cvelistv5 - cve-2022-21668

CVE-2022-21668 (GCVE-0-2022-21668)

Vulnerability from cvelistv5

Published

2022-01-10 20:20

Modified

2024-08-03 02:46

Severity ?

8.0 (High) - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H

CWE

CWE-20 - Improper Input Validation
CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')
CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CWE-427 - Uncontrolled Search Path Element
CWE-791 - Incomplete Filtering of Special Elements

Summary

pipenv is a Python development workflow tool. Starting with version 2018.10.9 and prior to version 2022.1.8, a flaw in pipenv's parsing of requirements files allows an attacker to insert a specially crafted string inside a comment anywhere within a requirements.txt file, which will cause victims who use pipenv to install the requirements file to download dependencies from a package index server controlled by the attacker. By embedding malicious code in packages served from their malicious index server, the attacker can trigger arbitrary remote code execution (RCE) on the victims' systems. If an attacker is able to hide a malicious `--index-url` option in a requirements file that a victim installs with pipenv, the attacker can embed arbitrary malicious code in packages served from their malicious index server that will be executed on the victim's host during installation (remote code execution/RCE). When pip installs from a source distribution, any code in the setup.py is executed by the install process. This issue is patched in version 2022.1.8. The GitHub Security Advisory contains more information about this vulnerability.

References

►

URL

Tags

security-advisories@github.com	https://github.com/pypa/pipenv/commit/439782a8ae36c4762c88e43d5f0d8e563371b46f	Patch, Third Party Advisory
security-advisories@github.com	https://github.com/pypa/pipenv/releases/tag/v2022.1.8	Release Notes, Third Party Advisory
security-advisories@github.com	https://github.com/pypa/pipenv/security/advisories/GHSA-qc9x-gjcv-465w	Exploit, Third Party Advisory
security-advisories@github.com	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/56HBA3EOSLEDNCCBJVHE6DO34P56EOUM/	Mailing List
security-advisories@github.com	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KCROBYHUS6DKQPCXBRPCZ5CDBNQTYAWT/	Mailing List
security-advisories@github.com	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QHQRIWKDP3SVJABAPEXBIQPKDI6UP7G4/	Mailing List
af854a3a-2127-422b-91ae-364da2661108	https://github.com/pypa/pipenv/commit/439782a8ae36c4762c88e43d5f0d8e563371b46f	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/pypa/pipenv/releases/tag/v2022.1.8	Release Notes, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/pypa/pipenv/security/advisories/GHSA-qc9x-gjcv-465w	Exploit, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/56HBA3EOSLEDNCCBJVHE6DO34P56EOUM/	Mailing List
af854a3a-2127-422b-91ae-364da2661108	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KCROBYHUS6DKQPCXBRPCZ5CDBNQTYAWT/	Mailing List
af854a3a-2127-422b-91ae-364da2661108	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QHQRIWKDP3SVJABAPEXBIQPKDI6UP7G4/	Mailing List

