Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

nvd логотип

CVE-2022-21668

Опубликовано: 10 янв. 2022
Источник: nvd
CVSS3: 8
CVSS3: 8.6
CVSS2: 9.3
EPSS Низкий

Описание

pipenv is a Python development workflow tool. Starting with version 2018.10.9 and prior to version 2022.1.8, a flaw in pipenv's parsing of requirements files allows an attacker to insert a specially crafted string inside a comment anywhere within a requirements.txt file, which will cause victims who use pipenv to install the requirements file to download dependencies from a package index server controlled by the attacker. By embedding malicious code in packages served from their malicious index server, the attacker can trigger arbitrary remote code execution (RCE) on the victims' systems. If an attacker is able to hide a malicious --index-url option in a requirements file that a victim installs with pipenv, the attacker can embed arbitrary malicious code in packages served from their malicious index server that will be executed on the victim's host during installation (remote code execution/RCE). When pip installs from a source distribution, any code in the setup.py is executed by th

Ссылки

Уязвимые конфигурации

Конфигурация 1
cpe:2.3:a:pypa:pipenv:*:*:*:*:*:*:*:*
Версия от 2018.10.9 (включая) до 2022.1.8 (исключая)
Конфигурация 2

Одно из

cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*

EPSS

Процентиль: 81%
0.01476
Низкий

8 High

CVSS3

8.6 High

CVSS3

9.3 Critical

CVSS2

Дефекты

CWE-20
CWE-190

Связанные уязвимости

ubuntu логотип

CVE-2022-21668

CVSS3: 8
ubuntu
около 4 лет назад

pipenv is a Python development workflow tool. Starting with version 2018.10.9 and prior to version 2022.1.8, a flaw in pipenv's parsing of requirements files allows an attacker to insert a specially crafted string inside a comment anywhere within a requirements.txt file, which will cause victims who use pipenv to install the requirements file to download dependencies from a package index server controlled by the attacker. By embedding malicious code in packages served from their malicious index server, the attacker can trigger arbitrary remote code execution (RCE) on the victims' systems. If an attacker is able to hide a malicious `--index-url` option in a requirements file that a victim installs with pipenv, the attacker can embed arbitrary malicious code in packages served from their malicious index server that will be executed on the victim's host during installation (remote code execution/RCE). When pip installs from a source distribution, any code in the setup.py is executed by...

debian логотип

CVE-2022-21668

CVSS3: 8
debian
около 4 лет назад

pipenv is a Python development workflow tool. Starting with version 20 ...

github логотип

GHSA-qc9x-gjcv-465w

CVSS3: 8
github
около 4 лет назад

Pipenv's requirements.txt parsing allows malicious index url in comments

EPSS

Процентиль: 81%
0.01476
Низкий

8 High

CVSS3

8.6 High

CVSS3

9.3 Critical

CVSS2

Дефекты

CWE-20
CWE-190