CVE-2024-6345

2024-07-1501:15:01

Debian Security Bug Tracker

security-tracker.debian.org

vulnerability

pypa/setuptools

remote code execution

package_index module

code injection

download functions

arbitrary commands

fixed version 70.0

unix

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

AI Score

8.5

Confidence

Low

JSON

A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to code injection. If these functions are exposed to user-controlled inputs, such as package URLs, they can execute arbitrary commands on the system. The issue is fixed in version 70.0.

OSVersionArchitecturePackageVersionFilename
Debian12allsetuptools<= 66.1.1-1setuptools_66.1.1-1_all.deb
Debian11allsetuptools< 52.0.0-4+deb11u1setuptools_52.0.0-4+deb11u1_all.deb
Debian999allsetuptools< 70.3.0-2setuptools_70.3.0-2_all.deb
Debian13allsetuptools< 70.3.0-2setuptools_70.3.0-2_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	12	all	setuptools	<= 66.1.1-1	setuptools_66.1.1-1_all.deb
Debian	11	all	setuptools	< 52.0.0-4+deb11u1	setuptools_52.0.0-4+deb11u1_all.deb
Debian	999	all	setuptools	< 70.3.0-2	setuptools_70.3.0-2_all.deb
Debian	13	all	setuptools	< 70.3.0-2	setuptools_70.3.0-2_all.deb