Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1jeDYzLTJtdzYtOGh3Nc4AA94q
setuptools vulnerable to Command Injection via package URL
A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to code injection. If these functions are exposed to user-controlled inputs, such as package URLs, they can execute arbitrary commands on the system. The issue is fixed in version 70.0.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1jeDYzLTJtdzYtOGh3Nc4AA94q
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 4 months ago
Updated: 4 months ago
CVSS Score: 8.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Identifiers: GHSA-cx63-2mw6-8hw5, CVE-2024-6345
References:
- https://nvd.nist.gov/vuln/detail/CVE-2024-6345
- https://github.com/pypa/setuptools/commit/88807c7062788254f654ea8c03427adc859321f0
- https://huntr.com/bounties/d6362117-ad57-4e83-951f-b8141c6e7ca5
- https://github.com/pypa/setuptools/pull/4332
- https://github.com/advisories/GHSA-cx63-2mw6-8hw5
Blast Radius: 43.9
Affected Packages
pypi:setuptools
Dependent packages: 7,488
Dependent repositories: 97,511
Downloads: 541,629,204 last month
Affected Version Ranges: < 70.0.0
Fixed in: 70.0.0
All affected versions: 0.7.2, 0.7.3, 0.7.4, 0.7.5, 0.7.6, 0.7.7, 0.7.8, 0.9.1, 0.9.2, 0.9.3, 0.9.4, 0.9.5, 0.9.6, 0.9.7, 0.9.8, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5, 1.1.6, 1.1.7, 1.3.1, 1.3.2, 1.4.1, 1.4.2, 2.0.1, 2.0.2, 2.1.1, 2.1.2, 3.0.1, 3.0.2, 3.4.1, 3.4.2, 3.4.3, 3.4.4, 3.5.1, 3.5.2, 3.7.1, 3.8.1, 4.0.1, 5.0.1, 5.0.2, 5.4.1, 5.4.2, 5.5.1, 6.0.1, 6.0.2, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.2.1, 9.0.1, 10.0.1, 10.2.1, 11.3.1, 12.0.1, 12.0.2, 12.0.3, 12.0.4, 12.0.5, 13.0.1, 13.0.2, 14.1.1, 14.3.1, 17.1.1, 18.0.1, 18.3.1, 18.3.2, 18.6.1, 18.7.1, 18.8.1, 19.1.1, 19.4.1, 19.6.1, 19.6.2, 20.1.1, 20.2.2, 20.3.1, 20.6.6, 20.6.7, 20.6.8, 20.7.0, 20.8.0, 20.8.1, 20.9.0, 20.10.1, 21.0.0, 21.1.0, 21.2.0, 21.2.1, 21.2.2, 22.0.0, 22.0.1, 22.0.2, 22.0.4, 22.0.5, 23.0.0, 23.1.0, 23.2.0, 23.2.1, 24.0.0, 24.0.1, 24.0.2, 24.0.3, 24.1.0, 24.1.1, 24.2.0, 24.2.1, 24.3.0, 24.3.1, 25.0.0, 25.0.1, 25.0.2, 25.1.0, 25.1.1, 25.1.2, 25.1.3, 25.1.4, 25.1.5, 25.1.6, 25.2.0, 25.3.0, 25.4.0, 26.0.0, 26.1.0, 26.1.1, 27.0.0, 27.1.0, 27.1.2, 27.2.0, 27.3.0, 27.3.1, 28.0.0, 28.1.0, 28.2.0, 28.3.0, 28.4.0, 28.5.0, 28.6.0, 28.6.1, 28.7.0, 28.7.1, 28.8.0, 28.8.1, 29.0.0, 29.0.1, 30.0.0, 30.1.0, 30.2.0, 30.2.1, 30.3.0, 30.4.0, 31.0.0, 31.0.1, 32.0.0, 32.1.0, 32.1.1, 32.1.2, 32.1.3, 32.2.0, 32.3.0, 32.3.1, 33.1.0, 33.1.1, 34.0.0, 34.0.1, 34.0.2, 34.0.3, 34.1.0, 34.1.1, 