Impacted products

	Vendor	Product	Version
	pypa	pipenv	Version: >= 2018.10.9, < 2022.1.8

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T02:46:39.543Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/pypa/pipenv/security/advisories/GHSA-qc9x-gjcv-465w"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/pypa/pipenv/commit/439782a8ae36c4762c88e43d5f0d8e563371b46f"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/pypa/pipenv/releases/tag/v2022.1.8"
          },
          {
            "name": "FEDORA-2022-77ce20f03a",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QHQRIWKDP3SVJABAPEXBIQPKDI6UP7G4/"
          },
          {
            "name": "FEDORA-2022-508e460384",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KCROBYHUS6DKQPCXBRPCZ5CDBNQTYAWT/"
          },
          {
            "name": "FEDORA-2022-0d007466b3",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/56HBA3EOSLEDNCCBJVHE6DO34P56EOUM/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "pipenv",
          "vendor": "pypa",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 2018.10.9, \u003c 2022.1.8"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "pipenv is a Python development workflow tool. Starting with version 2018.10.9 and prior to version 2022.1.8, a flaw in pipenv\u0027s parsing of requirements files allows an attacker to insert a specially crafted string inside a comment anywhere within a requirements.txt file, which will cause victims who use pipenv to install the requirements file to download dependencies from a package index server controlled by the attacker. By embedding malicious code in packages served from their malicious index server, the attacker can trigger arbitrary remote code execution (RCE) on the victims\u0027 systems. If an attacker is able to hide a malicious `--index-url` option in a requirements file that a victim installs with pipenv, the attacker can embed arbitrary malicious code in packages served from their malicious index server that will be executed on the victim\u0027s host during installation (remote code execution/RCE). When pip installs from a source distribution, any code in the setup.py is executed by the install process. This issue is patched in version 2022.1.8. The GitHub Security Advisory contains more information about this vulnerability."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-20",
              "description": "CWE-20: Improper Input Validation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-77",
              "description": "CWE-77: Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-78",
              "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-427",
              "description": "CWE-427: Uncontrolled Search Path Element",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-791",
              "description": "CWE-791: Incomplete Filtering of Special Elements",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-03-26T17:06:41",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/pypa/pipenv/security/advisories/GHSA-qc9x-gjcv-465w"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/pypa/pipenv/commit/439782a8ae36c4762c88e43d5f0d8e563371b46f"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/pypa/pipenv/releases/tag/v2022.1.8"
        },
        {
          "name": "FEDORA-2022-77ce20f03a",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QHQRIWKDP3SVJABAPEXBIQPKDI6UP7G4/"
        },
        {
          "name": "FEDORA-2022-508e460384",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KCROBYHUS6DKQPCXBRPCZ5CDBNQTYAWT/"
        },
        {
          "name": "FEDORA-2022-0d007466b3",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/56HBA3EOSLEDNCCBJVHE6DO34P56EOUM/"
        }
      ],
      "source": {
        "advisory": "GHSA-qc9x-gjcv-465w",
        "discovery": "UNKNOWN"
      },
      "title": "Pipenv\u0027s requirements.txt parsing allows malicious index url in comments",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2022-21668",
          "STATE": "PUBLIC",
          "TITLE": "Pipenv\u0027s requirements.txt parsing allows malicious index url in comments"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "pipenv",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003e= 2018.10.9, \u003c 2022.1.8"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "pypa"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "pipenv is a Python development workflow tool. Starting with version 2018.10.9 and prior to version 2022.1.8, a flaw in pipenv\u0027s parsing of requirements files allows an attacker to insert a specially crafted string inside a comment anywhere within a requirements.txt file, which will cause victims who use pipenv to install the requirements file to download dependencies from a package index server controlled by the attacker. By embedding malicious code in packages served from their malicious index server, the attacker can trigger arbitrary remote code execution (RCE) on the victims\u0027 systems. If an attacker is able to hide a malicious `--index-url` option in a requirements file that a victim installs with pipenv, the attacker can embed arbitrary malicious code in packages served from their malicious index server that will be executed on the victim\u0027s host during installation (remote code execution/RCE). When pip installs from a source distribution, any code in the setup.py is executed by the install process. This issue is patched in version 2022.1.8. The GitHub Security Advisory contains more information about this vulnerability."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-20: Improper Input Validation"
                }
              ]
            },
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-77: Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)"
                }
              ]
            },
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)"
                }
              ]
            },
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-427: Uncontrolled Search Path Element"
                }
              ]
            },
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-791: Incomplete Filtering of Special Elements"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/pypa/pipenv/security/advisories/GHSA-qc9x-gjcv-465w",
              "refsource": "CONFIRM",
              "url": "https://github.com/pypa/pipenv/security/advisories/GHSA-qc9x-gjcv-465w"
            },
            {
              "name": "https://github.com/pypa/pipenv/commit/439782a8ae36c4762c88e43d5f0d8e563371b46f",
              "refsource": "MISC",
              "url": "https://github.com/pypa/pipenv/commit/439782a8ae36c4762c88e43d5f0d8e563371b46f"
            },
            {
              "name": "https://github.com/pypa/pipenv/releases/tag/v2022.1.8",
              "refsource": "MISC",
              "url": "https://github.com/pypa/pipenv/releases/tag/v2022.1.8"
            },
            {
              "name": "FEDORA-2022-77ce20f03a",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QHQRIWKDP3SVJABAPEXBIQPKDI6UP7G4/"
            },
            {
              "name": "FEDORA-2022-508e460384",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KCROBYHUS6DKQPCXBRPCZ5CDBNQTYAWT/"
            },
            {
              "name": "FEDORA-2022-0d007466b3",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/56HBA3EOSLEDNCCBJVHE6DO34P56EOUM/"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-qc9x-gjcv-465w",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2022-21668",
    "datePublished": "2022-01-10T20:20:16",
    "dateReserved": "2021-11-16T00:00:00",
    "dateUpdated": "2024-08-03T02:46:39.543Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2022-21668\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2022-01-10T21:15:07.853\",\"lastModified\":\"2024-11-21T06:45:11.590\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"pipenv is a Python development workflow tool. Starting with version 2018.10.9 and prior to version 2022.1.8, a flaw in pipenv\u0027s parsing of requirements files allows an attacker to insert a specially crafted string inside a comment anywhere within a requirements.txt file, which will cause victims who use pipenv to install the requirements file to download dependencies from a package index server controlled by the attacker. By embedding malicious code in packages served from their malicious index server, the attacker can trigger arbitrary remote code execution (RCE) on the victims\u0027 systems. If an attacker is able to hide a malicious `--index-url` option in a requirements file that a victim installs with pipenv, the attacker can embed arbitrary malicious code in packages served from their malicious index server that will be executed on the victim\u0027s host during installation (remote code execution/RCE). When pip installs from a source distribution, any code in the setup.py is executed by the install process. This issue is patched in version 2022.1.8. The GitHub Security Advisory contains more information about this vulnerability.\"},{\"lang\":\"es\",\"value\":\"pipenv es una herramienta de flujo de trabajo de desarrollo de Python. A partir de la versi\u00f3n 2018.10.9 y versiones anteriores a 2022.1.8, un defecto en el an\u00e1lisis de archivos de requisitos de pipenv permite a un atacante insertar una cadena especialmente dise\u00f1ada dentro de un comentario en cualquier lugar dentro de un archivo requirements.txt, lo que causar\u00e1 que las v\u00edctimas que usan pipenv para instalar el archivo de requisitos descarguen dependencias de un servidor de \u00edndice de paquetes controlado por el atacante. Al insertar c\u00f3digo malicioso en los paquetes servidos desde su servidor de \u00edndice malicioso, el atacante puede desencadenar una ejecuci\u00f3n de c\u00f3digo remota (RCE) arbitraria en los sistemas de las v\u00edctimas. Si un atacante es capaz de ocultar una opci\u00f3n maliciosa \\\"--index-url\\\" en un archivo de requisitos que una v\u00edctima instala con pipenv, el atacante puede insertar c\u00f3digo malicioso arbitrario en paquetes servidos desde su servidor de \u00edndice malicioso que ser\u00e1 ejecutado en el host de la v\u00edctima durante la instalaci\u00f3n (ejecuci\u00f3n de c\u00f3digo remota/RCE). Cuando pip instala desde una distribuci\u00f3n de origen, cualquier c\u00f3digo en el archivo setup.py es ejecutado por el proceso de instalaci\u00f3n. Este problema est\u00e1 parcheado en versi\u00f3n 2022.1.8. El aviso de seguridad de GitHub contiene m\u00e1s informaci\u00f3n sobre esta vulnerabilidad\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H\",\"baseScore\":8.0,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.3,\"impactScore\":6.0},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H\",\"baseScore\":8.6,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":6.0}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:C/I:C/A:C\",\"baseScore\":9.3,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"COMPLETE\",\"integrityImpact\":\"COMPLETE\",\"availabilityImpact\":\"COMPLETE\"},\"baseSeverity\":\"HIGH\",\"exploitabilityScore\":8.6,\"impactScore\":10.0,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":true}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-20\"},{\"lang\":\"en\",\"value\":\"CWE-77\"},{\"lang\":\"en\",\"value\":\"CWE-78\"},{\"lang\":\"en\",\"value\":\"CWE-427\"},{\"lang\":\"en\",\"value\":\"CWE-791\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-190\"},{\"lang\":\"en\",\"value\":\"CWE-1284\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:pypa:pipenv:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2018.10.9\",\"versionEndExcluding\":\"2022.1.8\",\"matchCriteriaId\":\"1E34F343-93E1-4EB7-A3AC-C89D14AA14EF\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A930E247-0B43-43CB-98FF-6CE7B8189835\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"80E516C0-98A4-4ADE-B69F-66A772E2BAAA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"5C675112-476C-4D7C-BCB9-A2FB2D0BC9FD\"}]}]}],\"references\":[{\"url\":\"https://github.com/pypa/pipenv/commit/439782a8ae36c4762c88e43d5f0d8e563371b46f\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/pypa/pipenv/releases/tag/v2022.1.8\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/pypa/pipenv/security/advisories/GHSA-qc9x-gjcv-465w\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/56HBA3EOSLEDNCCBJVHE6DO34P56EOUM/\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Mailing List\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KCROBYHUS6DKQPCXBRPCZ5CDBNQTYAWT/\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Mailing List\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QHQRIWKDP3SVJABAPEXBIQPKDI6UP7G4/\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Mailing List\"]},{\"url\":\"https://github.com/pypa/pipenv/commit/439782a8ae36c4762c88e43d5f0d8e563371b46f\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/pypa/pipenv/releases/tag/v2022.1.8\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Release Notes\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/pypa/pipenv/security/advisories/GHSA-qc9x-gjcv-465w\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/56HBA3EOSLEDNCCBJVHE6DO34P56EOUM/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KCROBYHUS6DKQPCXBRPCZ5CDBNQTYAWT/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QHQRIWKDP3SVJABAPEXBIQPKDI6UP7G4/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\"]}]}}"
  }
}

fkie_cve-2022-21668

Vulnerability from fkie_nvd

Published

2022-01-10 21:15

Modified

2024-11-21 06:45

Severity ?

