CVE-2024-6345

A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to code injection. If these functions are exposed to user-controlled inputs, such as package URLs, they can execute arbitrary commands on the system. The issue is fixed in version 70.0.
Vulnerability type: Code Injection
Provider  | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector
NIST      | NIST | 8.8 HIGH   | NETWORK     | LOW             | NONE           | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
@huntr_ai | CNA  | 8.8 HIGH   | NETWORK     | LOW             | NONE           | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CISA-ADP  | ADP  | ---        | ---         | ---             | ---            | ---
CVE       | ADP  | ---        | ---         | ---             | ---            | ---
NVD status: Awaiting analysis. This vulnerability is currently awaiting analysis.
EPSS score percentile: 45%
Debian Releases

Debian Product | Codename            | Version          | Status
setuptools     | bullseye            |                  | vulnerable
setuptools     | bullseye (security) | 52.0.0-4+deb11u2 | fixed
setuptools     | bookworm            | 66.1.1-1+deb12u1 | fixed
setuptools     | trixie              | 78.1.0-1.2       | fixed
setuptools     | sid                 | 78.1.1-0.1       | fixed
Ubuntu Releases

Ubuntu Product    | Codename | Fixed Version                    | Status
python-pip        | plucky   |                                  | not-affected
python-pip        | oracular |                                  | not-affected
python-pip        | noble    |                                  | not-affected
python-pip        | jammy    |                                  | not-affected
python-pip        | focal    | 20.0.2-5ubuntu1.10+esm2          | released
python-pip        | bionic   | 9.0.1-2.3~ubuntu1.18.04.8+esm4   | released
python-pip        | xenial   | 8.1.1-2ubuntu0.6+esm8            | released
python-pip        | trusty   | 1.5.4-1ubuntu4+esm5              | released
python-setuptools | plucky   |                                  | dne
python-setuptools | oracular |                                  | dne
python-setuptools | noble    |                                  | dne
python-setuptools | jammy    | 44.1.1-1.2ubuntu0.22.04.1+esm1   | released
python-setuptools | focal    | 44.0.0-2ubuntu0.1+esm1           | released
python-setuptools | bionic   | 39.0.1-2ubuntu0.1+esm1           | released
python-setuptools | xenial   | 20.7.0-1ubuntu0.1~esm2           | released
python-setuptools | trusty   | 3.3-1ubuntu2+esm2                | released
setuptools        | plucky   |                                  | not-affected
setuptools        | oracular |                                  | not-affected
setuptools        | noble    | 68.1.2-2ubuntu1.1                | released
setuptools        | jammy    | 59.6.0-1.2ubuntu0.22.04.2        | released
setuptools        | focal    | 45.2.0-1ubuntu0.2                | released

Status "released" means the fix has been published in the listed package version; "dne" means the package does not exist in that release.