Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWdwdnYtNjlqNy1nd2o4

Path Traversal in pip

The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py. A fix was committed 6704f2ace.

Permalink: https://github.com/advisories/GHSA-gpvv-69j7-gwj8
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWdwdnYtNjlqNy1nd2o4
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 3 years ago
Updated: over 1 year ago

CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Identifiers: GHSA-gpvv-69j7-gwj8, CVE-2019-20916
References:

Repository: https://github.com/pypa/pip
Blast Radius: 34.1

Affected Packages

pypi:pip

Dependent packages: 902
Dependent repositories: 35,613
Downloads: 352,870,441 last month
Affected Version Ranges: < 19.2
Fixed in: 19.2
All affected versions: 0.2.1, 0.3.1, 0.5.1, 0.6.1, 0.6.2, 0.6.3, 0.7.1, 0.7.2, 0.8.1, 0.8.2, 0.8.3, 1.0.1, 1.0.2, 1.2.1, 1.3.1, 1.4.1, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.5.5, 1.5.6, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.1.0, 6.1.1, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.1.0, 7.1.1, 7.1.2, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.1.0, 8.1.1, 8.1.2, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 10.0.0, 10.0.1, 19.0.1, 19.0.2, 19.0.3, 19.1.1
All unaffected versions: 19.2.1, 19.2.2, 19.2.3, 19.3.1, 20.0.1, 20.0.2, 20.1.1, 20.2.1, 20.2.2, 20.2.3, 20.2.4, 20.3.1, 20.3.2, 20.3.3, 20.3.4, 21.0.1, 21.1.1, 21.1.2, 21.1.3, 21.2.1, 21.2.2, 21.2.3, 21.2.4, 21.3.1, 22.0.1, 22.0.2, 22.0.3, 22.0.4, 22.1.1, 22.1.2, 22.2.1, 22.2.2, 22.3.1, 23.0.1, 23.1.1, 23.1.2, 23.2.1, 23.3.1, 23.3.2