CVE-2019-20916

CVE Details

Release Date:2020-09-04

Description


The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py.

See more information about CVE-2019-20916 from MITRE CVE dictionary and NIST NVD


CVSS v3.0 metrics


NOTE: The following CVSS v3.0 metrics and score provided are preliminary and subject to review.

Base Score: 7.5 Base Metrics: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Access Vector: Network Attack Complexity: Low
Privileges Required: None User Interaction: None
Scope: Unchanged Confidentiality Impact: None
Integrity Impact: High Availability Impact: None

Errata information


PlatformErrataRelease Date
Oracle Linux version 7 (python-pip)ELSA-2022-92042022-03-10
Oracle Linux version 8 (Cython)ELSA-2020-46542020-11-10
Oracle Linux version 8 (PyYAML)ELSA-2020-46542020-11-10
Oracle Linux version 8 (babel)ELSA-2020-46542020-11-10
Oracle Linux version 8 (numpy)ELSA-2020-46542020-11-10
Oracle Linux version 8 (pytest)ELSA-2020-46542020-11-10
Oracle Linux version 8 (python-PyMySQL)ELSA-2020-46542020-11-10
Oracle Linux version 8 (python-attrs)ELSA-2020-46542020-11-10
Oracle Linux version 8 (python-backports)ELSA-2020-46542020-11-10
Oracle Linux version 8 (python-backports-ssl_match_hostname)ELSA-2020-46542020-11-10
Oracle Linux version 8 (python-chardet)ELSA-2020-46542020-11-10
Oracle Linux version 8 (python-coverage)ELSA-2020-46542020-11-10
Oracle Linux version 8 (python-dns)ELSA-2020-46542020-11-10
Oracle Linux version 8 (python-docs)ELSA-2020-46542020-11-10
Oracle Linux version 8 (python-docutils)ELSA-2020-46542020-11-10
Oracle Linux version 8 (python-funcsigs)ELSA-2020-46542020-11-10
Oracle Linux version 8 (python-idna)ELSA-2020-46542020-11-10
Oracle Linux version 8 (python-ipaddress)ELSA-2020-46542020-11-10
Oracle Linux version 8 (python-jinja2)ELSA-2020-46542020-11-10
Oracle Linux version 8 (python-lxml)ELSA-2020-46542020-11-10
Oracle Linux version 8 (python-markupsafe)ELSA-2020-46542020-11-10
Oracle Linux version 8 (python-mock)ELSA-2020-46542020-11-10
Oracle Linux version 8 (python-nose)ELSA-2020-46542020-11-10
Oracle Linux version 8 (python-pip)ELSA-2020-44322020-11-10
Oracle Linux version 8 (python-pluggy)ELSA-2020-46542020-11-10
Oracle Linux version 8 (python-psycopg2)ELSA-2020-46542020-11-10
Oracle Linux version 8 (python-py)ELSA-2020-46542020-11-10
Oracle Linux version 8 (python-pygments)ELSA-2020-46542020-11-10
Oracle Linux version 8 (python-pymongo)ELSA-2020-46542020-11-10
Oracle Linux version 8 (python-pysocks)ELSA-2020-46542020-11-10
Oracle Linux version 8 (python-pytest-mock)ELSA-2020-46542020-11-10
Oracle Linux version 8 (python-requests)ELSA-2020-46542020-11-10
Oracle Linux version 8 (python-setuptools_scm)ELSA-2020-46542020-11-10
Oracle Linux version 8 (python-six)ELSA-2020-46542020-11-10
Oracle Linux version 8 (python-sqlalchemy)ELSA-2020-46542020-11-10
Oracle Linux version 8 (python-urllib3)ELSA-2020-46542020-11-10
Oracle Linux version 8 (python-virtualenv)ELSA-2020-46542020-11-10
Oracle Linux version 8 (python-wheel)ELSA-2020-46542020-11-10
Oracle Linux version 8 (python2)ELSA-2020-46542020-11-10
Oracle Linux version 8 (python2-pip)ELSA-2020-46542020-11-10
Oracle Linux version 8 (python2-rpm-macros)ELSA-2020-46542020-11-10
Oracle Linux version 8 (python2-setuptools)ELSA-2020-46542020-11-10
Oracle Linux version 8 (pytz)ELSA-2020-46542020-11-10
Oracle Linux version 8 (scipy)ELSA-2020-46542020-11-10



This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections please contact the Oracle Linux ULN team

software.hardware.complete