Pip
Monthly
Path traversal during wheel installation in pip allows a malicious package's console_scripts or gui_scripts entry point names to be written outside the intended scripts directory. All pip versions are listed as affected (CPE covers wildcard versions), and exploitation requires a victim to run pip install on a specially crafted package - making this a supply chain attack vector. No public exploit code is identified at time of analysis, no KEV listing exists, and a vendor fix is available upstream via PR #14000, though no specific patched release version is independently confirmed from available intelligence.
When installing a package from a Mercurial VCS URL (ie "pip install hg+...") with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the. Rated low severity (CVSS 3.3), this vulnerability is low attack complexity. This Command Injection vulnerability could allow attackers to inject arbitrary commands into system command execution.
A flaw was found in python-pip in the way it handled Unicode separators in git references. Rated medium severity (CVSS 5.7), this vulnerability is remotely exploitable, low attack complexity.
An issue was discovered in pip (all versions) because it installs the version with the highest version number, even if the user had intended to obtain a private package from a private index. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
pip 1.3 through 1.5.6 allows local users to cause a denial of service (prevention of package installation) by creating a /tmp/pip-build-* file for another user. Rated low severity (CVSS 2.1), this vulnerability is low attack complexity.
pip before 1.3 allows local users to overwrite arbitrary files via a symlink attack on a file in the /tmp/pip-build temporary directory. Rated low severity (CVSS 2.1), this vulnerability is low attack complexity.
pip before 1.3 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which allows man-in-the-middle attackers to execute arbitrary code. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. Public exploit code available and EPSS exploitation probability 39.9%.
Path traversal during wheel installation in pip allows a malicious package's console_scripts or gui_scripts entry point names to be written outside the intended scripts directory. All pip versions are listed as affected (CPE covers wildcard versions), and exploitation requires a victim to run pip install on a specially crafted package - making this a supply chain attack vector. No public exploit code is identified at time of analysis, no KEV listing exists, and a vendor fix is available upstream via PR #14000, though no specific patched release version is independently confirmed from available intelligence.
When installing a package from a Mercurial VCS URL (ie "pip install hg+...") with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the. Rated low severity (CVSS 3.3), this vulnerability is low attack complexity. This Command Injection vulnerability could allow attackers to inject arbitrary commands into system command execution.
A flaw was found in python-pip in the way it handled Unicode separators in git references. Rated medium severity (CVSS 5.7), this vulnerability is remotely exploitable, low attack complexity.
An issue was discovered in pip (all versions) because it installs the version with the highest version number, even if the user had intended to obtain a private package from a private index. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
pip 1.3 through 1.5.6 allows local users to cause a denial of service (prevention of package installation) by creating a /tmp/pip-build-* file for another user. Rated low severity (CVSS 2.1), this vulnerability is low attack complexity.
pip before 1.3 allows local users to overwrite arbitrary files via a symlink attack on a file in the /tmp/pip-build temporary directory. Rated low severity (CVSS 2.1), this vulnerability is low attack complexity.
pip before 1.3 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which allows man-in-the-middle attackers to execute arbitrary code. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. Public exploit code available and EPSS exploitation probability 39.9%.