CVE-2022-26488: 
Python vulnerability analysis and mitigation

In Python before 3.10.3 on Windows, a privilege escalation vulnerability (CVE-2022-26488) was discovered where local users could gain elevated privileges due to inadequately secured search paths. This vulnerability affects Python (CPython) through 3.7.12, 3.8.x through 3.8.12, 3.9.x through 3.9.10, and 3.10.x through 3.10.2. The issue was discovered by the Lockheed Martin Red Team and reported to the Python Security Response Team (Python Security).

The vulnerability occurs when Python is installed for all users with the 'Add Python to PATH' option selected. The installer may allow a local attacker to add user-writable directories to the system search path. The vulnerability has a CVSS score of 7.0 (HIGH) with a vector of CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H (NetApp Security).

Successful exploitation of this vulnerability could lead to disclosure of sensitive information, addition or modification of data, or Denial of Service (DoS). The vulnerability enables search-path hijacking of other users and system services, potentially allowing attackers to escalate privileges on the affected system (NetApp Security).

The vulnerability can be mitigated by updating to Python versions 3.11.0b1, 3.10.3, 3.9.11 (with installers), or 3.8.13 and 3.7.13 (source code only). Alternatively, users can modify an existing installation to disable the 'Add Python to PATH' or 'Add Python to environment variables' option. Manually adding the install directory to PATH is not affected by this vulnerability (Python Security).