CVE-2019-16784

HIGH

PyInstaller <3.6 - Privilege Escalation

Title source: llm

Description

In PyInstaller before version 3.6, only on Windows, a local privilege escalation vulnerability is present in this particular case: If a software using PyInstaller in "onefile" mode is launched by a privileged user (at least more than the current one) which have his "TempPath" resolving to a world writable directory. This is the case for example if the software is launched as a service or as a scheduled task using a system account (TempPath will be C:\Windows\Temp). In order to be exploitable the software has to be (re)started after the attacker launch the exploit program, so for a service launched at startup, a service restart is needed (e.g. after a crash or an upgrade).

Exploits (2)

nomisec WORKING POC 1 stars
by AlterSolutions · poc
https://github.com/AlterSolutions/PyInstallerPrivEsc
nomisec WORKING POC
by Ckrielle · poc
https://github.com/Ckrielle/CVE-2019-16784-POC

References (1)

Scores

CVSS v3 7.0
EPSS 0.0322
EPSS Percentile 87.1%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-250 CWE-732
Status published
Products (2)
pyinstaller/pyinstaller < 3.6
pypi/PyInstaller 0 - 3.6PyPI
Published Jan 14, 2020
Tracked Since Feb 18, 2026