34.2.0, 34.3.0, 34.3.1, 34.3.2, 34.3.3, 34.4.0, 34.4.1, 35.0.0, 35.0.1, 35.0.2, 36.0.1, 36.1.0, 36.1.1, 36.2.0, 36.2.1, 36.2.2, 36.2.3, 36.2.4, 36.2.5, 36.2.6, 36.2.7, 36.3.0, 36.4.0, 36.5.0, 36.6.0, 36.6.1, 36.7.0, 36.7.1, 36.7.2, 36.8.0, 37.0.0, 38.0.0, 38.1.0, 38.2.0, 38.2.1, 38.2.3, 38.2.4, 38.2.5, 38.3.0, 38.4.0, 38.4.1, 38.5.0, 38.5.1, 38.5.2, 38.6.0, 38.6.1, 38.7.0, 39.0.0, 39.0.1, 39.1.0, 39.2.0, 40.0.0, 40.1.0, 40.1.1, 40.2.0, 40.3.0, 40.4.0, 40.4.1, 40.4.2, 40.4.3, 40.5.0, 40.6.0, 40.6.1, 40.6.2, 40.6.3, 40.7.0, 40.7.1, 40.7.2, 40.7.3, 40.8.0, 40.9.0, 41.0.0, 41.0.1, 41.1.0, 41.2.0, 41.3.0, 41.4.0, 41.5.0, 41.5.1, 41.6.0, 42.0.0, 
42.0.1, 42.0.2, 43.0.0, 44.0.0, 44.1.0, 44.1.1, 45.0.0, 45.1.0, 45.2.0, 45.3.0, 46.0.0, 46.1.0, 46.1.1, 46.1.2, 46.1.3, 46.2.0, 46.3.0, 46.3.1, 46.4.0, 47.0.0, 47.1.0, 47.1.1, 47.2.0, 47.3.0, 47.3.1, 47.3.2, 48.0.0, 49.0.0, 49.0.1, 49.1.0, 49.1.1, 49.1.2, 49.1.3, 49.2.0, 49.2.1, 49.3.0, 49.3.1, 49.3.2, 49.4.0, 49.5.0, 49.6.0, 50.0.0, 50.0.1, 50.0.2, 50.0.3, 50.1.0, 50.2.0, 50.3.0, 50.3.1, 50.3.2, 51.0.0, 51.1.0, 51.1.1, 51.1.2, 51.2.0, 51.3.0, 51.3.1, 51.3.2, 51.3.3, 52.0.0, 53.0.0, 53.1.0, 54.0.0, 54.1.0, 54.1.1, 54.1.2, 54.1.3, 54.2.0, 56.0.0, 56.1.0, 56.2.0, 57.0.0, 57.1.0, 57.2.0, 57.3.0, 57.4.0, 57.5.0, 58.0.0, 58.0.1, 58.0.2, 58.0.3, 58.0.4, 58.1.0, 58.2.0, 58.3.0, 58.4.0, 58.5.0, 58.5.1, 58.5.2, 58.5.3, 59.0.1, 59.1.0, 59.1.1, 59.2.0, 59.3.0, 59.4.0, 59.5.0, 59.6.0, 59.7.0, 59.8.0, 60.0.0, 60.0.1, 60.0.2, 60.0.3, 60.0.4, 60.0.5, 60.1.0, 60.1.1, 60.2.0, 60.3.0, 60.3.1, 60.4.0, 60.5.0, 60.6.0, 60.7.0, 60.7.1, 60.8.0, 60.8.1, 60.8.2, 60.9.0, 60.9.1, 60.9.2, 60.9.3, 60.10.0, 61.0.0, 61.1.0, 61.1.1, 61.2.0, 61.3.0, 61.3.1, 62.0.0, 62.1.0, 62.2.0, 62.3.0, 62.3.1, 62.3.2, 62.3.3, 62.3.4, 62.4.0, 62.5.0, 62.6.0, 63.0.0, 63.1.0, 63.2.0, 63.3.0, 63.4.0, 63.4.1, 63.4.2, 63.4.3, 64.0.0, 64.0.1, 64.0.2, 64.0.3, 65.0.0, 65.0.1, 65.0.2, 65.1.0, 65.1.1, 65.2.0, 65.3.0, 65.4.0, 65.4.1, 65.5.0, 65.5.1, 65.6.0, 65.6.1, 65.6.2, 65.6.3, 65.7.0, 66.0.0, 66.1.0, 66.1.1, 67.0.0, 67.1.0, 67.2.0, 67.3.1, 67.3.2, 67.3.3, 67.4.0, 67.5.0, 67.5.1, 67.6.0, 67.6.1, 67.7.0, 67.7.1, 67.7.2, 67.8.0, 68.0.0, 68.1.0, 68.1.2, 68.2.0, 68.2.1, 68.2.2, 69.0.0, 69.0.1, 69.0.2, 69.0.3, 69.1.0, 69.1.1, 69.2.0, 69.3.0, 69.3.1, 69.4.0, 69.4.1, 69.4.2, 69.5.0, 69.5.1
All unaffected versions: 70.0.0, 70.1.0, 70.1.1, 70.2.0, 70.3.0, 71.0.0, 71.0.1, 71.0.2, 71.0.3, 71.0.4, 71.1.0, 72.0.0, 72.1.0, 72.2.0, 73.0.0, 73.0.1, 74.0.0, 74.1.0, 74.1.1, 74.1.2, 74.1.3, 75.0.0, 75.1.0, 75.2.0, 75.3.0, 75.4.0, 75.5.0, 75.6.0