Name of the Vulnerable Software and Affected Versions pip versions prior to 19.2

Description The issue allows Directory Traversal when a URL is given in an install command. This is because a Content-Disposition header can contain ../ in a filename. For example, it can be used to overwrite the /root/.ssh/authorized keys file. The problem is located in the download http url function within internal/download.py.

Recommendations For versions prior to 19.2, update to version 19.2 or later to resolve the issue. As a temporary workaround, consider restricting the use of URLs in install commands to minimize the risk of exploitation.