Path to vulnerable library: /awscli-bundle/awscli-bundle/packages/virtualenv-16.7.8.tar/virtualenv-16.7.8/tests/old-wheels/pip-9.0.1-py2.py3-none-any.whl,/awscli-bundle/packages/virtualenv-16.7.8.tar/virtualenv-16.7.8/tests/old-wheels/pip-9.0.1-py2.py3-none-any.whl
Path to vulnerable library: /awscli-bundle/packages/virtualenv-16.7.8.tar/virtualenv-16.7.8/virtualenv_support/pip-19.1.1-py2.py3-none-any.whl,/awscli-bundle/awscli-bundle/packages/virtualenv-16.7.8.tar/virtualenv-16.7.8/virtualenv_support/pip-19.1.1-py2.py3-none-any.whl
The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py.
CVE-2019-20916 - High Severity Vulnerability
pip-9.0.1-py2.py3-none-any.whl
The PyPA recommended tool for installing Python packages.
Library home page: https://files.pythonhosted.org/packages/b6/ac/7015eb97dc749283ffdec1c3a88ddb8ae03b8fad0f0e611408f196358da3/pip-9.0.1-py2.py3-none-any.whl
Path to vulnerable library: /awscli-bundle/awscli-bundle/packages/virtualenv-16.7.8.tar/virtualenv-16.7.8/tests/old-wheels/pip-9.0.1-py2.py3-none-any.whl,/awscli-bundle/packages/virtualenv-16.7.8.tar/virtualenv-16.7.8/tests/old-wheels/pip-9.0.1-py2.py3-none-any.whl
Dependency Hierarchy: - :x: **pip-9.0.1-py2.py3-none-any.whl** (Vulnerable Library)
pip-19.1.1-py2.py3-none-any.whl
The PyPA recommended tool for installing Python packages.
Library home page: https://files.pythonhosted.org/packages/5c/e0/be401c003291b56efc55aeba6a80ab790d3d4cece2778288d65323009420/pip-19.1.1-py2.py3-none-any.whl
Path to vulnerable library: /awscli-bundle/packages/virtualenv-16.7.8.tar/virtualenv-16.7.8/virtualenv_support/pip-19.1.1-py2.py3-none-any.whl,/awscli-bundle/awscli-bundle/packages/virtualenv-16.7.8.tar/virtualenv-16.7.8/virtualenv_support/pip-19.1.1-py2.py3-none-any.whl
Dependency Hierarchy: - :x: **pip-19.1.1-py2.py3-none-any.whl** (Vulnerable Library)
Found in HEAD commit: de1c2b0d1a23367b161c2d995029f9693bd8a155
Found in base branch: master
The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py.
Publish Date: 2020-09-04
URL: CVE-2019-20916
Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: High - Availability Impact: None
For more information on CVSS3 Scores, click here.Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20916
Release Date: 2020-09-04
Fix Resolution: 19.2
Step up your Open Source Security Game with Mend here