CVE-2022-21668

Name of the Vulnerable Software and Affected Versions pipenv versions 2018.10.9 through 2022.1.8

Description A flaw in pipenv's parsing of requirements files allows an attacker to insert a specially crafted string inside a comment anywhere within a requirements.txt file. This will cause victims who use pipenv to install the requirements file to download dependencies from a package index server controlled by the attacker. By embedding malicious code in packages served from their malicious index server, the attacker can trigger arbitrary remote code execution (RCE) on the victims' systems. If an attacker is able to hide a malicious --index-url option in a requirements file that a victim installs with pipenv, the attacker can embed arbitrary malicious code in packages served from their malicious index server that will be executed on the victim's host during installation. The impact of successful exploitation is severe, and the overall likelihood of exploitation is low to moderate.

Recommendations For versions 2018.10.9 through 2022.1.8, update to version 2022.1.8 to resolve the issue. As a temporary workaround, consider disabling the use of comments in requirements files or restricting access to the --index-url option until a patch is available. Avoid using the --index-url option in the affected API endpoint until the issue is resolved. Restrict access to the setup.py file to minimize the risk of exploitation. Consider implementing additional security measures, such as validating the integrity of packages and dependencies, to prevent malicious code execution.