8.0 (High) - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
8.6 (High) - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/pypa/pipenv/commit/439782a8ae36c4762c88e43d5f0d8e563371b46f	Patch, Third Party Advisory
security-advisories@github.com	https://github.com/pypa/pipenv/releases/tag/v2022.1.8	Release Notes, Third Party Advisory
security-advisories@github.com	https://github.com/pypa/pipenv/security/advisories/GHSA-qc9x-gjcv-465w	Exploit, Third Party Advisory
security-advisories@github.com	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/56HBA3EOSLEDNCCBJVHE6DO34P56EOUM/	Mailing List
security-advisories@github.com	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KCROBYHUS6DKQPCXBRPCZ5CDBNQTYAWT/	Mailing List
security-advisories@github.com	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QHQRIWKDP3SVJABAPEXBIQPKDI6UP7G4/	Mailing List
af854a3a-2127-422b-91ae-364da2661108	https://github.com/pypa/pipenv/commit/439782a8ae36c4762c88e43d5f0d8e563371b46f	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/pypa/pipenv/releases/tag/v2022.1.8	Release Notes, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/pypa/pipenv/security/advisories/GHSA-qc9x-gjcv-465w	Exploit, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/56HBA3EOSLEDNCCBJVHE6DO34P56EOUM/	Mailing List
af854a3a-2127-422b-91ae-364da2661108	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KCROBYHUS6DKQPCXBRPCZ5CDBNQTYAWT/	Mailing List
af854a3a-2127-422b-91ae-364da2661108	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QHQRIWKDP3SVJABAPEXBIQPKDI6UP7G4/	Mailing List

Impacted products

Vendor	Product	Version
pypa	pipenv	*
fedoraproject	fedora	34
fedoraproject	fedora	35
fedoraproject	fedora	36

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:pypa:pipenv:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "1E34F343-93E1-4EB7-A3AC-C89D14AA14EF",
              "versionEndExcluding": "2022.1.8",
              "versionStartIncluding": "2018.10.9",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*",
              "matchCriteriaId": "A930E247-0B43-43CB-98FF-6CE7B8189835",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*",
              "matchCriteriaId": "80E516C0-98A4-4ADE-B69F-66A772E2BAAA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*",
              "matchCriteriaId": "5C675112-476C-4D7C-BCB9-A2FB2D0BC9FD",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "pipenv is a Python development workflow tool. Starting with version 2018.10.9 and prior to version 2022.1.8, a flaw in pipenv\u0027s parsing of requirements files allows an attacker to insert a specially crafted string inside a comment anywhere within a requirements.txt file, which will cause victims who use pipenv to install the requirements file to download dependencies from a package index server controlled by the attacker. By embedding malicious code in packages served from their malicious index server, the attacker can trigger arbitrary remote code execution (RCE) on the victims\u0027 systems. If an attacker is able to hide a malicious `--index-url` option in a requirements file that a victim installs with pipenv, the attacker can embed arbitrary malicious code in packages served from their malicious index server that will be executed on the victim\u0027s host during installation (remote code execution/RCE). When pip installs from a source distribution, any code in the setup.py is executed by the install process. This issue is patched in version 2022.1.8. The GitHub Security Advisory contains more information about this vulnerability."
    },
    {
      "lang": "es",
      "value": "pipenv es una herramienta de flujo de trabajo de desarrollo de Python. A partir de la versi\u00f3n 2018.10.9 y versiones anteriores a 2022.1.8, un defecto en el an\u00e1lisis de archivos de requisitos de pipenv permite a un atacante insertar una cadena especialmente dise\u00f1ada dentro de un comentario en cualquier lugar dentro de un archivo requirements.txt, lo que causar\u00e1 que las v\u00edctimas que usan pipenv para instalar el archivo de requisitos descarguen dependencias de un servidor de \u00edndice de paquetes controlado por el atacante. Al insertar c\u00f3digo malicioso en los paquetes servidos desde su servidor de \u00edndice malicioso, el atacante puede desencadenar una ejecuci\u00f3n de c\u00f3digo remota (RCE) arbitraria en los sistemas de las v\u00edctimas. Si un atacante es capaz de ocultar una opci\u00f3n maliciosa \"--index-url\" en un archivo de requisitos que una v\u00edctima instala con pipenv, el atacante puede insertar c\u00f3digo malicioso arbitrario en paquetes servidos desde su servidor de \u00edndice malicioso que ser\u00e1 ejecutado en el host de la v\u00edctima durante la instalaci\u00f3n (ejecuci\u00f3n de c\u00f3digo remota/RCE). Cuando pip instala desde una distribuci\u00f3n de origen, cualquier c\u00f3digo en el archivo setup.py es ejecutado por el proceso de instalaci\u00f3n. Este problema est\u00e1 parcheado en versi\u00f3n 2022.1.8. El aviso de seguridad de GitHub contiene m\u00e1s informaci\u00f3n sobre esta vulnerabilidad"
    }
  ],
  "id": "CVE-2022-21668",
  "lastModified": "2024-11-21T06:45:11.590",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "HIGH",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "COMPLETE",
          "baseScore": 9.3,
          "confidentialityImpact": "COMPLETE",
          "integrityImpact": "COMPLETE",
          "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 10.0,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.0,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.3,
        "impactScore": 6.0,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 8.6,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 6.0,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-01-10T21:15:07.853",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/pypa/pipenv/commit/439782a8ae36c4762c88e43d5f0d8e563371b46f"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes",
        "Third Party Advisory"
      ],
      "url": "https://github.com/pypa/pipenv/releases/tag/v2022.1.8"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://github.com/pypa/pipenv/security/advisories/GHSA-qc9x-gjcv-465w"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Mailing List"
      ],
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/56HBA3EOSLEDNCCBJVHE6DO34P56EOUM/"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Mailing List"
      ],
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KCROBYHUS6DKQPCXBRPCZ5CDBNQTYAWT/"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Mailing List"
      ],
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QHQRIWKDP3SVJABAPEXBIQPKDI6UP7G4/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/pypa/pipenv/commit/439782a8ae36c4762c88e43d5f0d8e563371b46f"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes",
        "Third Party Advisory"
      ],
      "url": "https://github.com/pypa/pipenv/releases/tag/v2022.1.8"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://github.com/pypa/pipenv/security/advisories/GHSA-qc9x-gjcv-465w"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List"
      ],
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/56HBA3EOSLEDNCCBJVHE6DO34P56EOUM/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List"
      ],
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KCROBYHUS6DKQPCXBRPCZ5CDBNQTYAWT/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List"
      ],
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QHQRIWKDP3SVJABAPEXBIQPKDI6UP7G4/"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-20"
        },
        {
          "lang": "en",
          "value": "CWE-77"
        },
        {
          "lang": "en",
          "value": "CWE-78"
        },
        {
          "lang": "en",
          "value": "CWE-427"
        },
        {
          "lang": "en",
          "value": "CWE-791"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-190"
        },
        {
          "lang": "en",
          "value": "CWE-1284"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

