Product:

Pip

(Pypa)
Repositories

Unknown:

This might be proprietary software.
#Vulnerabilities 8
Date Id Summary Products Score Patch Annotated
2020-09-04 CVE-2019-20916 The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py. Debian_linux, Leap, Communications_cloud_native_core_network_function_cloud_native_environment, Communications_cloud_native_core_policy, Pip 7.5
2021-11-10 CVE-2021-3572 A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1. Agile_plm, Communications_cloud_native_core_network_function_cloud_native_environment, Communications_cloud_native_core_policy, Pip 5.7
2014-11-24 CVE-2014-8991 pip 1.3 through 1.5.6 allows local users to cause a denial of service (prevention of package installation) by creating a /tmp/pip-build-* file for another user. Solaris, Pip N/A
2013-08-17 CVE-2013-1888 pip before 1.3 allows local users to overwrite arbitrary files via a symlink attack on a file in the /tmp/pip-build temporary directory. Fedora, Pip N/A
2013-08-06 CVE-2013-1629 pip before 1.3 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which allows man-in-the-middle attackers to execute arbitrary code via a crafted response to a "pip install" operation. Pip N/A
2019-11-05 CVE-2013-5123 The mirroring support (-M, --use-mirrors) in Python Pip before 1.5 uses insecure DNS querying and authenticity checks which allows attackers to perform man-in-the-middle attacks. Debian_linux, Fedora, Pip, Openshift, Software_collections, Virtualenv N/A