Published: 10/01/2022 Updated: 25/04/2022

CVSS v2 Base Score: 9.3 | Impact Score: 10 | Exploitability Score: 8.6

CVSS v3 Base Score: 8.6 | Impact Score: 6 | Exploitability Score: 1.8

Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

pipenv is a Python development workflow tool. Starting with version 2018.10.9 and prior to version 2022.1.8, a flaw in pipenv's parsing of requirements files allows an malicious user to insert a specially crafted string inside a comment anywhere within a requirements.txt file, which will cause victims who use pipenv to install the requirements file to download dependencies from a package index server controlled by the attacker. By embedding malicious code in packages served from their malicious index server, the attacker can trigger arbitrary remote code execution (RCE) on the victims' systems. If an attacker is able to hide a malicious `--index-url` option in a requirements file that a victim installs with pipenv, the attacker can embed arbitrary malicious code in packages served from their malicious index server that will be executed on the victim's host during installation (remote code execution/RCE). When pip installs from a source distribution, any code in the setup.py is executed by the install process. This issue is patched in version 2022.1.8. The GitHub Security Advisory contains more information about this vulnerability.

Vulnerable Product	Search on Vulmon	Subscribe to Product
pypa pipenv
fedoraproject fedora 34
fedoraproject fedora 35
fedoraproject fedora 36

CVE-2022-21668 \n 反向辣鸡数据投放 CVE订阅工具利用教程 Exploit POC RCE LOG4j 反序列化 JNDI Payload

hello_world_python This is a demonstration of the pipenv vulnerability CVE-2022-21668 cvemitreorg/cgi-bin/cvenamecgi?name=CVE-2022-21668 DO NOT USE THIS REPOSITORY It is only for example use

CVE-2022-21668-Pipenv-RCE-vulnerability

CVE-2022-2166 Improper Restriction of Excessive Authentication Attempts in GitHub repository mastodon/mastodon prior to 400 authentication complexity vector not available not available not available confidentiality integrity availability not available not available not available CVSS Score: not available References huntrdev/bounties/2f96f990-01

PoC in GitHub 2022 CVE-2022-0185 (2022-02-11) A heap-based buffer overflow flaw was found in the way the legacy_parse_param function in the Filesystem Context functionality of the Linux kernel verified the supplied parameters length An unprivileged (in case of unprivileged user namespaces enabled, otherwise needs namespaced CAP_SYS_ADMIN privilege) local user able to open a f

CWE-20 CWE-78 CWE-77 CWE-427 CWE-791 https://github.com/pypa/pipenv/releases/tag/v2022.1.8 https://github.com/pypa/pipenv/security/advisories/GHSA-qc9x-gjcv-465w https://github.com/pypa/pipenv/commit/439782a8ae36c4762c88e43d5f0d8e563371b46f https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KCROBYHUS6DKQPCXBRPCZ5CDBNQTYAWT/https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QHQRIWKDP3SVJABAPEXBIQPKDI6UP7G4/https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/56HBA3EOSLEDNCCBJVHE6DO34P56EOUM/https://github.com/AlphabugX/CVE-2022-21668 https://nvd.nist.gov

CVE-2022-21668

Vulnerability Summary

Most Upvoted Vulmon Research Post

Vulnerability Trend

Github Repositories

References

Vulmon Search

About

Products

Connect