CVE-2019-20916
Published: Sep 4, 2020
Modified: Aug 5, 2024
PUBLISHED
Description
The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py.
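The flaw described above comes down to trusting a server-supplied filename as a path. The following is an added example, not code from pip or from the CVE record, showing the vulnerable join beside a hardened version. The download directory, the three Content-Disposition header values, and the minimal header parser are all constructed for the demonstration; the hardened path strips directory components with `os.path.basename` and then verifies the resolved target stays inside the download directory. pip's own change is in the 19.1.1...19.2 comparison listed under References, and this example does not claim to reproduce it line for line.

```python
import os
import re

# Hypothetical download directory used for the examples below.
DOWNLOAD_DIR = "/tmp/pip-downloads"

# Constructed Content-Disposition header values for the demonstration:
# the traversal shape described in the advisory, an absolute path, and a benign wheel name.
HEADER_TRAVERSAL = 'attachment; filename="../../root/.ssh/authorized_keys"'
HEADER_ABSOLUTE = 'attachment; filename="/root/.ssh/authorized_keys"'
HEADER_BENIGN = 'attachment; filename="pip-19.1.1-py2.py3-none-any.whl"'


def parse_content_disposition_filename(header):
    """Return the filename parameter of a Content-Disposition value, or None.

    Minimal parser for the demonstration: handles filename="..." and a bare
    filename=... token; it does not implement RFC 5987 filename* encoding.
    """
    match = re.search(r'filename\s*=\s*"([^"]*)"', header)
    if match is None:
        match = re.search(r'filename\s*=\s*([^;]+)', header)
    if match is None:
        return None
    return match.group(1).strip()


def unsafe_target_path(download_dir, header):
    """The vulnerable pattern: join the server-chosen name straight onto the directory.

    os.path.join keeps '../' components, and discards download_dir entirely when
    the name is absolute, so the write lands wherever the server says.
    The result is normalised so the escape is visible.
    """
    name = parse_content_disposition_filename(header)
    return os.path.normpath(os.path.join(download_dir, name))


def sanitize_content_filename(name):
    """Keep only the final path component of a server-supplied filename."""
    return os.path.basename(name)


def safe_target_path(download_dir, header):
    """Hardened version: strip directory components, then confirm the resolved
    target still lies inside download_dir. Returns None when the header yields
    no usable name, so the caller can fall back to a name derived from the URL.
    """
    name = parse_content_disposition_filename(header)
    if name is None:
        return None
    name = sanitize_content_filename(name)
    if name in ("", ".", ".."):
        return None
    target = os.path.join(download_dir, name)
    # Defence in depth: basename already removed any traversal, but comparing the
    # resolved path against the resolved directory catches anything missed.
    base = os.path.realpath(download_dir)
    if os.path.commonpath([base, os.path.realpath(target)]) != base:
        return None
    return target


if __name__ == "__main__":
    for header in (HEADER_TRAVERSAL, HEADER_ABSOLUTE, HEADER_BENIGN):
        print(header)
        print("  vulnerable write target:", unsafe_target_path(DOWNLOAD_DIR, header))
        print("  hardened write target:  ", safe_target_path(DOWNLOAD_DIR, header))
```

Run as root against a download directory under /tmp, the vulnerable function resolves the first header to /root/.ssh/authorized_keys, which is exactly the overwrite the advisory describes; the hardened function writes authorized_keys inside the download directory instead, and rejects names such as "../" that leave nothing usable after sanitisation.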
| Vendor | Product | Versions |
|---|---|---|
| n/a | n/a | affected n/a |
References
- https://github.com/pypa/pip/issues/6413 (x_refsource_MISC)
- https://github.com/pypa/pip/compare/19.1.1...19.2 (x_refsource_MISC)
- [debian-lts-announce] 20200911 [SECURITY] [DLA 2370-1] python-pip security update (mailing-list, x_refsource_MLIST)
- openSUSE-SU-2020:1598 (vendor-advisory, x_refsource_SUSE)
- openSUSE-SU-2020:1613 (vendor-advisory, x_refsource_SUSE)
- https://www.oracle.com/security-alerts/cpuapr2022.html (x_refsource_MISC)
- https://www.oracle.com/security-alerts/cpujul2022.html (x_refsource_MISC)