CVE-2021-3572

Published: 10/11/2021 Updated: 05/10/2022
CVSS v2 Base Score: 3.5 | Impact Score: 2.9 | Exploitability Score: 6.8
CVSS v3 Base Score: 5.7 | Impact Score: 3.6 | Exploitability Score: 2.1
VMScore: 312
CVSS v2 Vector: AV:N/AC:M/Au:S/C:N/I:P/A:N

Vulnerability Summary

A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision from a repository than the one pinned. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.

Vulnerable Products

pypa pip

oracle agile plm 9.3.6

oracle communications cloud native core policy 1.15.0

oracle communications cloud native core network function cloud native environment 22.1.0

oracle communications cloud native core network function cloud native environment 1.10.0

oracle communications cloud native core policy 22.1.3

Vendor Advisories

Synopsis: Important: Red Hat OpenShift GitOps security update. Type/Severity: Security Advisory: Important. Topic: An update for openshift-gitops-applicationset-container, openshift-gitops-container, openshift-gitops-kam-delivery-container, and openshift-gitops-operator-container is now available for Red Hat OpenShift GitOps 1.2 (GitOps v1.2.2). Re ...
Synopsis: Moderate: Red Hat OpenShift distributed tracing 2.1.0 security update. Type/Severity: Security Advisory: Moderate. Topic: An update is now available for Red Hat OpenShift distributed tracing 2.1. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, ...
Synopsis: Important: Release of containers for OSP 16.2 director operator tech preview. Type/Severity: Security Advisory: Important. Topic: Red Hat OpenStack Platform 16.2 (Train) director Operator containers are available for technology preview. Description: Release osp-director-operator images. Security Fix(es): golang: net/http: limit growth of h ...
Synopsis: Moderate: Red Hat Advanced Cluster Management 2.2.11 security updates and bug fixes. Type/Severity: Security Advisory: Moderate. Topic: Red Hat Advanced Cluster Management for Kubernetes 2.2.11 General Availability release images, which provide one or more container updates and bug fixes. Red Hat Product Security has rated this update as ...
Synopsis: Moderate: Migration Toolkit for Containers (MTC) 1.5.4 security update. Type/Severity: Security Advisory: Moderate. Topic: The Migration Toolkit for Containers (MTC) 1.5.4 is now available. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which g ...
A flaw was found in python-urllib3: SSL certificate validation is omitted in some cases involving HTTPS to HTTPS proxies. The initial connection to the HTTPS proxy (if an SSLContext isn't given via proxy_config) doesn't verify the hostname of the certificate. This means certificates for different servers that still validate properly with the defaul ...
A security issue has been found in pip before version 21.1. Maliciously formatted tags could be used to hijack a commit-based pin. Using the fact that all of Unicode's whitespace characters were allowed as separators - which git allows as a part of a tag name - it is possible to force a different revision to be installed if an attacker gains access ...

Github Repositories

CVE-2021-3572 POC for older pip. Instructions: Run: pip3 install git+https://github.com/litios/cve_2021_3572-old-pip.git@good. When listing the installed modules with pip3 list, the output should be cve-2021-3572 (1.2) if the package is affected; otherwise, you should get cve-2021-3572 (1.0).

A simple repository helping to test CVE-2021-3572 in PyPA/pip

CVE-2021-3572: This repository is designed for testing CVE-2021-3572 in pypa/pip. For more information, see these resources: CVE page: cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3572; PR where the vulnerability was fixed: pypa/pip#9827; Issue with more discussion: pypa/pip#10042. Also, see the tags and first two commits in this repository. Testing Vulnerable version of p

Operating a Zammad Instance in the Google Cloud. Abstract: Simple and straightforward setup and operation using this guide. Updates via swapping the Docker image. Lowest possible operating costs: Spot instance (Spot VMs may be terminated at any time), default network, standard storage. Time-controlled operation possible. Operating in Central America (Iowa). Zammad instance on a VM