CVE-2024-6345

EUVD-2024-2330

15.07.2024, 01:15

A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to code injection. If these functions are exposed to user-controlled inputs, such as package URLs, they can execute arbitrary commands on the system. The issue is fixed in version 70.0.

Code Injection

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	8.8 HIGH	NETWORK	LOW	NONE	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 90%

Early Detection

Affected products identified ahead of NVD analysis through intelligence sources.

Vendor	Product	Version	Source
python	setuptools	69.1.1 ≤ 𝑥 < 70.0	ADP

Debian Releases

Debian Product

Codename

setuptools

bookworm	66.1.1-1+deb12u2 fixed
bullseye	vulnerable
bullseye (security)	52.0.0-4+deb11u2 fixed
forky	78.1.1-0.1 fixed
sid	78.1.1-0.1 fixed
trixie	78.1.1-0.1 fixed

Ubuntu Releases

Ubuntu Product

Codename

python-setuptools

bionic	Fixed 39.0.1-2ubuntu0.1+esm1 released
focal	Fixed 44.0.0-2ubuntu0.1+esm1 released
jammy	Fixed 44.1.1-1.2ubuntu0.22.04.1+esm1 released
noble	dne
oracular	dne
plucky	dne
questing	dne
trusty	Fixed 3.3-1ubuntu2+esm2 released
xenial	Fixed 20.7.0-1ubuntu0.1~esm2 released

python-pip

bionic	Fixed 9.0.1-2.3~ubuntu1.18.04.8+esm4 released
focal	Fixed 20.0.2-5ubuntu1.10+esm2 released
jammy	not-affected
noble	not-affected
oracular	not-affected
plucky	not-affected
questing	not-affected
trusty	Fixed 1.5.4-1ubuntu4+esm5 released
xenial	Fixed 8.1.1-2ubuntu0.6+esm8 released

setuptools

focal	Fixed 45.2.0-1ubuntu0.2 released
jammy	Fixed 59.6.0-1.2ubuntu0.22.04.2 released
noble	Fixed 68.1.2-2ubuntu1.1 released
oracular	not-affected
plucky	not-affected
questing	not-affected

Common Weakness Enumeration

CWE-94 - Improper Control of Generation of Code ('Code Injection')
The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

References

https://github.com/pypa/setuptools/commit/88807c7062788254f654ea8c03427adc859321f0

https://huntr.com/bounties/d6362117-ad57-4e83-951f-b8141c6e7ca5

https://github.com/pypa/setuptools/commit/88807c7062788254f654ea8c03427adc859321f0

https://huntr.com/bounties/d6362117-ad57-4e83-951f-b8141c6e7ca5

https://lists.debian.org/debian-lts-announce/2024/09/msg00018.html