CVE-2024-6345 Remote Code Execution in pypa/setuptools

2024-07-1500:00:14

CWE-94

@huntr_ai

github.com

cve-2024-6345

pypa/setuptools

package_index

remote code execution

download functions

code injection

version 69.1.1

version 70.0

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

AI Score

8.5

Confidence

Low

SSVC

Exploitation

poc

Automatable

Technical Impact

total

JSON

A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to code injection. If these functions are exposed to user-controlled inputs, such as package URLs, they can execute arbitrary commands on the system. The issue is fixed in version 70.0.

ADP Affected

[
  {
    "cpes": [
      "cpe:2.3:a:python:setuptools:69.1.1:*:*:*:*:*:*:*"
    ],
    "vendor": "python",
    "product": "setuptools",
    "versions": [
      {
        "status": "affected",
        "version": "69.1.1",
        "lessThan": "70.0",
        "versionType": "custom"
      }
    ],
    "defaultStatus": "unknown"
  }
]