gsd-2022-21668

Vulnerability from gsd

Modified

2023-12-13 01:19

Details

Aliases

CVE-2022-21668

Aliases

CVE-2022-21668

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2022-21668",
    "description": "pipenv is a Python development workflow tool. Starting with version 2018.10.9 and prior to version 2022.1.8, a flaw in pipenv\u0027s parsing of requirements files allows an attacker to insert a specially crafted string inside a comment anywhere within a requirements.txt file, which will cause victims who use pipenv to install the requirements file to download dependencies from a package index server controlled by the attacker. By embedding malicious code in packages served from their malicious index server, the attacker can trigger arbitrary remote code execution (RCE) on the victims\u0027 systems. If an attacker is able to hide a malicious `--index-url` option in a requirements file that a victim installs with pipenv, the attacker can embed arbitrary malicious code in packages served from their malicious index server that will be executed on the victim\u0027s host during installation (remote code execution/RCE). When pip installs from a source distribution, any code in the setup.py is executed by the install process. This issue is patched in version 2022.1.8. The GitHub Security Advisory contains more information about this vulnerability.",
    "id": "GSD-2022-21668"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2022-21668"
      ],
      "details": "pipenv is a Python development workflow tool. Starting with version 2018.10.9 and prior to version 2022.1.8, a flaw in pipenv\u0027s parsing of requirements files allows an attacker to insert a specially crafted string inside a comment anywhere within a requirements.txt file, which will cause victims who use pipenv to install the requirements file to download dependencies from a package index server controlled by the attacker. By embedding malicious code in packages served from their malicious index server, the attacker can trigger arbitrary remote code execution (RCE) on the victims\u0027 systems. If an attacker is able to hide a malicious `--index-url` option in a requirements file that a victim installs with pipenv, the attacker can embed arbitrary malicious code in packages served from their malicious index server that will be executed on the victim\u0027s host during installation (remote code execution/RCE). When pip installs from a source distribution, any code in the setup.py is executed by the install process. This issue is patched in version 2022.1.8. The GitHub Security Advisory contains more information about this vulnerability.",
      "id": "GSD-2022-21668",
      "modified": "2023-12-13T01:19:14.865125Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2022-21668",
        "STATE": "PUBLIC",
        "TITLE": "Pipenv\u0027s requirements.txt parsing allows malicious index url in comments"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "pipenv",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "\u003e= 2018.10.9, \u003c 2022.1.8"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "pypa"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "pipenv is a Python development workflow tool. Starting with version 2018.10.9 and prior to version 2022.1.8, a flaw in pipenv\u0027s parsing of requirements files allows an attacker to insert a specially crafted string inside a comment anywhere within a requirements.txt file, which will cause victims who use pipenv to install the requirements file to download dependencies from a package index server controlled by the attacker. By embedding malicious code in packages served from their malicious index server, the attacker can trigger arbitrary remote code execution (RCE) on the victims\u0027 systems. If an attacker is able to hide a malicious `--index-url` option in a requirements file that a victim installs with pipenv, the attacker can embed arbitrary malicious code in packages served from their malicious index server that will be executed on the victim\u0027s host during installation (remote code execution/RCE). When pip installs from a source distribution, any code in the setup.py is executed by the install process. This issue is patched in version 2022.1.8. The GitHub Security Advisory contains more information about this vulnerability."
          }
        ]
      },
      "impact": {
        "cvss": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.0,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H",
          "version": "3.1"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-20: Improper Input Validation"
              }
            ]
          },
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-77: Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)"
              }
            ]
          },
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)"
              }
            ]
          },
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-427: Uncontrolled Search Path Element"
              }
            ]
          },
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-791: Incomplete Filtering of Special Elements"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/pypa/pipenv/security/advisories/GHSA-qc9x-gjcv-465w",
            "refsource": "CONFIRM",
            "url": "https://github.com/pypa/pipenv/security/advisories/GHSA-qc9x-gjcv-465w"
          },
          {
            "name": "https://github.com/pypa/pipenv/commit/439782a8ae36c4762c88e43d5f0d8e563371b46f",
            "refsource": "MISC",
            "url": "https://github.com/pypa/pipenv/commit/439782a8ae36c4762c88e43d5f0d8e563371b46f"
          },
          {
            "name": "https://github.com/pypa/pipenv/releases/tag/v2022.1.8",
            "refsource": "MISC",
            "url": "https://github.com/pypa/pipenv/releases/tag/v2022.1.8"
          },
          {
            "name": "FEDORA-2022-77ce20f03a",
            "refsource": "FEDORA",
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QHQRIWKDP3SVJABAPEXBIQPKDI6UP7G4/"
          },
          {
            "name": "FEDORA-2022-508e460384",
            "refsource": "FEDORA",
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KCROBYHUS6DKQPCXBRPCZ5CDBNQTYAWT/"
          },
          {
            "name": "FEDORA-2022-0d007466b3",
            "refsource": "FEDORA",
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/56HBA3EOSLEDNCCBJVHE6DO34P56EOUM/"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-qc9x-gjcv-465w",
        "discovery": "UNKNOWN"
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003e=2018.10.9,\u003c2022.1.8",
          "affected_versions": "All versions starting from 2018.10.9 before 2022.1.8",
          "cvss_v2": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
          "cvss_v3": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-78",
            "CWE-937"
          ],
          "date": "2022-01-12",
          "description": "pipenv is a Python development workflow tool. Starting with and, a flaw in pipenv\u0027s parsing of requirements files allows an attacker to insert a specially crafted string inside a comment anywhere within a requirements.txt file, which will cause victims who use pipenv to install the requirements file to download dependencies from a package index server controlled by the attacker. By embedding malicious code in packages served from their malicious index server, the attacker can trigger arbitrary remote code execution (RCE) on the victims\u0027 systems. If an attacker is able to hide a malicious `--index-url` option in a requirements file that a victim installs with pipenv, the attacker can embed arbitrary malicious code in packages served from their malicious index server that will be executed on the victim\u0027s host during installation (remote code execution/RCE). When pip installs from a source distribution, any code in the setup.py is executed by the install process.",
          "fixed_versions": [
            "2022.1.8"
          ],
          "identifier": "CVE-2022-21668",
          "identifiers": [
            "GHSA-qc9x-gjcv-465w",
            "CVE-2022-21668"
          ],
          "not_impacted": "All versions before 2018.10.9, all versions starting from 2022.1.8",
          "package_slug": "pypi/pipenv",
          "pubdate": "2022-01-12",
          "solution": "Upgrade to version 2022.1.8 or above.",
          "title": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
          "urls": [
            "https://github.com/pypa/pipenv/security/advisories/GHSA-qc9x-gjcv-465w",
            "https://github.com/pypa/pipenv/commit/439782a8ae36c4762c88e43d5f0d8e563371b46f",
            "https://nvd.nist.gov/vuln/detail/CVE-2022-21668",
            "https://github.com/pypa/pipenv/releases/tag/v2022.1.8",
