Vulmon
Recent Vulnerabilities
Research Posts
Trends
Blog
About
Contact
Vulmon Alerts
By Relevance
By Risk Score
By Publish Date
pip vulnerabilities and exploits
(subscribe to this query)
6.8
CVSSv2
CVE-2013-1629
pip prior to 1.3 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which allows man-in-the-middle malicious users to execute arbitrary code via a crafted response to a "pip install" operation.
Pypa Pip
6.8
CVSSv2
CVE-2018-20225
An issue exists in pip (all versions) because it installs the version with the highest version number, even if the user had intended to obtain a private package from a private index. This only affects use of the --extra-index-url option, and exploitation requires that the package...
Pypa Pip
3 Github repositories
NA
CVE-2023-5752
When installing a package from a Mercurial VCS URL (ie "pip install hg+...") with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the "hg clone" call (ie "--config"). Controlling the Mer...
Pypa Pip
6 Github repositories
2.1
CVSSv2
CVE-2014-8991
pip 1.3 up to and including 1.5.6 allows local users to cause a denial of service (prevention of package installation) by creating a /tmp/pip-build-* file for another user.
Pypa Pip
Oracle Solaris 11.2
2.1
CVSSv2
CVE-2013-1888
pip prior to 1.3 allows local users to overwrite arbitrary files via a symlink attack on a file in the /tmp/pip-build temporary directory.
Pypa Pip
Fedoraproject Fedora 17
Fedoraproject Fedora 18
Fedoraproject Fedora 19
4.3
CVSSv2
CVE-2013-5123
The mirroring support (-M, --use-mirrors) in Python Pip prior to 1.5 uses insecure DNS querying and authenticity checks which allows malicious users to perform man-in-the-middle attacks.
Pypa Pip
Virtualenv Virtualenv 12.0.7
Fedoraproject Fedora 20
Fedoraproject Fedora 21
Redhat Openshift 1.0
Redhat Openshift 2.0
Redhat Software Collections -
Debian Debian Linux 8.0
Debian Debian Linux 9.0
Debian Debian Linux 10.0
1 EDB exploit
5
CVSSv2
CVE-2019-20916
The pip package prior to 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in...
Pypa Pip
Opensuse Leap 15.1
Opensuse Leap 15.2
Debian Debian Linux 9.0
Oracle Communications Cloud Native Core Policy 1.15.0
Oracle Communications Cloud Native Core Network Function Cloud Native Environment 22.1.0
Oracle Communications Cloud Native Core Network Function Cloud Native Environment 1.10.0
3 Github repositories
3.5
CVSSv2
CVE-2021-3572
A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip...
Pypa Pip
Oracle Agile Plm 9.3.6
Oracle Communications Cloud Native Core Policy 1.15.0
Oracle Communications Cloud Native Core Network Function Cloud Native Environment 22.1.0
Oracle Communications Cloud Native Core Network Function Cloud Native Environment 1.10.0
Oracle Communications Cloud Native Core Policy 22.1.3
3 Github repositories
5
CVSSv2
CVE-2018-20060
urllib3 before version 1.23 does not remove the Authorization HTTP header when following a cross-origin redirect (i.e., a redirect that differs in host, port, or scheme). This can allow for credentials in the Authorization header to be exposed to unintended hosts or transmitted i...
Python Urllib3
Fedoraproject Fedora 28
Fedoraproject Fedora 29
Fedoraproject Fedora 30
5
CVSSv2
CVE-2018-18074
The Requests package prior to 2.20.0 for Python sends an HTTP Authorization header to an http URI upon receiving a same-hostname https-to-http redirect, which makes it easier for remote malicious users to discover credentials by sniffing the network.
Python Requests
Canonical Ubuntu Linux 16.04
Canonical Ubuntu Linux 18.04
Canonical Ubuntu Linux 18.10
Canonical Ubuntu Linux 14.04
Opensuse Leap 15.1
Redhat Enterprise Linux Desktop 7.0
Redhat Enterprise Linux Workstation 7.0
Redhat Enterprise Linux Server 7.0
11 Github repositories
CVSSv2
CVSSv2
CVSSv3
VMScore
Recommendations:
deserialization
CVE-2024-4040
cross-site scripting
CVE-2023-25790
CVE-2024-2961
XML external entity
CVE-2024-26926
CVE-2024-32806
CVE-2024-32711
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started
1
2
3
4
NEXT »