{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-07-25T16:12:52", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/pypa/pip/issues/6413"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/gzpan123/pip/commit/a4c735b14a62f9cb864533808ac63936704f2ace"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/pypa/pip/compare/19.1.1...19.2"}, {"name": "[debian-lts-announce] 20200911 [SECURITY] [DLA 2370-1] python-pip security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2020/09/msg00010.html"}, {"name": "openSUSE-SU-2020:1598", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00005.html"}, {"name": "openSUSE-SU-2020:1613", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00010.html"}, {"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"}, {"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com/security-alerts/cpujul2022.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-20916", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://github.com/pypa/pip/issues/6413", "refsource": "MISC", "url": "https://github.com/pypa/pip/issues/6413"}, {"name": "https://github.com/gzpan123/pip/commit/a4c735b14a62f9cb864533808ac63936704f2ace", "refsource": "MISC", "url": "https://github.com/gzpan123/pip/commit/a4c735b14a62f9cb864533808ac63936704f2ace"}, {"name": "https://github.com/pypa/pip/compare/19.1.1...19.2", "refsource": "MISC", "url": "https://github.com/pypa/pip/compare/19.1.1...19.2"}, {"name": "[debian-lts-announce] 20200911 [SECURITY] [DLA 2370-1] python-pip security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2020/09/msg00010.html"}, {"name": "openSUSE-SU-2020:1598", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00005.html"}, {"name": "openSUSE-SU-2020:1613", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00010.html"}, {"name": "https://www.oracle.com/security-alerts/cpuapr2022.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"}, {"name": "https://www.oracle.com/security-alerts/cpujul2022.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpujul2022.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T03:00:17.373Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/pypa/pip/issues/6413"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/gzpan123/pip/commit/a4c735b14a62f9cb864533808ac63936704f2ace"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/pypa/pip/compare/19.1.1...19.2"}, {"name": "[debian-lts-announce] 20200911 [SECURITY] [DLA 2370-1] python-pip security update", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2020/09/msg00010.html"}, {"name": "openSUSE-SU-2020:1598", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00005.html"}, {"name": "openSUSE-SU-2020:1613", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00010.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.oracle.com/security-alerts/cpujul2022.html"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-20916", "datePublished": "2020-09-04T19:20:55", "dateReserved": "2020-09-04T00:00:00", "dateUpdated": "2024-08-05T03:00:17.373Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:pypa:pip:*:*:*:*:*:*:*:*", "matchCriteriaId": "903FF43B-79F2-4F2A-BC24-12D52398B309", "versionEndExcluding": "19.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*", "matchCriteriaId": "B620311B-34A3-48A6-82DF-6F078D7A4493", "vulnerable": true}, {"criteria": "cpe:2.3:o:opensuse:leap:15.2:*:*:*:*:*:*:*", "matchCriteriaId": "B009C22E-30A4-4288-BCF6-C3E81DEAF45A", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:oracle:communications_cloud_native_core_network_function_cloud_native_environment:1.10.0:*:*:*:*:*:*:*", "matchCriteriaId": "C2A5B24D-BDF2-423C-98EA-A40778C01A05", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:communications_cloud_native_core_network_function_cloud_native_environment:22.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "04E6C8E9-2024-496C-9BFD-4548A5B44E2E", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.15.0:*:*:*:*:*:*:*", "matchCriteriaId": "B4367D9B-BF81-47AD-A840-AC46317C774D", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py."}, {"lang": "es", "value": "El paquete pip versiones anteriores a 19.2 para Python, permite un Salto de Directorio cuando una URL es proporcionada en un comando de instalaci\u00f3n, porque un encabezado Content-Disposition puede tener ../ en un nombre de archivo, como es demostrado al sobrescribir el archivo /root/.ssh/authorized_keys. Esto ocurre en la funci\u00f3n _download_http_url en el archivo _internal/download.py"}], "id": "CVE-2019-20916", "lastModified": "2024-11-21T04:39:40.913", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-09-04T20:15:11.013", "references": [{"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00005.html"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00010.html"}, {"source": "cve@mitre.org", "tags": ["Patch"], "url": "https://github.com/gzpan123/pip/commit/a4c735b14a62f9cb864533808ac63936704f2ace"}, {"source": "cve@mitre.org", "tags": ["Patch"], "url": "https://github.com/pypa/pip/compare/19.1.1...19.2"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Patch"], "url": "https://github.com/pypa/pip/issues/6413"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2020/09/msg00010.html"}, {"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"}, {"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpujul2022.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00005.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00010.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/gzpan123/pip/commit/a4c735b14a62f9cb864533808ac63936704f2ace"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/pypa/pip/compare/19.1.1...19.2"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Patch"], "url": "https://github.com/pypa/pip/issues/6413"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2020/09/msg00010.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpujul2022.html"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2022:5234", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "python-virtualenv-0:15.1.0-7.el7_9", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2022-06-28T00:00:00Z"}, {"advisory": "RHSA-2020:4432", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "python-pip-0:9.0.3-18.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2020-11-04T00:00:00Z"}, {"advisory": "RHSA-2020:4654", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "python27:2.7-8030020200819165638.851f4228", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2020-11-04T00:00:00Z"}, {"advisory": "RHSA-2020:4432", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "python-pip-0:9.0.3-18.