Lucene search

K

Pip Security Vulnerabilities

cve
cve

CVE-2013-1629

pip before 1.3 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which allows man-in-the-middle attackers to execute arbitrary code via a crafted response to a "pip install" operation.

7.3AI Score

0.004EPSS

2013-08-06 02:52 AM
62
2
cve
cve

CVE-2013-1888

pip before 1.3 allows local users to overwrite arbitrary files via a symlink attack on a file in the /tmp/pip-build temporary directory.

6AI Score

0.0004EPSS

2013-08-17 06:54 AM
51
2
cve
cve

CVE-2013-5123

The mirroring support (-M, --use-mirrors) in Python Pip before 1.5 uses insecure DNS querying and authenticity checks which allows attackers to perform man-in-the-middle attacks.

5.9CVSS

5.4AI Score

0.002EPSS

2019-11-05 10:15 PM
64
cve
cve

CVE-2014-8991

pip 1.3 through 1.5.6 allows local users to cause a denial of service (prevention of package installation) by creating a /tmp/pip-build-* file for another user.

5.4AI Score

0.001EPSS

2014-11-24 03:59 PM
32
2
cve
cve

CVE-2018-20225

An issue was discovered in pip (all versions) because it installs the version with the highest version number, even if the user had intended to obtain a private package from a private index. This only affects use of the --extra-index-url option, and exploitation requires that the package does not a...

7.8CVSS

7.5AI Score

0.001EPSS

2020-05-08 06:15 PM
274
cve
cve

CVE-2019-20916

The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.p...

7.5CVSS

7.6AI Score

0.004EPSS

2020-09-04 08:15 PM
656
3
cve
cve

CVE-2021-3572

A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.

5.7CVSS

5.8AI Score

0.001EPSS

2021-11-10 06:15 PM
235
4
cve
cve

CVE-2023-5752

When installing a package from a Mercurial VCS URL (ie "pip installhg+...") with pip prior to v23.3, the specified Mercurial revision couldbe used to inject arbitrary configuration options to the "hg clone"call (ie "--config"). Controlling the Mercurial configuration can modifyhow and which reposit...

5.5CVSS

4AI Score

0.0004EPSS

2023-10-25 06:17 PM
83