CVE-2026-24049 (CNNVD-202601-3698)
中文标题:
wheel 安全漏洞
英文标题:
wheel Allows Arbitrary File Permission Modification via Path Traversal
漏洞描述
中文描述:
wheel是Python Packaging Authority开源的一个命令行工具。 wheel 0.46.1及之前版本存在安全漏洞,该漏洞源于解包函数在提取后错误处理文件权限,可能导致权限提升或任意代码执行。
英文描述:
wheel is a command line tool for manipulating Python wheel files, as defined in PEP 427. In versions 0.46.1 and below, the unpack function is vulnerable to file permission modification through mishandling of file permissions after extraction. The logic blindly trusts the filename from the archive header for the chmod operation, even though the extraction process itself might have sanitized the path. Attackers can craft a malicious wheel file that, when unpacked, changes the permissions of critical system files (e.g., /etc/passwd, SSH keys, config files), allowing for Privilege Escalation or arbitrary code execution by modifying now-writable scripts. This issue has been fixed in version 0.46.2.
CWE类型:
标签:
受影响产品
| 厂商 | 产品 | 版本 | 版本范围 | 平台 | CPE |
|---|---|---|---|---|---|
| pypa | wheel | < 0.46.2 | - | - |
cpe:2.3:a:pypa:wheel:<_0.46.2:*:*:*:*:*:*:*
|
解决方案
中文解决方案:
英文解决方案:
临时解决方案:
CVSS评分详情
3.1 (cna)
HIGHCVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H
时间信息
利用信息
数据源详情
| 数据源 | 记录ID | 版本 | 提取时间 |
|---|---|---|---|
| CVE | cve_CVE-2026-24049 |
2026-01-23 03:20:00 | 2026-01-22 22:00:13 |
| NVD | nvd_CVE-2026-24049 |
2026-01-23 02:00:04 | 2026-01-22 22:00:17 |
| CNNVD | cnnvd_CNNVD-202601-3698 |
2026-01-26 02:10:03 | 2026-01-25 18:11:58 |
版本与语言
安全公告
变更历史
查看详细变更
- vulnerability_type: 未提取 -> 其他
- cnnvd_id: 未提取 -> CNNVD-202601-3698
- data_sources: ['cve', 'nvd'] -> ['cnnvd', 'cve', 'nvd']
查看详细变更
- data_sources: ['cve'] -> ['cve', 'nvd']