            "https://github.com/advisories/GHSA-qc9x-gjcv-465w"
          ],
          "uuid": "b2ab9838-0c2b-4fc8-8ecd-74fb2b7d81a3"
        }
      ]
    },
    "nvd.nist.gov": {
      "cve": {
        "configurations": [
          {
            "nodes": [
              {
                "cpeMatch": [
                  {
                    "criteria": "cpe:2.3:a:pypa:pipenv:*:*:*:*:*:*:*:*",
                    "matchCriteriaId": "1E34F343-93E1-4EB7-A3AC-C89D14AA14EF",
                    "versionEndExcluding": "2022.1.8",
                    "versionStartIncluding": "2018.10.9",
                    "vulnerable": true
                  }
                ],
                "negate": false,
                "operator": "OR"
              }
            ]
          },
          {
            "nodes": [
              {
                "cpeMatch": [
                  {
                    "criteria": "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*",
                    "matchCriteriaId": "A930E247-0B43-43CB-98FF-6CE7B8189835",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*",
                    "matchCriteriaId": "80E516C0-98A4-4ADE-B69F-66A772E2BAAA",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*",
                    "matchCriteriaId": "5C675112-476C-4D7C-BCB9-A2FB2D0BC9FD",
                    "vulnerable": true
                  }
                ],
                "negate": false,
                "operator": "OR"
              }
            ]
          }
        ],
        "descriptions": [
          {
            "lang": "en",
            "value": "pipenv is a Python development workflow tool. Starting with version 2018.10.9 and prior to version 2022.1.8, a flaw in pipenv\u0027s parsing of requirements files allows an attacker to insert a specially crafted string inside a comment anywhere within a requirements.txt file, which will cause victims who use pipenv to install the requirements file to download dependencies from a package index server controlled by the attacker. By embedding malicious code in packages served from their malicious index server, the attacker can trigger arbitrary remote code execution (RCE) on the victims\u0027 systems. If an attacker is able to hide a malicious `--index-url` option in a requirements file that a victim installs with pipenv, the attacker can embed arbitrary malicious code in packages served from their malicious index server that will be executed on the victim\u0027s host during installation (remote code execution/RCE). When pip installs from a source distribution, any code in the setup.py is executed by the install process. This issue is patched in version 2022.1.8. The GitHub Security Advisory contains more information about this vulnerability."
          },
          {
            "lang": "es",
            "value": "pipenv es una herramienta de flujo de trabajo de desarrollo de Python. A partir de la versi\u00f3n 2018.10.9 y versiones anteriores a 2022.1.8, un defecto en el an\u00e1lisis de archivos de requisitos de pipenv permite a un atacante insertar una cadena especialmente dise\u00f1ada dentro de un comentario en cualquier lugar dentro de un archivo requirements.txt, lo que causar\u00e1 que las v\u00edctimas que usan pipenv para instalar el archivo de requisitos descarguen dependencias de un servidor de \u00edndice de paquetes controlado por el atacante. Al insertar c\u00f3digo malicioso en los paquetes servidos desde su servidor de \u00edndice malicioso, el atacante puede desencadenar una ejecuci\u00f3n de c\u00f3digo remota (RCE) arbitraria en los sistemas de las v\u00edctimas. Si un atacante es capaz de ocultar una opci\u00f3n maliciosa \"--index-url\" en un archivo de requisitos que una v\u00edctima instala con pipenv, el atacante puede insertar c\u00f3digo malicioso arbitrario en paquetes servidos desde su servidor de \u00edndice malicioso que ser\u00e1 ejecutado en el host de la v\u00edctima durante la instalaci\u00f3n (ejecuci\u00f3n de c\u00f3digo remota/RCE). Cuando pip instala desde una distribuci\u00f3n de origen, cualquier c\u00f3digo en el archivo setup.py es ejecutado por el proceso de instalaci\u00f3n. Este problema est\u00e1 parcheado en versi\u00f3n 2022.1.8. El aviso de seguridad de GitHub contiene m\u00e1s informaci\u00f3n sobre esta vulnerabilidad"
          }
        ],
        "id": "CVE-2022-21668",
        "lastModified": "2024-02-07T19:25:22.970",
        "metrics": {
          "cvssMetricV2": [
            {
              "acInsufInfo": false,
              "baseSeverity": "HIGH",
              "cvssData": {
                "accessComplexity": "MEDIUM",
                "accessVector": "NETWORK",
                "authentication": "NONE",
                "availabilityImpact": "COMPLETE",
                "baseScore": 9.3,
                "confidentialityImpact": "COMPLETE",
                "integrityImpact": "COMPLETE",
                "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
                "version": "2.0"
              },
              "exploitabilityScore": 8.6,
              "impactScore": 10.0,
              "obtainAllPrivilege": false,
              "obtainOtherPrivilege": false,
              "obtainUserPrivilege": false,
              "source": "nvd@nist.gov",
              "type": "Primary",
              "userInteractionRequired": true
            }
          ],
          "cvssMetricV31": [
            {
              "cvssData": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 8.6,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
                "version": "3.1"
              },
              "exploitabilityScore": 1.8,
              "impactScore": 6.0,
              "source": "nvd@nist.gov",
              "type": "Primary"
            },
            {
              "cvssData": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.0,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H",
                "version": "3.1"
              },
              "exploitabilityScore": 1.3,
              "impactScore": 6.0,
              "source": "security-advisories@github.com",
              "type": "Secondary"
            }
          ]
        },
        "published": "2022-01-10T21:15:07.853",
        "references": [
          {
            "source": "security-advisories@github.com",
            "tags": [
              "Patch",
              "Third Party Advisory"
            ],
            "url": "https://github.com/pypa/pipenv/commit/439782a8ae36c4762c88e43d5f0d8e563371b46f"
          },
          {
            "source": "security-advisories@github.com",
            "tags": [
              "Release Notes",
              "Third Party Advisory"
            ],
            "url": "https://github.com/pypa/pipenv/releases/tag/v2022.1.8"
          },
          {
            "source": "security-advisories@github.com",
            "tags": [
              "Exploit",
              "Third Party Advisory"
            ],
            "url": "https://github.com/pypa/pipenv/security/advisories/GHSA-qc9x-gjcv-465w"
          },
          {
            "source": "security-advisories@github.com",
            "tags": [
              "Mailing List"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/56HBA3EOSLEDNCCBJVHE6DO34P56EOUM/"
          },
          {
            "source": "security-advisories@github.com",
            "tags": [
              "Mailing List"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KCROBYHUS6DKQPCXBRPCZ5CDBNQTYAWT/"
          },
          {
            "source": "security-advisories@github.com",
            "tags": [
              "Mailing List"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QHQRIWKDP3SVJABAPEXBIQPKDI6UP7G4/"
          }
        ],
        "sourceIdentifier": "security-advisories@github.com",
        "vulnStatus": "Analyzed",
        "weaknesses": [
          {
            "description": [
              {
                "lang": "en",
                "value": "CWE-1284"
              },
              {
                "lang": "en",
                "value": "CWE-190"
              }
            ],
            "source": "nvd@nist.gov",
            "type": "Primary"
          },
          {
            "description": [
              {
                "lang": "en",
                "value": "CWE-20"
              },
              {
                "lang": "en",
                "value": "CWE-427"
              },
              {
                "lang": "en",
                "value": "CWE-77"
              },
              {
                "lang": "en",
                "value": "CWE-78"
              },
              {
                "lang": "en",
                "value": "CWE-791"
              }
            ],
            "source": "security-advisories@github.com",
            "type": "Secondary"
          }
        ]
      }
    }
  }
}

