Описание
The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py.
A flaw was found in the pip package installer for Python when downloading or installing a remote package via a specified URL. Improper validation of the "Content-Disposition" HTTP response header makes a path traversal attack possible, leading to an arbitrary file overwrite. This flaw allows an attacker who controls a malicious server to execute arbitrary code on the system.
Отчет
This issue has been rated as having Moderate impact because of the preconditions needed to trigger the flaw: it only affects Python Wheels and requires the user to pip-install a wheel from a malicious server. Installing software from untrusted servers is insecure by definition and strongly discouraged, as it may lead to system compromise regardless of this CVE.
This flaw did not affect the versions of python-pip in Python 3.8 as shipped with Red Hat Enterprise Linux 8 and Red Hat Software Collections 3, as they already included the fix for this CVE.
Меры по смягчению последствий
Avoid downloading or installing packages from potentially malicious servers via the command-line "pip download" or "pip install".
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 7 | python-pip | Will not fix | ||
| Red Hat Enterprise Linux 8 | python38:3.8/python3x-pip | Not affected | ||
| Red Hat Software Collections | rh-python38-python-pip | Not affected | ||
| Red Hat Enterprise Linux 7 | python-virtualenv | Fixed | RHSA-2022:5234 | 28.06.2022 |
| Red Hat Enterprise Linux 8 | python-pip | Fixed | RHSA-2020:4432 | 04.11.2020 |
| Red Hat Enterprise Linux 8 | python27 | Fixed | RHSA-2020:4654 | 04.11.2020 |
| Red Hat Enterprise Linux 8 | python-pip | Fixed | RHSA-2020:4432 | 04.11.2020 |
| Red Hat Software Collections for Red Hat Enterprise Linux 6 | rh-python36-python | Fixed | RHSA-2020:4285 | 19.10.2020 |
| Red Hat Software Collections for Red Hat Enterprise Linux 6 | rh-python36-python-pip | Fixed | RHSA-2020:4285 | 19.10.2020 |
| Red Hat Software Collections for Red Hat Enterprise Linux 6 | rh-python36-python-virtualenv | Fixed | RHSA-2020:4285 | 19.10.2020 |
Показывать по
Дополнительная информация
Статус:
EPSS
8 High
CVSS3
Связанные уязвимости
The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py.
The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py.
The pip package before 19.2 for Python allows Directory Traversal when ...
EPSS
8 High
CVSS3