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2020-11-04T00:00:00Z"}, {"advisory": "RHSA-2020:4285", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el6", "package": "rh-python36-python-0:3.6.12-1.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6", "release_date": "2020-10-19T00:00:00Z"}, {"advisory": "RHSA-2020:4285", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el6", "package": "rh-python36-python-pip-0:9.0.1-5.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6", "release_date": "2020-10-19T00:00:00Z"}, {"advisory": "RHSA-2020:4285", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el6", "package": "rh-python36-python-virtualenv-0:15.1.0-3.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6", "release_date": "2020-10-19T00:00:00Z"}, {"advisory": "RHSA-2020:4273", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "python27-python-0:2.7.18-2.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2020-10-20T00:00:00Z"}, {"advisory": "RHSA-2020:4273", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "python27-python-pip-0:8.1.2-6.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2020-10-20T00:00:00Z"}, {"advisory": "RHSA-2020:4273", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "python27-python-virtualenv-0:13.1.0-4.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2020-10-20T00:00:00Z"}, {"advisory": "RHSA-2020:4285", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-python36-python-0:3.6.12-1.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2020-10-19T00:00:00Z"}, {"advisory": "RHSA-2020:4285", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-python36-python-pip-0:9.0.1-5.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2020-10-19T00:00:00Z"}, {"advisory": "RHSA-2020:4285", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-python36-python-virtualenv-0:15.1.0-3.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2020-10-19T00:00:00Z"}, {"advisory": "RHSA-2020:4273", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "python27-python-0:2.7.18-2.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS", "release_date": "2020-10-20T00:00:00Z"}, {"advisory": "RHSA-2020:4273", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "python27-python-pip-0:8.1.2-6.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS", "release_date": "2020-10-20T00:00:00Z"}, {"advisory": "RHSA-2020:4273", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "python27-python-virtualenv-0:13.1.0-4.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS", "release_date": "2020-10-20T00:00:00Z"}, {"advisory": "RHSA-2020:4285", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-python36-python-0:3.6.12-1.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS", "release_date": "2020-10-19T00:00:00Z"}, {"advisory": "RHSA-2020:4285", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-python36-python-pip-0:9.0.1-5.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS", "release_date": "2020-10-19T00:00:00Z"}, {"advisory": "RHSA-2020:4285", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-python36-python-virtualenv-0:15.1.0-3.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS", "release_date": "2020-10-19T00:00:00Z"}, {"advisory": "RHSA-2020:4273", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "python27-python-0:2.7.18-2.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS", "release_date": "2020-10-20T00:00:00Z"}, {"advisory": "RHSA-2020:4273", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "python27-python-pip-0:8.1.2-6.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS", "release_date": "2020-10-20T00:00:00Z"}, {"advisory": "RHSA-2020:4273", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "python27-python-virtualenv-0:13.1.0-4.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS", "release_date": "2020-10-20T00:00:00Z"}, {"advisory": "RHSA-2020:4285", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-python36-python-0:3.6.12-1.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS", "release_date": "2020-10-19T00:00:00Z"}, {"advisory": "RHSA-2020:4285", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-python36-python-pip-0:9.0.1-5.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS", "release_date": "2020-10-19T00:00:00Z"}, {"advisory": "RHSA-2020:4285", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-python36-python-virtualenv-0:15.1.0-3.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS", "release_date": "2020-10-19T00:00:00Z"}], "bugzilla": {"description": "python-pip: directory traversal in _download_http_url() function in src/pip/_internal/download.py", "id": "1868135", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1868135"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.0", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-22", "details": ["The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py.", "A flaw was found in the pip package installer for Python when downloading or installing a remote package via a specified URL. Improper validation of the \"Content-Disposition\" HTTP response header makes a path traversal attack possible, leading to an arbitrary file overwrite. This flaw allows an attacker who controls a malicious server to execute arbitrary code on the system."], "mitigation": {"lang": "en:us", "value": "Avoid downloading or installing packages from potentially malicious servers via the command-line \"pip download\" or \"pip install\"."}, "name": "CVE-2019-20916", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Will not fix", "package_name": "python-pip", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "python38:3.8/python3x-pip", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:3", "fix_state": "Not affected", "package_name": "rh-python38-python-pip", "product_name": "Red Hat Software Collections"}], "public_date": "2019-04-16T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2019-20916\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-20916"], "statement": "This issue has been rated as having Moderate impact because of the preconditions needed to trigger the flaw: it only affects Python Wheels and requires the user to pip-install a wheel from a malicious server. Installing software from untrusted servers is insecure by definition and strongly discouraged, as it may lead to system compromise regardless of this CVE.\nThis flaw did not affect the versions of `python-pip` in Python 3.8 as shipped with Red Hat Enterprise Linux 8 and Red Hat Software Collections 3, as they already included the fix for this CVE.", "threat_severity": "Moderate"}