-
Notifications
You must be signed in to change notification settings - Fork 185
Description
Vulnerable Library - wheel-0.45.1-py3-none-any.whl
A built-package format for Python
Library home page: https://files.pythonhosted.org/packages/0b/2c/87f3254fd8ffd29e4c02732eee68a83a1d3c346ae39bc6822dcbcb697f2b/wheel-0.45.1-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /tmp/ws-ua_20250926144934_PIVUKC/python_BAKYJG/20250926144935/2/wheel-0.45.1-py3-none-any.whl
Vulnerabilities
| Vulnerability | Severity | CVSS | Dependency | Type | Fixed in (wheel version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2026-24049 | High | 7.1 | wheel-0.45.1-py3-none-any.whl | Direct | 0.46.2 | ✅ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2026-24049
Vulnerable Library - wheel-0.45.1-py3-none-any.whl
A built-package format for Python
Library home page: https://files.pythonhosted.org/packages/0b/2c/87f3254fd8ffd29e4c02732eee68a83a1d3c346ae39bc6822dcbcb697f2b/wheel-0.45.1-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /tmp/ws-ua_20250926144934_PIVUKC/python_BAKYJG/20250926144935/2/wheel-0.45.1-py3-none-any.whl
Dependency Hierarchy:
- ❌ wheel-0.45.1-py3-none-any.whl (Vulnerable Library)
Found in base branch: main
Vulnerability Details
wheel is a command line tool for manipulating Python wheel files, as defined in PEP 427. In versions 0.46.1 and below, the unpack function is vulnerable to file permission modification through mishandling of file permissions after extraction. The logic blindly trusts the filename from the archive header for the chmod operation, even though the extraction process itself might have sanitized the path. Attackers can craft a malicious wheel file that, when unpacked, changes the permissions of critical system files (e.g., /etc/passwd, SSH keys, config files), allowing for Privilege Escalation or arbitrary code execution by modifying now-writable scripts. This issue has been fixed in version 0.46.2.
Publish Date: 2026年01月22日
URL: CVE-2026-24049
CVSS 3 Score Details (7.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-8rrh-rw8j-w5fx
Release Date: 2026年01月22日
Fix Resolution: 0.46.2
⛑️ Automatic Remediation will be attempted for this issue.
⛑️Automatic Remediation will be attempted for this issue.