9 results (0.005 seconds)

CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0

When installing a package from a Mercurial VCS URL (ie "pip install hg+...") with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the "hg clone" call (ie "--config"). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial. Al instalar un paquete desde una URL de Mercurial VCS (es decir, "pip install hg+...") con pip anterior a v23.3, la revisión de Mercurial especificada podría usarse para inyectar opciones de configuración arbitrarias a la llamada "hg clone" (es decir, " --config”). Controlar la configuración de Mercurial puede modificar cómo y qué repositorio se instala. • https://github.com/pypa/pip/pull/12306 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/622OZXWG72ISQPLM5Y57YCVIMWHD4C3U https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/65UKKF5LBHEFDCUSPBHUN4IHYX7SRMHH https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FXUVMJM25PUAZRQZBF54OFVKTY3MINPW https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KFC2SPFG5FLCZBYY2K3T5MFW2D22NG6E https://lists.fedorap • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •

CVSS: 9.3EPSS: 0%CPEs: 4EXPL: 2

pipenv is a Python development workflow tool. Starting with version 2018.10.9 and prior to version 2022.1.8, a flaw in pipenv's parsing of requirements files allows an attacker to insert a specially crafted string inside a comment anywhere within a requirements.txt file, which will cause victims who use pipenv to install the requirements file to download dependencies from a package index server controlled by the attacker. By embedding malicious code in packages served from their malicious index server, the attacker can trigger arbitrary remote code execution (RCE) on the victims' systems. If an attacker is able to hide a malicious `--index-url` option in a requirements file that a victim installs with pipenv, the attacker can embed arbitrary malicious code in packages served from their malicious index server that will be executed on the victim's host during installation (remote code execution/RCE). When pip installs from a source distribution, any code in the setup.py is executed by the install process. • https://github.com/sreeram281997/CVE-2022-21668-Pipenv-RCE-vulnerability https://github.com/pypa/pipenv/commit/439782a8ae36c4762c88e43d5f0d8e563371b46f https://github.com/pypa/pipenv/releases/tag/v2022.1.8 https://github.com/pypa/pipenv/security/advisories/GHSA-qc9x-gjcv-465w https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/56HBA3EOSLEDNCCBJVHE6DO34P56EOUM https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KCROBYHUS6DKQPCXBRPCZ5CDBNQTYAWT https:// • CWE-20: Improper Input Validation CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') CWE-190: Integer Overflow or Wraparound CWE-427: Uncontrolled Search Path Element CWE-791: Incomplete Filtering of Special Elements CWE-1284: Improper Validation of Specified Quantity in Input •

CVSS: 5.7EPSS: 0%CPEs: 6EXPL: 1

A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1. Se ha encontrado un fallo en python-pip en la forma en que maneja los separadores Unicode en las referencias git. • https://github.com/frenzymadness/CVE-2021-3572 https://bugzilla.redhat.com/show_bug.cgi?id=1962856 https://security.netapp.com/advisory/ntap-20240621-0006 https://www.oracle.com/security-alerts/cpuapr2022.html https://www.oracle.com/security-alerts/cpujul2022.html https://access.redhat.com/security/cve/CVE-2021-3572 • CWE-20: Improper Input Validation •

CVSS: 8.0EPSS: 0%CPEs: 7EXPL: 1

The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py. El paquete pip versiones anteriores a 19.2 para Python, permite un Salto de Directorio cuando una URL es proporcionada en un comando de instalación, porque un encabezado Content-Disposition puede tener ../ en un nombre de archivo, como es demostrado al sobrescribir el archivo /root/.ssh/authorized_keys. Esto ocurre en la función _download_http_url en el archivo _internal/download.py A flaw was found in the pip package installer for Python when downloading or installing a remote package via a specified URL. Improper validation of the "Content-Disposition" HTTP response header makes a path traversal attack possible, leading to an arbitrary file overwrite. • http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00005.html http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00010.html https://github.com/gzpan123/pip/commit/a4c735b14a62f9cb864533808ac63936704f2ace https://github.com/pypa/pip/compare/19.1.1...19.2 https://github.com/pypa/pip/issues/6413 https://lists.debian.org/debian-lts-announce/2020/09/msg00010.html https://www.oracle.com/security-alerts/cpuapr2022.html https://www.oracle.com/security-alerts/cpujul2022.ht • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0

An issue was discovered in pip (all versions) because it installs the version with the highest version number, even if the user had intended to obtain a private package from a private index. This only affects use of the --extra-index-url option, and exploitation requires that the package does not already exist in the public index (and thus the attacker can put the package there with an arbitrary version number). NOTE: it has been reported that this is intended functionality and the user is responsible for using --extra-index-url securely ** EN DISPUTA ** Se detectó un problema en pip (todas las versiones) porque instala la versión con el número de versión más alto, incluso si el usuario tenía la intención de obtener un paquete privado desde un índice privado. Esto solo afecta el uso de la opción --extra-index-url, y una explotación requiere que el paquete aún no exista en el índice público (y, por lo tanto, el atacante puede colocar el paquete allí con un número de versión arbitrario). NOTA: se ha informado que esta es la funcionalidad prevista y el usuario es responsable de usar --extra-index-url de forma segura. • https://bugzilla.redhat.com/show_bug.cgi?id=1835736 https://cowlicks.website/posts/arbitrary-code-execution-from-pips-extra-index-url.html https://lists.apache.org/thread.html/rb1adce798445facd032870d644eb39c4baaf9c4a7dd5477d12bb6ab2%40%3Cgithub.arrow.apache.org%3E https://pip.pypa.io/en/stable/news • CWE-20: Improper Input Validation •