PT-2020-6270 · Pypi+8 · Pip+8

Published: 2019-04-16 · Updated: 2024-06-15 · CVE-2019-20916

CVSS v4.0: 8.7 (High)

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: pip versions prior to 19.2

Description: The issue allows directory traversal when a URL is given in an install command, because a Content-Disposition header returned by the server can carry `../` in its filename parameter, and that filename is used to choose where the downloaded file is written. This can be demonstrated by overwriting the `/root/.ssh/authorized_keys` file. The problem occurs in the `_download_http_url` function in `_internal/download.py`.

Recommendations: For versions prior to 19.2, update to version 19.2 or later to resolve the issue. As a temporary workaround, consider restricting the use of URLs in install commands to minimize the risk of exploitation. Avoid using URLs that contain `../` in filenames until the issue is resolved.
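As an added illustration (not the page's or pip's own code), the Python below contrasts a destination-path computation that trusts the server-supplied Content-Disposition filename, in the shape the description above implies, with a hardened one that keeps only the base name and verifies the result stays inside the download directory. The header value and the download directory are constructed sample inputs; `safe_dest_path` and its `fallback` parameter are hypothetical names.

```python
import os
import posixpath
from email.message import Message


def parse_content_disposition_filename(header):
    """Extract the filename parameter from a Content-Disposition header value.
    The stdlib email parser handles quoting and RFC 2231 (filename*) encoding."""
    msg = Message()
    msg["content-disposition"] = header
    return msg.get_filename()  # None when no filename parameter is present


def naive_dest_path(download_dir, header):
    """Pre-fix shape of the bug: the server-chosen filename is joined onto the
    download directory as-is, so '../' segments walk out of it."""
    filename = parse_content_disposition_filename(header)
    return os.path.normpath(os.path.join(download_dir, filename))


def safe_dest_path(download_dir, header, fallback="download.tar.gz"):
    """Hardened version: treat the header value as a bare file name, never a path."""
    filename = parse_content_disposition_filename(header) or ""
    # Keep only the last component; treat backslashes as separators too so a
    # Windows-style 'a\\..\\b' cannot survive on POSIX hosts.
    filename = posixpath.basename(filename.replace("\\", "/"))
    if filename in ("", ".", ".."):
        filename = fallback
    dest = os.path.realpath(os.path.join(download_dir, filename))
    root = os.path.realpath(download_dir)
    # Defence in depth: refuse anything that still resolves outside the directory.
    if os.path.commonpath([root, dest]) != root:
        raise ValueError("filename escapes download directory: %r" % filename)
    return dest


if __name__ == "__main__":
    # Constructed sample header of the kind the description refers to.
    header = 'attachment; filename="../../root/.ssh/authorized_keys"'
    print("naive:", naive_dest_path("/tmp/pip-download", header))
    print("safe: ", safe_dest_path("/tmp/pip-download", header))
```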

Exploit

Fix

Path traversal


Weakness Enumeration

Related Identifiers

ALSA-2020:4654
BDU:2021-03750
CESA-2020_4432
CESA-2020_4654
CESA-2022_5234
CVE-2019-20916
DLA-2370-1
GHSA-GPVV-69J7-GWJ8
MGASA-2021-0054
OPENSUSE-SU-2020:1598-1
OPENSUSE-SU-2020:1613-1
OPENSUSE-SU-2020:2143-1
OPENSUSE-SU-2020:2152-1
OPENSUSE-SU-2020:2169-1
OPENSUSE-SU-2020:2184-1
OPENSUSE-SU-2020:2185-1
OPENSUSE-SU-2020:2189-1
OPENSUSE-SU-2020:2190-1
OPENSUSE-SU-2020:2211-1
OPENSUSE-SU-2020_1598-1
OPENSUSE-SU-2020_1613-1
OPENSUSE-SU-2020_2143-1
OPENSUSE-SU-2020_2152-1
OPENSUSE-SU-2020_2169-1
OPENSUSE-SU-2020_2184-1
OPENSUSE-SU-2020_2185-1
OPENSUSE-SU-2020_2189-1
OPENSUSE-SU-2020_2190-1
OPENSUSE-SU-2020_2211-1
OPENSUSE-SU-2021:0270-1
OPENSUSE-SU-2021:0331-1
OPENSUSE-SU-2021_0270-1
OPENSUSE-SU-2021_0331-1
OPENSUSE-SU-2022_1454-1
OPENSUSE-SU-2024:11251-1
OPENSUSE-SU-2024:11272-1
OPENSUSE-SU-2024:11284-1
OPENSUSE-SU-2024:11285-1
OPENSUSE-SU-2024:11551-1
OPENSUSE-SU-2024:13916-1
OPENSUSE-SU-2024:14029-1
PYSEC-2020-173
RHSA-2020:4273
RHSA-2020:4285
RHSA-2020:4432
RHSA-2020:4654
RHSA-2020_4432
RHSA-2020_4654
RHSA-2022:5234
RHSA-2022_5234
RLSA-2020:4654
SUSE-FU-2021:2130-1
SUSE-FU-2022:0444-1
SUSE-FU-2022:0445-1
SUSE-SU-2020:2698-1
SUSE-SU-2020:2726-1
SUSE-SU-2020:2784-1
SUSE-SU-2020:3016-1
SUSE-SU-2020:3563-1
SUSE-SU-2020:3565-1
SUSE-SU-2020:3566-1
SUSE-SU-2020:3593-1
SUSE-SU-2020:3594-1
SUSE-SU-2020:3596-1
SUSE-SU-2020:3597-1
SUSE-SU-2020:3599-1
SUSE-SU-2020:3737-1
SUSE-SU-2020:3765-1
SUSE-SU-2020:3865-1
SUSE-SU-2020_2698-1
SUSE-SU-2020_2784-1
SUSE-SU-2020_3565-1
SUSE-SU-2020_3566-1
SUSE-SU-2020_3593-1
SUSE-SU-2020_3594-1
SUSE-SU-2020_3596-1
SUSE-SU-2020_3597-1
SUSE-SU-2020_3599-1
SUSE-SU-2020_3737-1
SUSE-SU-2020_3765-1
SUSE-SU-2021:0344-1
SUSE-SU-2021:0355-1
SUSE-SU-2021:0428-1
SUSE-SU-2021:0432-1
SUSE-SU-2021:0529-1
SUSE-SU-2021_0344-1
SUSE-SU-2021_0355-1
SUSE-SU-2021_0428-1
SUSE-SU-2021_0432-1
SUSE-SU-2021_0529-1
SUSE-SU-2022:1454-1
SUSE-SU-2022_1454-1
SUSE-SU-2023:0516-2
SUSE-SU-2023_0516-2
USN-4601-1

Affected Products

Almalinux
Astra Linux
Centos
Red Hat
Red Os
Rocky Linux
Suse
Ubuntu
Pip