Lucene search

GoogleOSV:GHSA-53MR-44PP-CRF4

HistoryMay 13, 2022 - 1:11 a.m.

pip lack of randomness in build directory

2022-05-1301:11:25

Google

osv.dev

6.4 Medium

AI Score

Confidence

High

2.1 Low

CVSS2

Access Vector

LOCAL

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:L/AC:L/Au:N/C:N/I:N/A:P

0.001 Low

EPSS

Percentile

24.3%

JSON

pip 1.3 through 1.5.6 allows local users to cause a denial of service (prevention of package installation) by creating a /tmp/pip-build-* file for another user.

CPENameOperatorVersion
pipeq0.8.1
pipeq1.2.1
pipeq0.4
pipeq0.3
pipeq1.5.6
pipeq1.4
pipeq0.6.3
pipeq0.7
pipeq1.2
pipeq0.7.2

Name	Operator	Version
pip	eq	0.8.1
pip	eq	1.2.1
pip	eq	0.4
pip	eq	0.3
pip	eq	1.5.6
pip	eq	1.4
pip	eq	0.6.3
pip	eq	0.7
pip	eq	1.2
pip	eq	0.7.2

Rows per page:

1-10 of 351

References

www.openwall.com/lists/oss-security/2014/11/19/17

www.openwall.com/lists/oss-security/2014/11/20/6

www.oracle.com/technetwork/topics/security/bulletinjul2015-2511963.html

www.securityfocus.com/bid/71209

bugs.debian.org/cgi-bin/bugreport.cgi?bug=725847

github.com/pypa/pip

github.com/pypa/pip/commit/043fe9f5700315d97f83609c1f59deece8f1b901

github.com/pypa/pip/pull/2122

nvd.nist.gov/vuln/detail/CVE-2014-8991

6.4 Medium

AI Score

Confidence

High

2.1 Low

CVSS2

Access Vector

LOCAL

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:L/AC:L/Au:N/C:N/I:N/A:P

0.001 Low

EPSS

Percentile

24.3%

JSON

Related for OSV:GHSA-53MR-44PP-CRF4