CVE-2022-21699: Execution with Unnecessary Privileges in ipython

Q: What is CVE-2022-21699?

CVE-2022-21699 is an arbitrary code execution vulnerability in IPython.

Q: Which versions of IPython are affected by CVE-2022-21699?

IPython versions up to 5.10.0, versions 6.0.0 to 7.16.3, versions 7.17.0 to 7.31.1, and versions 8.0.0 to 8.0.1 are affected.

Q: How can I fix CVE-2022-21699?

Update IPython to a version that is not affected by the vulnerability.

Q: What is the severity of CVE-2022-21699?

CVE-2022-21699 has a severity score of 8.8 (high).

Q: Where can I find more information about CVE-2022-21699?

You can find more information about CVE-2022-21699 at the following references: [Reference 1](https://github.com/ipython/ipython/commit/46a51ed69cdf41b4333943d9ceeb945c4ede5668), [Reference 2](https://github.com/ipython/ipython/security/advisories/GHSA-pq7m-3gw7-gq5x), [Reference 3](https://ipython.readthedocs.io/en/stable/whatsnew/version8.html#ipython-8-0-1-cve-2022-21699).

Published Jan 19, 2022

Updated

IPython (Interactive Python) is a command shell for interactive computing in multiple programming languages, originally developed for the Python programming language. Affected versions are subject to an arbitrary code execution vulnerability achieved by not properly managing cross user temporary files. This vulnerability allows one user to run code as another on the same machine. All users are advised to upgrade.

Other sources

IPython could allow a local authenticated attacker to execute arbitrary code on the system, caused by improper managing of cross user temporary files. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code as another user on the same machine.

— IBM

We’d like to disclose an arbitrary code execution vulnerability in IPython that stems from IPython executing untrusted files in CWD. This vulnerability allows one user to run code as another. Proof of concept

User1: mkdir -m 777 /tmp/profiledefault mkdir -m 777 /tmp/profiledefault/startup echo 'print("stealing your private secrets")' > /tmp/profiledefault/startup/foo.py

User2: cd /tmp ipython

User2 will see: Python 3.9.7 (default, Oct 25 2021, 01:04:21) Type 'copyright', 'credits' or 'license' for more information IPython 7.29.0 -- An enhanced Interactive Python. Type '?' for help. stealing your private secrets

Patched release and documentation

See https://ipython.readthedocs.io/en/stable/whatsnew/version8.html#ipython-8-0-1-cve-2022-21699,

Version 8.0.1, 7.31.1 for current Python version are recommended. Version 7.16.3 has also been published for Python 3.6 users, Version 5.11 (source only, 5.x branch on github) for older Python versions.

— GitHub

Affected Software

15 affected componentsFixes available

pip/ipython>=8.0.0<8.0.1

8.0.1

pip/ipython>=7.17.0<7.31.1

7.31.1

pip/ipython>=6.0.0<7.16.3

7.16.3

pip/ipython<5.11

5.11

IPython IPython<=5.10.0

IPython IPython>=6.0.0<7.16.3

IPython IPython>=7.17.0<7.31.1

IPython IPython>=8.0.0<8.0.1

Debian Debian Linux=9.0

Debian Debian Linux=10.0

Debian Debian Linux=11.0

Fedoraproject Fedora=34

Fedoraproject Fedora=35

IBM Watson Studio on Cloud Pak for Data<=4.0

IBM Watson Studio on Cloud Pak for Data<=5.0

Remediation

Patch Available

https://github.com/ipython/ipython/commit/46a51ed69cdf41b4333943d9ceeb945c4ede5668

Event History

Jan 19, 2022

CVE Published

via MITRE·09:15 PM

Data Sourced

via MITRE·09:15 PM

DescriptionSeverityWeakness

Jan 21, 2022

Advisory Published

via GitHub·06:55 PM

Aug 28, 2025

Data Sourced

via IBM·12:00 AM

DescriptionAffected Software

Parent advisories

This vulnerability appears in the following advisories.

IBM-7243389

Frequently Asked Questions

What is CVE-2022-21699?

CVE-2022-21699 is an arbitrary code execution vulnerability in IPython.

Which versions of IPython are affected by CVE-2022-21699?