PT-2024-5237 · Pypa+11 · Setuptools+11

Published 2024-07-14 · Updated 2026-05-18 · CVE-2024-6345

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions: pypa/setuptools versions up to 69.1.1
Description: A vulnerability in the package index module of pypa/setuptools allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to code injection. If these functions are exposed to user-controlled inputs, such as package URLs, they can execute arbitrary commands on the system.
Recommendations: For pypa/setuptools versions up to 69.1.1, update to version 70.0 to resolve the issue. As a temporary workaround, consider restricting the use of the download functions in the package index module to minimize the risk of exploitation. Avoid using user-controlled inputs, such as package URLs, in the affected download functions until the issue is resolved.

Fix

RCE

Code Injection

Weakness Enumeration

Related Identifiers

ALSA-2024:5279
ALSA-2024:5530
ALSA-2024:5531
ALSA-2024:5532
ALSA-2024:5533
ALSA-2024:5534
ALSA-2024:5962
ALSA-2024:6309
ALSA-2024:6311
ALSA-2024:6726
ALT-PU-2024-15879
ALT-PU-2024-15964
ALT-PU-2025-3089
AZL-43326
AZL-43329
AZL-60199
BDU:2024-05843
BIT-SETUPTOOLS-2024-6345
CESA-2024_5530
CESA-2024_5531
CESA-2024_5532
CESA-2024_5962
CESA-2024_6309
CESA-2024_6311
CLEANSTART-2026-EQ71754
CLEANSTART-2026-NR68832
CVE-2024-6345
DLA-3876-1
ECHO-A9D4-B82A-F3C2
GHSA-CX63-2MW6-8HW5
INFSA-2024_5279
INFSA-2024_5530
INFSA-2024_5531
INFSA-2024_5532
INFSA-2024_5533
INFSA-2024_5534
INFSA-2024_5962
INFSA-2024_6309
INFSA-2024_6311
INFSA-2024_6726
MGASA-2025-0056
OESA-2024-1931
OPENSUSE-SU-2024:14294-1
OPENSUSE-SU-2024_3054-1
OPENSUSE-SU-2024_3055-1
RHSA-2024:5000
RHSA-2024:5002
RHSA-2024:5040
RHSA-2024:5078
RHSA-2024:5084
RHSA-2024:5137
RHSA-2024:5279
RHSA-2024:5389
RHSA-2024:5530
RHSA-2024:5531
RHSA-2024:5532
RHSA-2024:5533
RHSA-2024:5534
RHSA-2024:5962
RHSA-2024:6220
RHSA-2024:6309
RHSA-2024:6311
RHSA-2024:6312
RHSA-2024:6488
RHSA-2024:6611
RHSA-2024:6612
RHSA-2024:6661
RHSA-2024:6662
RHSA-2024:6726
RHSA-2024:6907
RHSA-2024:8168
RHSA-2024:8170
RHSA-2024:8171
RHSA-2024:8172
RHSA-2024:8173
RHSA-2024:8179
RHSA-2024_5279
RHSA-2024_5530
RHSA-2024_5531
RHSA-2024_5532
RHSA-2024_5533
RHSA-2024_5534
RHSA-2024_5962
RHSA-2024_6309
RHSA-2024_6311
RHSA-2024_6726
RLSA-2024:5279
RLSA-2024:5530
RLSA-2024:5531
RLSA-2024:5532
RLSA-2024:5533
RLSA-2024:6726
ROSA-SA-2024-2512
ROSA-SA-2024-2513
SUSE-SU-2024:2899-1
SUSE-SU-2024:2900-1
SUSE-SU-2024:2904-1
SUSE-SU-2024:2906-1
SUSE-SU-2024:2907-1
SUSE-SU-2024:2950-1
SUSE-SU-2024:3054-1
SUSE-SU-2024:3055-1
SUSE-SU-2024:4020-1
SUSE-SU-2024:4021-1
SUSE-SU-2024:4029-1
SUSE-SU-2024_2899-1
SUSE-SU-2024_2900-1
SUSE-SU-2024_2906-1
SUSE-SU-2024_2907-1
SUSE-SU-2024_2950-1
SUSE-SU-2024_3054-1
SUSE-SU-2024_3055-1
SUSE-SU-2025:20053-1
USN-7002-1

Affected Products

Alt Linux
Almalinux
Astra Linux
Centos
Ibm Aix
Linuxmint
Red Hat
Red Os
Rocky Linux
Suse
Ubuntu
Setuptools