Description
When pip is installing and extracting a maliciously crafted wheel archive, files may be extracted outside the installation directory. The path traversal is limited to prefixes of the installation directory, thus isn't able to inject or overwrite executable files in typical situations.
A flaw was found in pip. A remote attacker could exploit this path traversal vulnerability by tricking a user into installing a maliciously crafted wheel archive. This could lead to files being extracted outside the intended installation directory, potentially disclosing sensitive information.
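As an added example (not pip's own code), the following scanner inspects a wheel's zip members before installation and reports any that would land outside the target directory. It assumes a constructed install path and a constructed wheel; the `naive_is_inside` helper is included only to show why a string-prefix containment check is weaker than a component-wise one, which is the general class of weakness the description's "prefixes of the installation directory" wording points at, not a claim about pip's exact implementation.

```python
import io
import os
import posixpath
import zipfile


def is_inside(install_dir: str, target: str) -> bool:
    """Component-wise containment: True only if target is install_dir or beneath it."""
    install_dir = os.path.abspath(install_dir)
    target = os.path.abspath(target)
    return os.path.commonpath([install_dir, target]) == install_dir


def naive_is_inside(install_dir: str, target: str) -> bool:
    """Illustrative weak check: a string prefix accepts sibling directories
    such as '<install_dir>-evil', which is not containment."""
    return os.path.abspath(target).startswith(os.path.abspath(install_dir))


def unsafe_wheel_entries(wheel_bytes: bytes, install_dir: str) -> list:
    """Return member names that would be written outside install_dir.

    Wheels are zip archives whose member names use forward slashes; absolute
    names and '..' components are the classic traversal vectors.
    """
    bad = []
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as zf:
        for name in zf.namelist():
            if posixpath.isabs(name) or name.startswith("\\"):
                bad.append(name)
                continue
            dest = os.path.join(install_dir, *name.split("/"))
            if not is_inside(install_dir, dest):
                bad.append(name)
    return bad


def build_sample_wheel() -> bytes:
    """Constructed sample archive: one benign member and two traversal attempts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("demo/__init__.py", "")
        zf.writestr("../escaped.txt", "x")
        zf.writestr("demo/../../escaped2.txt", "x")
    return buf.getvalue()


if __name__ == "__main__":
    # Hypothetical install directory used only for the demonstration.
    print(unsafe_wheel_entries(build_sample_wheel(), "/srv/site-packages"))
```

Running the scanner as a pre-install gate (for example against wheels pulled from an internal mirror) flags the two escaping members while leaving the benign one untouched.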
Statement
This LOW impact flaw in pip allows information disclosure via path traversal when installing crafted wheel archives. While files may be extracted outside the installation directory, the traversal is limited to prefixes of the installation directory, preventing injection or overwriting of executable files in typical Red Hat environments.
Mitigation
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.
Affected Packages
| Platform | Package | State | Errata | Release |
|---|---|---|---|---|
| Lightspeed Core | lightspeed-core/dataverse-exporter-rhel9 | Fix deferred | | |
| Lightspeed Core | lightspeed-core/lightspeed-stack-rhel9 | Fix deferred | | |
| Logging Subsystem for Red Hat OpenShift | openshift-logging/logging-curator5-rhel9 | Fix deferred | | |
| Migration Toolkit for Virtualization | migration-toolkit-virtualization/mtv-rhel9-operator | Fix deferred | | |
| Migration Toolkit for Virtualization | mtv-candidate/mtv-rhel9-operator | Fix deferred | | |
| OpenShift Lightspeed | openshift-lightspeed/lightspeed-to-dataverse-exporter-rhel9 | Fix deferred | | |
| OpenShift Service Mesh 3 | openshift-service-mesh/kiali-rhel9-operator | Fix deferred | | |
| Pen Drive Powered by Red Hat Lightspeed | pen-drive/pen-drive-scanner-rhel9 | Fix deferred | | |
| Red Hat AI Inference Server | rhai/base-image-cpu-rhel9 | Fix deferred | | |
| Red Hat AI Inference Server | rhai/base-image-cuda-rhel9 | Fix deferred | | |
EPSS
3.9 Low
CVSS3