: Linux, Unix-like systems, macOS, Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects multi-user systems where IPython is installed and multiple users have shell access. Single-user systems are not exposed to the privilege escalation aspect.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise where an attacker gains root privileges through privilege escalation chains, potentially leading to complete system takeover, data exfiltration, or lateral movement across the network.

🟠

Likely Case

Local privilege escalation allowing a low-privileged user to execute code as another user, potentially accessing sensitive data or performing unauthorized actions under another user's context.

🟢

If Mitigated

Limited impact with proper user isolation, where only users with shell access to the same system could potentially exploit each other, but network-based attacks would be prevented.

🌐 Internet-Facing: LOW - This is a local privilege escalation vulnerability requiring shell access to the target system, not directly exploitable over the network.
🏢 Internal Only: HIGH - On multi-user systems (development servers, shared hosting, academic clusters), this poses significant risk as any user could potentially escalate privileges to other users.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires local shell access to the target system. The vulnerability is well-documented in the advisory with technical details that make weaponization straightforward for attackers with shell access.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 8.0.1 and later

Vendor Advisory: https://github.com/ipython/ipython/security/advisories/GHSA-pq7m-3gw7-gq5x

Restart Required: No

Instructions:

1. Upgrade IPython using pip: 'pip install --upgrade "ipython>=8.0.1"' (the quotes keep the shell from treating '>=' as a redirect)
2. Verify installation: 'ipython --version' should show 8.0.1 or higher
3. For system packages, use your distribution's package manager: 'apt update && apt upgrade ipython' (Debian/Ubuntu) or 'yum update ipython' (RHEL/CentOS)

🔧 Temporary Workarounds

Temporary directory hardening

Platform: linux

Set secure permissions on IPython temporary directories to prevent cross-user access

chmod 700 ~/.ipython
chmod 700 /tmp/ipython-* 2>/dev/null || true

Use isolated environments

Platform: all

Run IPython in containerized or virtualized environments with proper user isolation

docker run -it --rm python:3.9 ipython
python -m venv myenv && source myenv/bin/activate && pip install ipython

🧯 If You Can't Patch

  • Implement strict user isolation policies on multi-user systems to limit shell access
  • Monitor for suspicious file operations in /tmp and user home directories, particularly symlink attacks targeting IPython temporary files

🔍 How to Verify

Check if Vulnerable:

Check IPython version: 'ipython --version' and compare to 8.0.1. Versions below 8.0.1 are vulnerable.

Check Version:

ipython --version

Verify Fix Applied:

After upgrade, verify that the version is 8.0.1 or higher ('ipython --version') and that temporary files and directories created by IPython have secure permissions.
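The two checks above (version at or above 8.0.1, and a per-user IPython directory that is not a symlink, is owned by the current user and is not writable by anyone else) as an added example script; this is not IPython's own code, and it assumes a Unix-like host (os.getuid) and Python 3.7+:

```python
"""Verification helper for CVE-2022-21699 (added example, not IPython's code)."""
import os
import re
import stat
import subprocess

FIXED = (8, 0, 1)  # first fixed release named in the advisory above


def parse_version(text):
    """Extract a (major, minor, patch) tuple from `ipython --version` output."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no version found in: %r" % text)
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version_text):
    """True when the reported version is older than 8.0.1."""
    return parse_version(version_text) < FIXED


def dir_problems(path, uid=None):
    """Return reasons `path` is unsafe as a per-user IPython directory:
    missing, a symlink, not a directory, owned by another uid, or
    writable by group/others. An empty list means no problem found."""
    uid = os.getuid() if uid is None else uid
    try:
        st = os.lstat(path)  # lstat so a symlink is reported, not followed
    except FileNotFoundError:
        return ["missing"]
    if stat.S_ISLNK(st.st_mode):
        return ["is a symlink"]
    problems = []
    if not stat.S_ISDIR(st.st_mode):
        problems.append("not a directory")
    if st.st_uid != uid:
        problems.append("owned by uid %d, not %d" % (st.st_uid, uid))
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("writable by group or others (mode %o)" % (st.st_mode & 0o777))
    return problems


def installed_version_text():
    """Run `ipython --version`; return its output, or "" if not installed."""
    try:
        return subprocess.run(["ipython", "--version"], capture_output=True,
                              text=True, check=False).stdout
    except FileNotFoundError:
        return ""


if __name__ == "__main__":
    out = installed_version_text()
    print("version:", out.strip() or "ipython not found")
    if out:
        print("vulnerable:", is_vulnerable(out))
    ipython_dir = os.environ.get("IPYTHONDIR", os.path.expanduser("~/.ipython"))
    print(ipython_dir, "problems:", dir_problems(ipython_dir) or "none")
```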

📡 Detection & Monitoring

Log Indicators:

  • Unusual file operations in /tmp directory by IPython processes
  • Symlink creation attempts in user home directories
  • Multiple IPython processes running under different user IDs accessing same temporary files

Network Indicators:

  • Not applicable - this is a local vulnerability

SIEM Query:

process_name:"ipython" AND file_path:"/tmp/ipython-*" AND (file_operation:"symlink" OR file_operation:"hardlink")
