CVE-2019-13404
HIGHPython < 2.7.16 - Unprotected User Data Exposure via Default Installation Directory
Title source: llmDescription
The MSI installer for Python through 2.7.16 on Windows defaults to the C:\Python27 directory, which makes it easier for local users to deploy Trojan horse code. (This also affects old 3.x releases before 3.5.) NOTE: the vendor's position is that it is the user's responsibility to ensure C:\Python27 access control or choose a different directory, because backwards compatibility requires that C:\Python27 remain the default for 2.7.x
References (1)
Core 1
Core References
Vendor Advisory x_refsource_misc
https://docs.python.org/2/faq/windows.html
Scores
CVSS v3
7.8
EPSS
0.0016
EPSS Percentile
36.5%
Attack Vector
LOCAL
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Details
CWE
CWE-552
Status
published
Products (1)
python/python
< 2.7.16
Published
Jul 08, 2019
Tracked Since
Feb 18, 2026