Lucene search
Veracode Vulnerability DatabaseVERACODE:33587HistoryJan 11, 2022 - 9:05 a.m.
Remote Code Execution (RCE)
2022-01-1109:05:12
Veracode Vulnerability Database
sca.analysiscenter.veracode.com
8
0.003 Low
EPSS
Percentile
65.3%
pipenv is vulnerable to remote code execution. The vulnerability exists due to a lack of sanitization of requirements files allowing an attacker to inject a maliciously crafted string inside a comment in a requirements.txt file.
| CPE | Name | Operator | Version |
|---|---|---|---|
| pipenv | le | 2021.11.23 | |
| pipenv | le | 2021.11.23 |
References
github.com/pypa/pipenv/commit/439782a8ae36c4762c88e43d5f0d8e563371b46f
github.com/pypa/pipenv/releases/tag/v2022.1.8
github.com/pypa/pipenv/security/advisories/GHSA-qc9x-gjcv-465w
lists.fedoraproject.org/archives/list/[email protected]/message/56HBA3EOSLEDNCCBJVHE6DO34P56EOUM/
lists.fedoraproject.org/archives/list/[email protected]/message/KCROBYHUS6DKQPCXBRPCZ5CDBNQTYAWT/
lists.fedoraproject.org/archives/list/[email protected]/message/QHQRIWKDP3SVJABAPEXBIQPKDI6UP7G4/
Related
cvelist
cvelist
nvd
nvd
CVE-2022-21668
2022-01-10 21:15:07
fedora
fedora
[SECURITY] Fedora 35 Update: pipenv-2021.5.29-7.fc35
2022-03-11 14:47:59
[SECURITY] Fedora 34 Update: pipenv-2020.11.15-3.fc34
2022-03-11 14:15:59
[SECURITY] Fedora 36 Update: pipenv-2021.5.29-7.fc36
2022-03-26 15:39:41
openvas
openvas
Fedora: Security Advisory for pipenv (FEDORA-2022-0d007466b3)
2022-03-27 00:00:00
Fedora: Security Advisory for pipenv (FEDORA-2022-508e460384)
2022-03-23 00:00:00
Fedora: Security Advisory for pipenv (FEDORA-2022-77ce20f03a)
2022-03-23 00:00:00
osv
osv
Pipenv's requirements.txt parsing allows malicious index url in comments
2022-01-12 22:29:41
CVE-2022-21668
2022-01-10 21:15:07
PYSEC-2022-6
2022-01-10 21:15:00
github
github
Pipenv's requirements.txt parsing allows malicious index url in comments
2022-01-12 22:29:41
cve
cve
CVE-2022-21668
2022-01-10 21:15:07
githubexploit
githubexploit
Exploit for Improper Input Validation in Pypa Pipenv
2022-03-26 22:50:36
prion
prion
Design/Logic Flaw
2022-01-10 21:15:00
debiancve
debiancve
CVE-2022-21668
2022-01-10 21:15:07
ubuntucve
ubuntucve
CVE-2022-21668
2022-01-10 00:00:00