High severity 7.7 · NVD Advisory · Published May 6, 2024 · Updated Apr 15, 2026
CVE-2024-34528
Description
WordOps through 3.20.0 has a wo/cli/plugins/stack_pref.py TOCTOU race condition because the conf_path os.open does not use a mode parameter during file creation.
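The gap between creating a file with `open()` and tightening it afterwards, next to creating it with its mode in a single call, as an added Python example that is not WordOps code. The helper names, the constructed sample content, the fixed umask and the use of `O_EXCL` are assumptions of this example, not part of the patch.

```python
import os
import stat
import tempfile

SAMPLE = "[client]\nuser = root\npassword = constructed-sample\n"  # constructed

def mode_of(path):
    """Permission bits of path, e.g. 0o644."""
    return stat.S_IMODE(os.stat(path).st_mode)

def write_then_chmod(path, text):
    """Pre-fix pattern: open() creates the file, chmod tightens it later."""
    with open(path, mode="w", encoding="utf-8") as fh:
        fh.write(text)
    exposed = mode_of(path)  # mode visible to other local users until chmod runs
    os.chmod(path, 0o600)
    return exposed, mode_of(path)

def write_private(path, text):
    """Create the file with 0o600 in the same call that creates it.

    O_EXCL (an addition in this example) makes os.open fail if the path
    already exists, including when it is a symlink, so the mode always applies.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        at_creation = stat.S_IMODE(os.fstat(fh.fileno()).st_mode)
        fh.write(text)
    return at_creation

def demo():
    """Return (exposed, after_chmod, private_at_creation, existing_refused)."""
    old_umask = os.umask(0o022)  # common default, fixed for reproducibility
    try:
        with tempfile.TemporaryDirectory() as d:
            exposed, final = write_then_chmod(os.path.join(d, "a.cnf.tmp"), SAMPLE)
            target = os.path.join(d, "b.cnf.tmp")
            private = write_private(target, SAMPLE)
            try:
                write_private(target, SAMPLE)
                refused = False
            except FileExistsError:
                refused = True
            return exposed, final, private, refused
    finally:
        os.umask(old_umask)

if __name__ == "__main__":
    print([oct(v) if not isinstance(v, bool) else v for v in demo()])
```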
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| wordops (PyPI) | < 3.21.0 | 3.21.0 |
Patches
1 file changed · +2 −4
wo/cli/plugins/stack_pref.py+2 −4 modified@@ -3,6 +3,7 @@ import random import shutil import string +import stat import psutil import requests @@ -71,11 +72,8 @@ def pre_pref(self, apt_packages): Log.debug(self, 'Writting configuration into MySQL file') conf_path = "/etc/mysql/conf.d/my.cnf.tmp" os.makedirs(os.path.dirname(conf_path), exist_ok=True) - with open(conf_path, encoding='utf-8', - mode='w') as configfile: + with os.fdopen(os.open(conf_path, os.O_WRONLY | os.O_CREAT, 0o600), 'w', encoding='utf-8') as configfile: config.write(configfile) - Log.debug(self, 'Setting my.cnf permission') - WOFileUtils.chmod(self, "/etc/mysql/conf.d/my.cnf.tmp", 0o600) # add nginx repository if set(WOVar.wo_nginx).issubset(set(apt_packages)):
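Review bot: the `import stat` added in the first hunk is not used by anything in the visible change, since the new `os.open` call passes the literal `0o600`. Either drop the import or spell the mode as `stat.S_IRUSR | stat.S_IWUSR` so the import earns its place.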
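Review bot: in the `pre_pref` hunk, the `0o600` passed to `os.open` only takes effect when the call actually creates the file, and the same hunk removes the `WOFileUtils.chmod` that used to follow, so an already existing `/etc/mysql/conf.d/my.cnf.tmp` with wider permissions keeps them. The flags are `os.O_WRONLY | os.O_CREAT` without `os.O_TRUNC`, which the replaced `open(..., mode='w')` applied implicitly, so a longer existing file would keep trailing bytes after `config.write`. Suggest adding `os.O_TRUNC`, and either `os.O_EXCL` after removing any stale temp file or an `os.fchmod` on the descriptor before writing.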
References
- github.com/advisories/GHSA-23qq-p4gq-gc2g (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2024-34528 (ghsa, ADVISORY)
- github.com/WordOps/WordOps/blob/ecf20192c7853925e2cb3f8c8378cd0d86ca0d62/wo/cli/plugins/stack_pref.py (nvd, WEB)
- github.com/WordOps/WordOps/commit/31353f0fef14ad8bc1f61c028971bd30b9e1909b (ghsa, WEB)
- github.com/WordOps/WordOps/issues/611 (nvd, WEB)
- github.com/pypa/advisory-database/tree/main/vulns/wordops/PYSEC-2024-175.yaml (ghsa, WEB)