CVE-2024-6345

EPSS 4.25%
Published 15.07.2024 01:15:01
Last modified 21.11.2024 09:49:28
Source security@huntr.dev
Teams watchlist Login
Open Login

A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to code injection. If these functions are exposed to user-controlled inputs, such as package URLs, they can execute arbitrary commands on the system. The issue is fixed in version 70.0.

Affected products Warnungen 0 Metrics 2 CWE 1 References 5

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

This information is available to logged-in users.

Daten sind bereitgestellt durch das CVE Programm von Authorized Data Publishers (ADP) (Unstrukturiert)

Vendorpython

≫

Product setuptools

Default Statusunknown

Version < 70.0

Version 69.1.1

Status affected

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	4.25%	0.884

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
security@huntr.dev	8.8	2.8	5.9	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE-94 Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

https://github.com/pypa/setuptools/commit/88807c7062788254f654ea8c03427adc859321f0

https://huntr.com/bounties/d6362117-ad57-4e83-951f-b8141c6e7ca5

https://nvd.nist.gov/vuln/detail/CVE-2024-6345

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-6345

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-6345

EUVD