IPython provides an interactive Python shell and Jupyter kernel to use Python interactively. Versions prior to 8.10.0 are vulnerable to command injection in the set_term_title function under specific conditions. This has been patched in version 8.10.0.
Impact
Users are only vulnerable when calling this function in Windows in a Python environment where ctypes is not available. The dependency on ctypes in IPython.utils._process_win32 prevents the vulnerable code from ever being reached (making it effectively dead code). However, as a library that could be used by another tool, set_term_title could introduce a vulnerability for dependencies. Currently set_term_title is only called with (semi-)trusted input that contain the current working directory of the current IPython session. If an attacker can control directory names, and manage to get a user to cd into this directory, then the attacker can execute arbitrary commands contained in the folder names.
References
IPython provides an interactive Python shell and Jupyter kernel to use Python interactively. Versions prior to 8.10.0 are vulnerable to command injection in the
set_term_titlefunction under specific conditions. This has been patched in version 8.10.0.Impact
Users are only vulnerable when calling this function in Windows in a Python environment where ctypes is not available. The dependency on ctypes in
IPython.utils._process_win32prevents the vulnerable code from ever being reached (making it effectively dead code). However, as a library that could be used by another tool,set_term_titlecould introduce a vulnerability for dependencies. Currentlyset_term_titleis only called with (semi-)trusted input that contain the current working directory of the current IPython session. If an attacker can control directory names, and manage to get a user tocdinto this directory, then the attacker can execute arbitrary commands contained in the folder names.References