CVE-2019-20916
Summary
| CVE | CVE-2019-20916 |
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2020-09-04 20:15:00 UTC |
| Updated | 2022-07-25 18:15:00 UTC |
| Description | The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py. |
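The description above states the root cause: the filename pip wrote the download to came straight from the server-controlled Content-Disposition header, so a `../` sequence escaped the temporary download directory. The block below is an added example, not pip's own code, that reproduces that filename handling in miniature: a path builder that joins the header value unchanged (the pre-19.2 behaviour), a hardened one that reduces the value to its basename (the approach taken in the 19.2 fix), and an independent containment check of the kind a reviewer would want on any download-to-directory code. The header values, the temporary directory name and all function names are constructed for illustration; nothing is written to disk.

```python
import os
from email.message import Message

# Constructed sample headers (not taken from the advisory): the first is what a
# hostile server could return for `pip install https://<host>/pkg.tar.gz`, the
# second is an ordinary download.
MALICIOUS_HEADER = 'attachment; filename="../../../root/.ssh/authorized_keys"'
BENIGN_HEADER = 'attachment; filename="pkg-1.0.tar.gz"'
# Constructed download directory; the example only computes paths.
TEMP_DIR = "/tmp/pip-unpack-example"


def content_disposition_filename(header, default_filename):
    """Extract the filename parameter from a Content-Disposition value.

    email.message.Message handles quoting and RFC 2231 encoding for us; if the
    parameter is absent or empty, fall back to default_filename.
    """
    msg = Message()
    msg["Content-Disposition"] = header
    return msg.get_filename() or default_filename


def vulnerable_download_path(temp_dir, header, default_filename="download"):
    """Pre-19.2 behaviour: the header filename is joined to temp_dir as-is,
    so '../' components walk out of the download directory."""
    filename = content_disposition_filename(header, default_filename)
    return os.path.join(temp_dir, filename)


def fixed_download_path(temp_dir, header, default_filename="download"):
    """Hardened form, same idea as the 19.2 fix: keep only the basename, which
    discards every directory component the server supplied."""
    filename = content_disposition_filename(header, default_filename)
    filename = os.path.basename(filename) or default_filename
    return os.path.join(temp_dir, filename)


def stays_inside(base_dir, path):
    """Containment check: does `path` resolve to a location under base_dir?

    realpath normalises '..' and resolves symlinks in the existing prefix, so
    the comparison is made on canonical paths rather than on raw strings.
    """
    base = os.path.realpath(base_dir)
    target = os.path.realpath(path)
    return os.path.commonpath([base, target]) == base


def compare(temp_dir=TEMP_DIR):
    """Build both path variants for each sample header and report containment."""
    report = {}
    for label, header in (("malicious", MALICIOUS_HEADER), ("benign", BENIGN_HEADER)):
        vuln = vulnerable_download_path(temp_dir, header)
        fixed = fixed_download_path(temp_dir, header)
        report[label] = {
            "vulnerable": (os.path.normpath(vuln), stays_inside(temp_dir, vuln)),
            "fixed": (os.path.normpath(fixed), stays_inside(temp_dir, fixed)),
        }
    return report


if __name__ == "__main__":
    for label, variants in compare().items():
        for variant, (path, inside) in variants.items():
            print(f"{label:9} {variant:10} -> {path}  inside temp dir: {inside}")
```

Running it shows the vulnerable variant resolving the malicious header to /root/.ssh/authorized_keys while the hardened variant keeps it under the download directory. Two practical notes: os.path.basename uses the host's path separator, which is the right behaviour for code that writes to the host filesystem; and when checking exposure, `python -m pip --version` below 19.2 is affected, but the distribution packages listed under Legacy QID Mappings (python-pip, python27, python3 and python-virtualenv, all of which ship a pip) may carry the fix as a backport under an older version string, so consult the distribution advisory rather than the version alone.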
NVD Known Affected Configurations (CPE 2.3)
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| pip install <url> allow directory traversal, leading to arbitrary file write · Issue #6413 · pypa/pip · GitHub | MISC | github.com | Exploit, Patch, Third Party Advisory |
| [SECURITY] [DLA 2370-1] python-pip security update | MLIST | lists.debian.org | Mailing List, Third Party Advisory |
| Oracle Critical Patch Update Advisory - April 2022 | MISC | www.oracle.com | |
| [security-announce] openSUSE-SU-2020:1598-1: moderate: Security update f | SUSE | lists.opensuse.org | Mailing List, Third Party Advisory |
| FIX #6413 pip install <url> allow directory traversal · gzpan123/pip@a4c735b · GitHub | MISC | github.com | Patch, Third Party Advisory |
| Comparing 19.1.1...19.2 · pypa/pip · GitHub | MISC | github.com | Patch, Third Party Advisory |
| [security-announce] openSUSE-SU-2020:1613-1: moderate: Security update f | SUSE | lists.opensuse.org | Mailing List, Third Party Advisory |
| Oracle Critical Patch Update Advisory - July 2022 | N/A | www.oracle.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 159683 Oracle Enterprise Linux Security Update for python27:2.7 (ELSA-2020-4654)
- 159694 Oracle Enterprise Linux Security Update for python-pip (ELSA-2022-9204)
- 159916 Oracle Enterprise Linux Security Update for python-virtualenv (ELSA-2022-5234)
- 174592 SUSE Enterprise Linux Security Update for python3 (SUSE-SU-2021:0344-1)
- 240489 Red Hat Update for python-virtualenv (RHSA-2022:5234)
- 257181 CentOS Security Update for python-virtualenv Security Update (CESA-2022:5234)
- 352372 Amazon Linux Security Advisory for python-pip: ALAS2-2021-1639
- 377288 Alibaba Cloud Linux Security Update for python-virtualenv (ALINUX2-SA-2022:0030)
- 670872 EulerOS Security Update for python-pip (EulerOS-SA-2020-2490)
- 750349 OpenSUSE Security Update for python3 (openSUSE-SU-2021:0331-1)
- 750365 OpenSUSE Security Update for python (openSUSE-SU-2021:0270-1)
- 750500 OpenSUSE Security Update for python (openSUSE-SU-2020:2211-1)
- 750505 OpenSUSE Security Update for python-pip (openSUSE-SU-2020:2184-1)
- 750506 OpenSUSE Security Update for python-setuptools (openSUSE-SU-2020:2185-1)
- 750507 OpenSUSE Security Update for python3 (openSUSE-SU-2020:2190-1)
- 750509 OpenSUSE Security Update for python (openSUSE-SU-2020:2189-1)
- 750516 OpenSUSE Security Update for python-pip (openSUSE-SU-2020:2169-1)
- 750520 OpenSUSE Security Update for python3 (openSUSE-SU-2020:2152-1)
- 750525 OpenSUSE Security Update for python-setuptools (openSUSE-SU-2020:2143-1)
- 750706 OpenSUSE Security Update for python (openSUSE-SU-2020:2189-1)
- 752087 SUSE Enterprise Linux Security Update for python-pip (SUSE-SU-2022:1454-1)
- 753785 SUSE Enterprise Linux Security Update for python-pip (SUSE-SU-2023:0516-2)
- 770068 Red Hat OpenShift Container Platform 4.6 Security Update (RHSA-2021:0436)
- 900128 CBL-Mariner Linux Security Update for python-pip 18.0
- 902924 Common Base Linux Mariner (CBL-Mariner) Security Update for python-pip (3691)
- 940032 AlmaLinux Security Update for python27:2.7 (ALSA-2020:4654)
- 940053 AlmaLinux Security Update for python-pip (ALSA-2020:4432)
- 960365 Rocky Linux Security Update for python27:2.7 (RLSA-2020:4654)
- 982340 Python (pip) Security Update for pip (GHSA-gpvv-69j7-gwj8)