setuptools vulnerable to Command Injection via package URL

High severity GitHub Reviewed Published Jul 15, 2024 to the GitHub Advisory Database • Updated Jul 15, 2024

Package

pip setuptools (pip)

Affected versions

< 70.0.0

Patched versions

70.0.0

Description

A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to code injection. If these functions are exposed to user-controlled inputs, such as package URLs, they can execute arbitrary commands on the system. The issue is fixed in version 70.0.
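A defender's first question on reading this advisory is whether a given environment still carries an affected setuptools. The check below is an added example, not code from the advisory or from setuptools: it compares a version string against the advisory's affected range (< 70.0.0, including pre-releases of 70.0.0) and scans constructed `pip freeze`-style output for affected pins.

```python
import re

# Affected range stated in the advisory: setuptools < 70.0.0, patched in 70.0.0.
PATCHED_RELEASE = (70, 0, 0)

# Constructed sample of `pip freeze` output used as input; not taken from a real host.
SAMPLE_FREEZE = """\
certifi==2024.2.2
setuptools==69.1.1
wheel==0.43.0
"""

# Release segment plus an optional pre-release/dev marker (enough of PEP 440 for this range).
_VERSION_RE = re.compile(
    r"^\s*v?(?P<release>\d+(?:\.\d+)*)(?:[-._]?(?P<pre>a|b|rc|c|alpha|beta|pre|preview|dev)\d*)?",
    re.IGNORECASE,
)

def parse_version(version: str) -> tuple:
    """Return (release_tuple, is_prerelease); the release is padded to three parts so "70.0" == (70, 0, 0).
    Post-release suffixes such as ".post1" sort after their release and do not change the comparison."""
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    release = tuple(int(p) for p in m.group("release").split("."))
    release = release + (0,) * max(0, 3 - len(release))
    return release, m.group("pre") is not None

def is_vulnerable(version: str) -> bool:
    """True when this setuptools version is inside the advisory's affected range (< 70.0.0)."""
    release, prerelease = parse_version(version)
    if release < PATCHED_RELEASE:
        return True
    # A pre-release of 70.0.0 itself (e.g. 70.0.0rc1) still sorts below the fixed release.
    return release == PATCHED_RELEASE and prerelease

def flag_vulnerable_setuptools(freeze_output: str) -> list:
    """Scan `pip freeze`-style lines and report setuptools pins in the affected range."""
    findings = []
    for line in freeze_output.splitlines():
        m = re.match(r"^\s*setuptools\s*==\s*(\S+)", line, re.IGNORECASE)
        if m and is_vulnerable(m.group(1)):
            findings.append(f"setuptools=={m.group(1)} is affected by GHSA-cx63-2mw6-8hw5 (CVE-2024-6345); upgrade to >=70.0.0")
    return findings

if __name__ == "__main__":
    for finding in flag_vulnerable_setuptools(SAMPLE_FREEZE):
        print(finding)
```

Run it against real `pip freeze` output by reading stdin instead of `SAMPLE_FREEZE`; the same check applies to build-time environments (isolated build backends, CI images) where setuptools is pulled in implicitly.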

References

Published by the National Vulnerability Database Jul 15, 2024
Published to the GitHub Advisory Database Jul 15, 2024
Reviewed Jul 15, 2024
Last updated Jul 15, 2024

Severity

High
8.8
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Weaknesses

CVE ID

CVE-2024-6345

GHSA ID

GHSA-cx63-2mw6-8hw5

Source code
