PYSEC-2020-173
PUBLISHED
CVSS 8.7 HIGH
The pip package before 19.2 for Python allows directory traversal when a URL is given in an install command: the filename parameter of the Content-Disposition header returned by the server can contain ../ and is used unsanitised to build the download path, as demonstrated by overwriting the /root/.ssh/authorized_keys file. The vulnerable code is _download_http_url in _internal/download.py.
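The following is an added example, not pip's own code, that reconstructs the failure mode described above: a server-supplied Content-Disposition filename joined onto the download directory without sanitisation, next to a hardened version that keeps only the last path component and verifies the result still lies inside the directory. The sample header values are constructed for the example; that the 19.2 fix reduces the name with os.path.basename is an assumption here, so the function names are illustrative rather than pip's.

```python
import os
from email.message import Message


# Constructed sample response headers, as an attacker-controlled download
# server could return them for a `pip install https://...` style URL.
MALICIOUS_HEADER = 'attachment; filename="../../root/.ssh/authorized_keys"'
ABSOLUTE_HEADER = 'attachment; filename="/root/.ssh/authorized_keys"'
BENIGN_HEADER = 'attachment; filename="example-1.0.tar.gz"'


def filename_from_content_disposition(header_value):
    """Extract the filename parameter from a Content-Disposition value.

    Uses the stdlib email parser, which handles quoting and RFC 2231
    encoding; returns None when no filename parameter is present.
    """
    msg = Message()
    msg["Content-Disposition"] = header_value
    return msg.get_filename()


def unsafe_target_path(download_dir, header_value):
    """Pre-19.2 style handling (assumed reconstruction, not pip's code):
    the server-supplied filename is joined onto the download directory
    as-is, so '../' segments and absolute names escape it."""
    name = filename_from_content_disposition(header_value)
    return os.path.join(download_dir, name)


def sanitize_content_filename(filename):
    """Keep only the final path component of a server-supplied filename
    (assumed to match the basename approach of the 19.2 fix)."""
    return os.path.basename(filename)


def is_escaping(download_dir, path):
    """True when `path` resolves outside `download_dir`."""
    base = os.path.abspath(download_dir)
    return os.path.commonpath([base, os.path.abspath(path)]) != base


def safe_target_path(download_dir, header_value):
    """Hardened handling: sanitise the name, reject empty or dot names,
    and verify the resulting path is still inside download_dir."""
    name = filename_from_content_disposition(header_value)
    if name is None:
        raise ValueError("no filename parameter in Content-Disposition")
    name = sanitize_content_filename(name)
    if name in ("", ".", ".."):
        raise ValueError("unusable filename %r" % name)
    target = os.path.join(os.path.abspath(download_dir), name)
    # Defense in depth: refuse anything that still resolves outside the
    # download directory, even after basename().
    if is_escaping(download_dir, target):
        raise ValueError("path traversal detected: %r" % target)
    return target


if __name__ == "__main__":
    for header in (MALICIOUS_HEADER, ABSOLUTE_HEADER, BENIGN_HEADER):
        unsafe = unsafe_target_path("/tmp/pip-dl", header)
        print("unsafe:", unsafe, "(escapes)" if is_escaping("/tmp/pip-dl", unsafe) else "")
        print("safe:  ", safe_target_path("/tmp/pip-dl", header))
```

Running the block shows that both the ../ and the absolute filename land on /root/.ssh/authorized_keys with the unsafe join, while the hardened path keeps every download under the target directory. The commonpath check is cheap and catches any future sanitiser bypass, so it is worth keeping even when the basename reduction alone would suffice.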
Risk Scores
CVSS v4.0: 8.7 (HIGH)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| PyPI | pip | all versions before 19.2 (fixed in 19.2) |
Timeline
- Sep 4, 2020 CVE Published
- Nov 8, 2023 CVE Updated
References
- https://github.com/pypa/pip/compare/19.1.1...19.2 (url)
- http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00005.html (url)
- http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00010.html (url)
- https://github.com/advisories/GHSA-gpvv-69j7-gwj8 (advisory)
- https://lists.debian.org/debian-lts-announce/2020/09/msg00010.html (advisory)
- https://github.com/pypa/pip/issues/6413 (discussion)
- https://github.com/gzpan123/pip/commit/a4c735b14a62f9cb864533808ac63936704f2ace (fix)