CVE-2024-34528: WordOps has TOCTOU race condition
(updated )
WordOps through 3.20.0 has a wo/cli/plugins/stack_pref.py TOCTOU race condition because the conf_path os.open does not use a mode parameter during file creation.
References
- github.com/WordOps/WordOps
- github.com/WordOps/WordOps/blob/ecf20192c7853925e2cb3f8c8378cd0d86ca0d62/wo/cli/plugins/stack_pref.py
- github.com/WordOps/WordOps/commit/31353f0fef14ad8bc1f61c028971bd30b9e1909b
- github.com/WordOps/WordOps/issues/611
- github.com/advisories/GHSA-23qq-p4gq-gc2g
- github.com/pypa/advisory-database/tree/main/vulns/wordops/PYSEC-2024-175.yaml
- nvd.nist.gov/vuln/detail/CVE-2024-34528
Code Behaviors & Features
Detect and mitigate CVE-2024-34528 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →