pipenv is vulnerable to remote code execution. The vulnerability exists because requirements files are not sanitized, which allows an attacker to inject a maliciously crafted string inside a comment in a requirements.txt file.
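A defensive pre-check for the weakness described above, added here as an example (not pipenv's own code): it strips comments from a requirements file the way pip delimits them and reports any comment that carries option-like syntax, so the affected tool never sees comment text. Which tokens count as dangerous is an assumption of this example, and backslash line continuation is not handled.

```python
import re
from dataclasses import dataclass, field

# pip only treats '#' as starting a comment at the beginning of a line or
# when it is preceded by whitespace, so the '#egg=' fragment of a VCS URL
# must survive sanitisation. Backslash line continuation is not handled here.
COMMENT_RE = re.compile(r"(^|\s)#.*$")
# Option-like tokens such as "-i URL" or "--index-url=URL". Which options are
# dangerous is an assumption of this example; any option syntax in a comment is
# flagged, since a comment should never carry one.
OPTION_IN_COMMENT_RE = re.compile(r"(?<!\S)--?[A-Za-z][\w-]*")

@dataclass
class Result:
    sanitized: str                # comment-free copy safe to hand to the tool
    findings: list = field(default_factory=list)  # (line, options, comment)

def sanitize_requirements(text: str) -> Result:
    """Strip every comment and report comments that carry option syntax."""
    kept, findings = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        m = COMMENT_RE.search(raw)
        if m:
            code, comment = raw[: m.start()], raw[m.start():].lstrip()
            options = OPTION_IN_COMMENT_RE.findall(comment[1:])
            if options:
                findings.append((lineno, options, comment))
        else:
            code = raw
        code = code.rstrip()
        if code:  # blank and comment-only lines are dropped from the copy
            kept.append(code)
    return Result("\n".join(kept) + "\n", findings)

# Constructed sample: one benign pinned line, one VCS URL whose '#egg=' must be
# preserved, and two comments smuggling option syntax (hosts are placeholders).
SAMPLE = (
    "requests==2.28.1  # pinned for CI\n"
    "-e git+https://example.invalid/repo.git#egg=demo\n"
    "flask>=2.0 # --index-url https://example.invalid/simple\n"
    "# -i https://example.invalid/simple\n"
)

if __name__ == "__main__":
    result = sanitize_requirements(SAMPLE)
    for lineno, options, comment in result.findings:
        print(f"line {lineno}: option syntax {options} in comment {comment!r}")
    print(result.sanitized, end="")
```

Run the check in CI before invoking pipenv on a file from an untrusted source, and fail the job when findings is non-empty.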
| CPE | Name | Operator | Version |
|---|---|---|---|
| | pipenv | le | 2021.11.23 |
github.com/pypa/pipenv/commit/439782a8ae36c4762c88e43d5f0d8e563371b46f
github.com/pypa/pipenv/releases/tag/v2022.1.8
github.com/pypa/pipenv/security/advisories/GHSA-qc9x-gjcv-465w
lists.fedoraproject.org/archives/list/[email protected]/message/56HBA3EOSLEDNCCBJVHE6DO34P56EOUM/
lists.fedoraproject.org/archives/list/[email protected]/message/KCROBYHUS6DKQPCXBRPCZ5CDBNQTYAWT/
lists.fedoraproject.org/archives/list/[email protected]/message/QHQRIWKDP3SVJABAPEXBIQPKDI6UP7G4/