CVE-2022-21699 Overview
IPython (Interactive Python) is a command shell for interactive computing in multiple programming languages, originally developed for the Python programming language. CVE-2022-21699 affects IPython installations where improper management of cross-user temporary files enables arbitrary code execution. This vulnerability allows one user to run code as another user on the same machine, representing a significant local privilege escalation risk in multi-user environments.
The vulnerability stems from insecure handling of configuration file paths, where IPython would include the current working directory in its configuration file search path. An attacker with local access could place a malicious configuration file in a shared directory, which would then be loaded when another user starts IPython from that location.
Critical Impact
Local attackers can achieve arbitrary code execution as another user, enabling privilege escalation and unauthorized system access on multi-user systems.
Affected Products
- IPython versions prior to 8.0.1
- Debian Linux 9.0, 10.0, and 11.0
- Fedora 34 and 35
Discovery Timeline
- 2022-01-19 - CVE-2022-21699 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2022-21699
Vulnerability Analysis
CVE-2022-21699 is an arbitrary code execution vulnerability caused by improper privilege management (CWE-269) and execution with unnecessary privileges (CWE-250). The core issue lies in how IPython handles configuration file discovery during startup.
When IPython initializes, it searches for configuration files in multiple locations. Prior to the security fix, the application would include the current working directory (os.getcwd()) as a default configuration file path. This behavior becomes dangerous in multi-user environments where users might run IPython from shared directories such as /tmp, project directories, or network shares.
An attacker could exploit this by placing a malicious IPython configuration file (such as ipython_config.py) in a directory where other users are likely to launch IPython. When a victim user starts IPython from that directory, the malicious configuration would be loaded and executed with the victim's privileges.
Root Cause
The vulnerability originates from the _config_file_paths_default method in IPython/core/application.py. This method returned [os.getcwd()] as the default configuration file search path, causing IPython to automatically trust and load configuration files from the current working directory regardless of ownership or permissions.
This design flaw violates the principle of least privilege by trusting user-controllable file locations for security-sensitive configuration loading.
Attack Vector
The attack requires local access to the target system. An attacker with a low-privileged account can exploit this vulnerability without any user interaction beyond the victim starting IPython in a directory containing the attacker's malicious configuration file.
Exploitation Scenario:
- Attacker identifies a shared directory where other users run IPython (e.g., /tmp, shared project folder)
- Attacker creates a malicious ipython_config.py file in that directory
- Victim user navigates to the shared directory and launches IPython
- IPython loads the attacker's configuration file, executing arbitrary Python code with the victim's privileges
The following patch removes the vulnerable default configuration path:
config_file_paths = List(Unicode())
@default('config_file_paths')
def _config_file_paths_default(self):
- return [os.getcwd()]
+ return []
extra_config_file = Unicode(
help="""Path to an extra config file to load.
Source: GitHub Commit
Additionally, the patch added CVE tracking to the IPython codebase:
__license__ = release.license
__version__ = release.version
version_info = release.version_info
+# list of CVEs that should have been patched in this release.
+# this is informational and should not be relied upon.
+__patched_cves__ = {"CVE-2022-21699"}
+
def embed_kernel(module=None, local_ns=None, **kwargs):
"""Embed and start an IPython kernel in a given scope.
Source: GitHub Commit
Detection Methods for CVE-2022-21699
Indicators of Compromise
- Presence of unexpected ipython_config.py or ipython_config.json files in shared directories like /tmp, /var/tmp, or common project directories
- IPython configuration files owned by different users than those running IPython
- Unusual process execution originating from IPython sessions, particularly network connections or file access outside normal patterns
- Configuration files in shared directories with recent modification timestamps
Detection Strategies
- Monitor for creation of IPython configuration files in world-writable or shared directories using file integrity monitoring tools
- Implement process ancestry tracking to detect unusual child processes spawned from IPython instances
- Use application whitelisting to detect when IPython loads configuration from non-standard paths
- Deploy endpoint detection rules that alert on ipython_config.py file creation in directories outside user home folders
Monitoring Recommendations
- Enable file access auditing on shared directories to detect potential staging of malicious configuration files
- Monitor IPython process execution context, particularly when launched from shared or temporary directories
- Implement SentinelOne Singularity platform for behavioral detection of suspicious code execution patterns originating from Python interpreters
- Review system logs for IPython sessions initiated from unusual working directories
How to Mitigate CVE-2022-21699
Immediate Actions Required
- Upgrade IPython to version 8.0.1 or later immediately on all affected systems
- Audit shared directories for suspicious IPython configuration files and remove any unauthorized files
- Review user activity logs for any signs of exploitation or privilege escalation
- Consider restricting IPython execution to user home directories in high-security environments
Patch Information
The vulnerability is fixed in IPython version 8.0.1. The fix removes the current working directory from the default configuration file search path, preventing IPython from automatically loading potentially untrusted configuration files.
Patch details are available in the GitHub Security Advisory and the IPython 8.0.1 Release Notes.
Distribution-specific updates are available for Debian and Fedora.
Workarounds
- Avoid running IPython from shared or world-writable directories until the patch is applied
- Set the IPYTHONDIR environment variable to explicitly specify a trusted configuration directory before launching IPython
- Remove write permissions for other users from directories where IPython is commonly executed
- Use Python virtual environments with isolated IPython installations to minimize exposure
# Set explicit IPython configuration directory
export IPYTHONDIR="${HOME}/.ipython"
# Verify no suspicious config files exist in current directory before launching
ls -la ipython_config.* 2>/dev/null && echo "WARNING: Config file found in current directory"
# Launch IPython only after verification
ipython
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
