CVSS2
Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | MEDIUM |
Authentication | SINGLE |
Confidentiality Impact | NONE |
Integrity Impact | PARTIAL |
Availability Impact | NONE |
Vector string | AV:N/AC:M/Au:S/C:N/I:P/A:N |
CVSS3
Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | LOW |
User Interaction | REQUIRED |
Scope | UNCHANGED |
Confidentiality Impact | NONE |
Integrity Impact | HIGH |
Availability Impact | NONE |
Vector string | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N |
EPSS
Metric | Value |
---|---|
Percentile | 28.0% |
A flaw was found in python-pip in the way it handled Unicode separators in
git references. A remote attacker could possibly use this issue to install
a different revision on a repository. The highest threat from this
vulnerability is to data integrity. This is fixed in python-pip version
21.1.
Author | Note |
---|---|
sbeattie | pip < 10, i.e. pip in bionic and older, parses git references differently, requiring a more significant backport |
OS | OS Version | Architecture | Package | Affected Version | Filename |
---|---|---|---|---|---|
ubuntu | 18.04 | noarch | python-pip | < 9.0.1-2.3~ubuntu1.18.04.8+esm1 | UNKNOWN |
ubuntu | 14.04 | noarch | python-pip | < 8.1.1-2ubuntu0.6+esm2 | UNKNOWN |
ubuntu | 16.04 | noarch | python-pip | < 8.1.1-2ubuntu0.6+esm2 | UNKNOWN |
github.com/pypa/pip/issues/10042
github.com/pypa/pip/issues/10042#issuecomment-857452480
github.com/pypa/pip/pull/9827
github.com/skazi0/CVE-2021-3572/blob/master/CVE-2021-3572-v9.0.1.patch
launchpad.net/bugs/cve/CVE-2021-3572
nvd.nist.gov/vuln/detail/CVE-2021-3572
security-tracker.debian.org/tracker/CVE-2021-3572
ubuntu.com/security/notices/USN-4961-2
www.cve.org/CVERecord?id=CVE-2021-3572