PT-2023-23380 · Pypi · Pipreqs

Adeadfed

Publicado

2023-06-30

Atualizado

2023-07-10

CVE-2023-31543

CVSS v3.1

9.8

Crítica

Vetor

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions pipreqs versions 0.3.0 through 0.4.11

Description A dependency confusion in pipreqs allows attackers to execute arbitrary code via uploading a crafted PyPI package to the chosen repository server.

Recommendations For pipreqs versions 0.3.0 through 0.4.11, consider updating to a version outside of this range to mitigate the risk of arbitrary code execution. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Uncontrolled Search Path Element

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-427

Identificadores relacionados

CVE-2023-31543

GHSA-V4F4-23WC-99MH

OPENSUSE-SU-2024:13041-1

PYSEC-2023-99

Produtos afetados

Pipreqs

PT-2023-23380 · Pypi · Pipreqs

CVE-2023-31543

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 12