pysec-2022-6

Vulnerability from pysec

Published

2022-01-10 21:15

Modified

2022-01-19 19:22

Details

pipenv is a Python development workflow tool. Starting with version 2018.10.9 and prior to version 2022.1.8, a flaw in pipenv's parsing of requirements files allows an attacker to insert a specially crafted string inside a comment anywhere within a requirements.txt file, which will cause victims who use pipenv to install the requirements file to download dependencies from a package index server controlled by the attacker. By embedding malicious code in packages served from their malicious index server, the attacker can trigger arbitrary remote code execution (RCE) on the victims' systems. If an attacker is able to hide a malicious --index-url option in a requirements file that a victim installs with pipenv, the attacker can embed arbitrary malicious code in packages served from their malicious index server that will be executed on the victim's host during installation (remote code execution/RCE). When pip installs from a source distribution, any code in the setup.py is executed by the install process. This issue is patched in version 2022.1.8. The GitHub Security Advisory contains more information about this vulnerability.

Impacted products

Name	purl
pipenv	pkg:pypi/pipenv

Aliases

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "pipenv",
        "purl": "pkg:pypi/pipenv"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "439782a8ae36c4762c88e43d5f0d8e563371b46f"
            }
          ],
          "repo": "https://github.com/pypa/pipenv",
          "type": "GIT"
        },
        {
          "events": [
            {
              "introduced": "2018.10.9"
            },
            {
              "fixed": "2022.1.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "2018.10.13",
        "2018.10.9",
        "2018.11.14",
        "2018.11.26",
        "2020.11.15",
        "2020.11.4",
        "2020.4.1b1",
        "2020.4.1b2",
        "2020.5.28",
        "2020.6.2",
        "2020.8.13",
        "2021.11.15",
        "2021.11.23",
        "2021.11.5",
        "2021.11.5.post0",
        "2021.11.9",
        "2021.5.29"
      ]
    }
  ],
  "aliases": [
    "CVE-2022-21668",
    "GHSA-qc9x-gjcv-465w"
  ],
  "details": "pipenv is a Python development workflow tool. Starting with version 2018.10.9 and prior to version 2022.1.8, a flaw in pipenv\u0027s parsing of requirements files allows an attacker to insert a specially crafted string inside a comment anywhere within a requirements.txt file, which will cause victims who use pipenv to install the requirements file to download dependencies from a package index server controlled by the attacker. By embedding malicious code in packages served from their malicious index server, the attacker can trigger arbitrary remote code execution (RCE) on the victims\u0027 systems. If an attacker is able to hide a malicious `--index-url` option in a requirements file that a victim installs with pipenv, the attacker can embed arbitrary malicious code in packages served from their malicious index server that will be executed on the victim\u0027s host during installation (remote code execution/RCE). When pip installs from a source distribution, any code in the setup.py is executed by the install process. This issue is patched in version 2022.1.8. The GitHub Security Advisory contains more information about this vulnerability.",
  "id": "PYSEC-2022-6",
  "modified": "2022-01-19T19:22:23.694218Z",
  "published": "2022-01-10T21:15:00Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/pypa/pipenv/releases/tag/v2022.1.8"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/pypa/pipenv/security/advisories/GHSA-qc9x-gjcv-465w"
    },
    {
      "type": "FIX",
      "url": "https://github.com/pypa/pipenv/commit/439782a8ae36c4762c88e43d5f0d8e563371b46f"
    }
  ]
}

ghsa-qc9x-gjcv-465w

Vulnerability from github

Published

2022-01-12 22:29

Modified

2024-10-11 21:22

Severity ?

8.0 (High) - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
8.8 (High) - CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Summary

Pipenv's requirements.txt parsing allows malicious index url in comments

Details

Issue Summary

Due to a flaw in pipenv's parsing of requirements files, an attacker can insert a specially crafted string inside a comment anywhere within a requirements.txt file, which will cause victims who use pipenv to install the requirements file (e.g. with "pipenv install -r requirements.txt") to download dependencies from a package index server controlled by the attacker. By embedding malicious code in packages served from their malicious index server, the attacker can trigger arbitrary remote code execution (RCE) on the victims' systems.

Impact

The impact of successful exploitation is severe/critical.

