5.7
CVSSv3

CVE-2021-3572

Published: 10/11/2021 Updated: 05/10/2022
CVSS v2 Base Score: 3.5 | Impact Score: 2.9 | Exploitability Score: 6.8
CVSS v3 Base Score: 5.7 | Impact Score: 3.6 | Exploitability Score: 2.1
VMScore: 314
Vector: AV:N/AC:M/Au:S/C:N/I:P/A:N

Vulnerability Summary

A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.

Vulnerability Trend

Vulnerable Product Search on Vulmon Subscribe to Product

pypa pip

oracle agile plm 9.3.6

oracle communications cloud native core policy 1.15.0

oracle communications cloud native core network function cloud native environment 22.1.0

oracle communications cloud native core network function cloud native environment 1.10.0

oracle communications cloud native core policy 22.1.3

Vendor Advisories

A flaw was found in python-urllib3 SSL certificate validation is omitted in some cases involving HTTPS to HTTPS proxies The initial connection to the HTTPS proxy (if an SSLContext isn't given via proxy_config) doesn't verify the hostname of the certificate This means certificates for different servers that still validate properly with the defaul ...
A security issue has been found in pip before version 211 Maliciously formatted tags could be used to hijack a commit-based pin Using the fact that all of unicode's whitespace characters were allowed as separators - which git allows as a part of a tag name - it is possible to force a different revision to be installed if an attacker gains access ...
Synopsis Moderate: Red Hat OpenShift distributed tracing 210 security update Type/Severity Security Advisory: Moderate Topic An update is now available for Red Hat Openshit distributed tracing 21Red Hat Product Security has rated this update as having a security impact of Moderate A Common Vulnerability Scoring System (CVSS) base score, ...
Synopsis Important: Release of containers for OSP 162 director operator tech preview Type/Severity Security Advisory: Important Topic Red Hat OpenStack Platform 162 (Train) director Operator containers areavailable for technology preview Description Release osp-director-operator imagesSecurity Fix(es): golang: net/http: limit growth of h ...
Synopsis Important: Red Hat OpenShift GitOps security update Type/Severity Security Advisory: Important Topic An update for openshift-gitops-applicationset-container, openshift-gitops-container, openshift-gitops-kam-delivery-container, and openshift-gitops-operator-container is now available for Red Hat OpenShift GitOps 12 (GitOps v122)Re ...
Synopsis Moderate: Red Hat Advanced Cluster Management 2211 security updates and bug fixes Type/Severity Security Advisory: Moderate Topic Red Hat Advanced Cluster Management for Kubernetes 2211 General Availability release images, which provide one or more container updates and bug fixesRed Hat Product Security has rated this update as ...
Synopsis Moderate: Migration Toolkit for Containers (MTC) 154 security update Type/Severity Security Advisory: Moderate Topic The Migration Toolkit for Containers (MTC) 154 is now availableRed Hat Product Security has rated this update as having a security impactof Moderate A Common Vulnerability Scoring System (CVSS) base score, whichg ...

Github Repositories

CVE-2021-3572 POC for older pip Instructions Run: pip3 install git+githubcom/litios/cve_2021_3572-old-pipgit@good When listing the installed modules with pip3 list, the output should be: cve-2021-3572 (12) if the package is affected, otherwise, you should get: cve-2021-3572 (10)

A simple repository helping to test CVE-2021-3572 in PyPA/pip

CVE-2021-3572 This repository is designed for testing CVE-2021-3572 in pypa/pip For more information, see these resources: CVE page: cvemitreorg/cgi-bin/cvenamecgi?name=CVE-2021-3572 PR where vulnerability was fixed: pypa/pip#9827 Issue with more discussion: pypa/pip#10042 Also, see the tags and first two commits in this repository Testing Vulnerable version of p

Create an image with python2, python3, R, install a set of requirements and upload it to docker hub For the previously created image Share build times 4216s 602MB How would you improve build times? Having appropriate caching mechanisms in place If we are building the ci/cd pipeline with github actions, we can use actions/cache to speed up builds by reusing cache from prev

Demo repository showcasing some of the possibilities of Aqua Trivy.

Trivy Demo Demo repository showcasing some of the possibilities of Aqua Trivy Image scanning Let's look at an example of scanning an image using Trivy: > trivy image python:34-alpine Output The output: 2023-05-06T15:29:29058Z INFO Need to update DB 2023-05-06T15:29:29058Z INFO DB Repository: ghcr

PoC in GitHub 2022 CVE-2022-0185 (2022-02-11) A heap-based buffer overflow flaw was found in the way the legacy_parse_param function in the Filesystem Context functionality of the Linux kernel verified the supplied parameters length An unprivileged (in case of unprivileged user namespaces enabled, otherwise needs namespaced CAP_SYS_ADMIN privilege) local user able to open a f

PoC in GitHub 2023 CVE-2023-0045 missyes/CVE-2023-0045 es0j/CVE-2023-0045 CVE-2023-0179 TurtleARM/CVE-2023-0179-PoC CVE-2023-0297 (2023-01-13) Code Injection in GitHub repository pyload/pyload prior to 050b3dev31 bAuh0lz/CVE-2023-0297_Pre-auth_RCE_in_pyLoad CVE-2023-0315 (2023-01-15) Command Injection in GitHub repository froxlor/froxlor prior to 208 mhaskar/C