CVE-2024-22194: 
Python vulnerability analysis and mitigation

CVE-2024-22194 affects the cdo-local-uuid project at version 0.4.0 and case-utils in versions 0.5.0 through 0.14.0. The vulnerability exists in the Python functions cdo_local_uuid.local_uuid() and its original implementation case_utils.local_uuid(), which are designed to generate deterministic UUIDs (GitHub Advisory).

The vulnerability stems from an information leakage issue where under specific conditions, a user's present working directory as an absolute path was incorporated into seed data for the local_uuid() deterministic pseudorandom number stream. This occurs when a Python script housed directly in the top source directory is called following the documentation for local_uuid(). The CVSS v3.1 score is 2.2 (Low) with vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N (NVD).

While the vulnerability does not directly leak the present working directory, it makes it possible to determine that a chosen path can lead to a known UUIDv5 value when combined with other knowledge of how a program had been called to generate data using local_uuid(). However, it may not be possible to determine if the chosen path is the only solution to a sequence reconstruction (GitHub Advisory).

Users should upgrade to patched versions: case-utils 0.5.1, 0.6.1, 0.7.1, 0.8.1, 0.9.1, 0.10.1, 0.11.1, 0.12.1, 0.13.1, 0.14.1, or >= 0.15.0, or cdo-local-uuid 0.5.0. Alternatively, as a workaround, the script calling cdo_local_uuid.local_uuid() can be moved out of the top source directory (GitHub Advisory).