If an attacker is able to hide a malicious --index-url option in a requirements file that a victim installs with pipenv, the attacker can embed arbitrary malicious code in packages served from their malicious index server that will be executed on the victim's host during installation (remote code execution/RCE). Exploitation using this technique would be relatively simple to achieve for an attacker with basic knowledge of Python, as the attacker can simply build a source distribution for any of the packages specified in the requirements file, and embed arbitrary malicious code in the setup.py file. When pip installs from a source distribution, any code in the setup.py is executed by the install process.

Basic attacks might use the initial RCE triggered when a victim installs the attacker's malicious package to steal credentials from the victim's host, leach the host's resources to mine cryptocurrency, or install exploit kits or other malware. More sophisticated attackers may use more advanced techniques to persist access to the victim's host, hide or remove evidence of their attack by deleting references to the malicious index server in the Pipfile and Pipfile.lock generated by pipenv or other potential indicators of compromise. Highly sophisticated attackers could attempt to pivot to additional targets from the initial compromised host, and might leverage any exposed credentials in the compromised host environment or implicit authorization granted to the host to gain privileged access to other systems or resources, such as source repositories or package registries.

Likelihood

The overall likelihood of exploitation is low to moderate depending on a range of factors.

The primary hurdle to successful exploitation of this vulnerability depends on an attacker's ability to surreptitiously insert a specially crafted string into a requirements.txt file which will be installed by a victim (or victims). Unfortunately, because the attacker can insert this string into a comment, the attacker's ability to evade suspicion is greatly increased, and they may even be able to hide the initial payload in plain sight if a victim assumes that comments will be ignored by pipenv as expected.

In many common usage contexts — for example in environments where a requirements file is used to lock or "freeze" dependency versions for reproducible builds — requirements files can often become quite large, particularly when leveraging pip's integrity checking, which requires every dependency specified in the requirements file to includes hashes for all of its distribution files. In such cases, a malicious actor might mask an exploitation attempt by opening a pull request ostensibly to update or "bump" the project's dependencies to their latest versions, but surreptitiously insert a malicious —index-url option amidst the many other changes associated with updating the dependencies in a lock file. As these dependency updates often result in hundreds or even thousands of changes spread across the requirements file and are not easy to review manually, such an attack could be difficult to identify or prevent without tools or other mitigating controls.

Moreover, because the argparse module is used to parse the --index-url, --extra-index-url, and --trusted-host options, an attacker's ability to obfuscate their payload and hide their malicious intent is even more greatly enhanced, as the attacker may use abbreviated option names, which are supported by default with argparse. For example, an attacker can insert the string, "--t pypi.org" into a comment anywhere in the requirements file, which will automatically be expanded to "--trusted-host pypi.org" during processing by pipenv. This "--trusted-host pypi.org" option will disable SSL/TLS validation when pipenv attempts to connect to the default/official package index server (https://pypi.org/simple), and could allow a malicious index server to pose as the pipi.org index server in a man-in-the-middle attack.

Setting up the malicious index server to serve compromised package versions is relatively simple, even for a non-sophisticated attacker. As pip uses a simple directory format for serving packages, the malicious packages simply need to be placed in the correct folder structure and served using an HTTP server with autoindex enabled (e.g. python3 -m http.server).

Packaging up the exploit code into the malicious package versions would also be trivial for an attacker with basic knowledge of Python development, as the attacker can simply clone the source code for any of the packages specified in the requirements file, embed their malicious exploit code in the cloned package's setup.py file, and then build a source distribution of the package. When pip installs a package from a source distribution, any code in the setup.py is executed by the install process.

Additional Context & Details

According to the requirements file format specification (https://pip.pypa.io/en/stable/reference/requirements-file-format/#comments), any lines which begin with a "#" character, and/or any text in a line following a whitespace and a "#" character, should be interpreted as a comment which will be removed/ignored during processing of the requirements file.

However, due to a flaw in pipenv's parsing of requirements files, an attacker can insert a specially crafted string inside a comment anywhere within a requirements.txt file, which will cause victims who use pipenv to install the requirements file (e.g. with "pipenv install -r requirements.txt") to download dependencies from a package index server controlled by the attacker. By embedding malicious code in packages served from their malicious index server, the attacker is then able to gain arbitrary remote code execution on the victims' systems.

The vulnerable requirements file parsing code is in the parse_indexes(str: line) function of the pipenv.utils module:

https://github.com/pypa/pipenv/blob/cdde3f7bcee6bacba89538f73aba9401337be10c/pipenv/utils.py#L2061-L2078

This function is called iteratively on each line of a requirements file, and uses the argparse module to find and process --index-url, --extra-index-url, and --trusted-host options (and variations thereof). However, it does not ignore these options when they appear in comments, or validate that these options appear on their own lines as required by the requirements file specification (see: https://pip.pypa.io/en/stable/reference/requirements-file-format/#global-options). The options can also be abbreviated due to default behavior provided by the argparse.ArgumentParser object used to parse these options in the requirements file, so that --trusted-host and --t will be treated as equivalent by pipenv, for example.

For more information

If you have any questions or comments about this advisory: * Open an issue in https://github.com/pypa/pipenv/ * Contact the pipenv maintainers: * Dan Ryan * Tzu-ping Chung * Nate Prewitt * Contact the contributor who discovered the issue and authored this report: * Chris Passarello

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "pipenv"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2018.10.9"
            },
            {
              "fixed": "2022.1.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-21668"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20",
      "CWE-77"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-01-10T21:52:02Z",
    "nvd_published_at": "2022-01-10T21:15:00Z",
    "severity": "HIGH"
  },
  "details": "## Issue Summary\nDue to a flaw in pipenv\u0027s parsing of requirements files, an attacker can insert a specially crafted string inside a comment anywhere within a requirements.txt file, which will cause victims who use pipenv to install the requirements file (e.g. with \"`pipenv install -r requirements.txt`\") to download dependencies from a package index server controlled by the attacker. By embedding malicious code in packages served from their malicious index server, the attacker can trigger arbitrary remote code execution (RCE) on the victims\u0027 systems.\n\n### Impact\nThe impact of successful exploitation is **severe/critical**.\n\nIf an attacker is able to hide a malicious `--index-url` option in a requirements file that a victim installs with pipenv, the attacker can embed arbitrary malicious code in packages served from their malicious index server that will be executed on the victim\u0027s host during installation (remote code execution/RCE). Exploitation using this technique would be relatively simple to achieve for an attacker with basic knowledge of Python, as the attacker can simply build a source distribution for any of the packages specified in the requirements file, and embed arbitrary malicious code in the setup.py file. When pip installs from a source distribution, any code in the setup.py is executed by the install process.\n\nBasic attacks might use the initial RCE triggered when a victim installs the attacker\u0027s malicious package to steal credentials from the victim\u0027s host, leach the host\u0027s resources to mine cryptocurrency, or install exploit kits or other malware. More sophisticated attackers may use more advanced techniques to persist access to the victim\u0027s host, hide or remove evidence of their attack by deleting references to the malicious index server in the Pipfile and Pipfile.lock generated by pipenv or other potential indicators of compromise. Highly sophisticated attackers could attempt to pivot to additional targets from the initial compromised host, and might leverage any exposed credentials in the compromised host environment or implicit authorization granted to the host to gain privileged access to other systems or resources, such as source repositories or package registries.\n\n### Likelihood\nThe overall likelihood of exploitation is **low to moderate** depending on a range of factors.\n\nThe primary hurdle to successful exploitation of this vulnerability depends on an attacker\u0027s ability to surreptitiously insert a specially crafted string into a requirements.txt file which will be installed by a victim (or victims). Unfortunately, because the attacker can insert this string into a comment, the attacker\u0027s ability to evade suspicion is greatly increased, and they may even be able to hide the initial payload in plain sight if a victim assumes that comments will be ignored by pipenv as expected.\n\nIn many common usage contexts \u2014 for example in environments where a requirements file is used to lock or \"freeze\" dependency versions for reproducible builds \u2014 requirements files can often become quite large, particularly when leveraging pip\u0027s integrity checking, which requires every dependency specified in the requirements file to includes hashes for all of its distribution files. In such cases, a malicious actor might mask an exploitation attempt by opening a pull request ostensibly to update or \"bump\" the project\u0027s dependencies to their latest versions, but surreptitiously insert a malicious `\u2014index-url` option amidst the many other changes associated with updating the dependencies in a lock file. As these dependency updates often result in hundreds or even thousands of changes spread across the requirements file and are not easy to review manually, such an attack could be difficult to identify or prevent without tools or other mitigating controls.\n\nMoreover, because the `argparse` module is used to parse the `--index-url`, `--extra-index-url`, and `--trusted-host` options, an attacker\u0027s ability to obfuscate their payload and hide their malicious intent is even more greatly enhanced, as the attacker may use abbreviated option names, which are supported by default with `argparse`. For example, an attacker can insert the string, \"`--t pypi.org`\" into a comment anywhere in the requirements file, which will automatically be expanded to \"`--trusted-host pypi.org`\" during processing by pipenv. This \"`--trusted-host pypi.org`\" option will disable SSL/TLS validation when pipenv attempts to connect to the default/official package index server (https://pypi.org/simple), and could allow a malicious index server to pose as the pipi.org index server in a man-in-the-middle attack.\n\nSetting up the malicious index server to serve compromised package versions is relatively simple, even for a non-sophisticated attacker. As `pip` uses a simple directory format for serving packages, the malicious packages simply need to be placed in the correct folder structure and served using an HTTP server with autoindex enabled (e.g. `python3 -m http.server`).\n\nPackaging up the exploit code into the malicious package versions would also be trivial for an attacker with basic knowledge of Python development, as the attacker can simply clone the source code for any of the packages specified in the requirements file, embed their malicious exploit code in the cloned package\u0027s setup.py file, and then build a source distribution of the package. When pip installs a package from a source distribution, any code in the setup.py is executed by the install process.\n\n### Additional Context \u0026 Details\nAccording to the requirements file format specification (https://pip.pypa.io/en/stable/reference/requirements-file-format/#comments), any lines which begin with a \"#\" character, and/or any text in a line following a whitespace and a \"#\" character, should be interpreted as a comment which will be removed/ignored during processing of the requirements file.\n\nHowever, due to a flaw in pipenv\u0027s parsing of requirements files, an attacker can insert a specially crafted string inside a comment anywhere within a requirements.txt file, which will cause victims who use pipenv to install the requirements file (e.g. with \"`pipenv install -r requirements.txt`\") to download dependencies from a package index server controlled by the attacker. By embedding malicious code in packages served from their malicious index server, the attacker is then able to gain arbitrary remote code execution on the victims\u0027 systems.\n\nThe vulnerable requirements file parsing code is in the parse_indexes(str: line) function of the pipenv.utils module:\n\nhttps://github.com/pypa/pipenv/blob/cdde3f7bcee6bacba89538f73aba9401337be10c/pipenv/utils.py#L2061-L2078\n\nThis function is called iteratively on each line of a requirements file, and uses the argparse module to find and process `--index-url`, `--extra-index-url`, and `--trusted-host` options (and variations thereof). However, it does not ignore these options when they appear in comments, or validate that these options appear on their own lines as required by the requirements file specification (see: https://pip.pypa.io/en/stable/reference/requirements-file-format/#global-options). The options can also be abbreviated due to default behavior provided by the `argparse.ArgumentParser` object used to parse these options in the requirements file, so that `--trusted-host` and `--t` will be treated as equivalent by pipenv, for example.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [https://github.com/pypa/pipenv/](https://github.com/pypa/pipenv/)\n* Contact the pipenv maintainers:\n  * [Dan Ryan](https://github.com/techalchemy)\n  * [Tzu-ping Chung](https://github.com/uranusjr)\n  * [Nate Prewitt](https://github.com/nateprewitt)\n* Contact the contributor who discovered the issue and authored this report:\n  * [Chris Passarello](https://github.com/milo-minderbinder)",
  "id": "GHSA-qc9x-gjcv-465w",
  "modified": "2024-10-11T21:22:02Z",
  "published": "2022-01-12T22:29:41Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/pypa/pipenv/security/advisories/GHSA-qc9x-gjcv-465w"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21668"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/pipenv/commit/439782a8ae36c4762c88e43d5f0d8e563371b46f"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/pipenv/PYSEC-2022-6.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/pypa/pipenv"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/pipenv/releases/tag/v2022.1.8"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/56HBA3EOSLEDNCCBJVHE6DO34P56EOUM"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KCROBYHUS6DKQPCXBRPCZ5CDBNQTYAWT"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QHQRIWKDP3SVJABAPEXBIQPKDI6UP7G4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Pipenv\u0027s requirements.txt parsing allows malicious index url in comments"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2022-21668 (GCVE-0-2022-21668)

Vulnerability from cvelistv5

fkie_cve-2022-21668

Vulnerability from fkie_nvd

gsd-2022-21668

Vulnerability from gsd

pysec-2022-6

Vulnerability from pysec

ghsa-qc9x-gjcv-465w

Vulnerability from github

Issue Summary

Impact

Likelihood

Additional Context & Details

For more information

Tags

Sightings

Nomenclature