Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information. Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Pipenv's requirements.txt parsing allows malicious index url in comments
Vulnerability Description
pipenv is a Python development workflow tool. Starting with version 2018.10.9 and prior to version 2022.1.8, a flaw in pipenv's parsing of requirements files allows an attacker to insert a specially crafted string inside a comment anywhere within a requirements.txt file, which will cause victims who use pipenv to install the requirements file to download dependencies from a package index server controlled by the attacker. By embedding malicious code in packages served from their malicious index server, the attacker can trigger arbitrary remote code execution (RCE) on the victims' systems. If an attacker is able to hide a malicious `--index-url` option in a requirements file that a victim installs with pipenv, the attacker can embed arbitrary malicious code in packages served from their malicious index server that will be executed on the victim's host during installation (remote code execution/RCE). When pip installs from a source distribution, any code in the setup.py is executed by the install process. This issue is patched in version 2022.1.8. The GitHub Security Advisory contains more information about this vulnerability.
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
Vulnerability Type
Improper Input Validation
Vulnerability Title
Pipenv command injection vulnerability
Vulnerability Description
Pipenv is a tool that aims to bring the best of all packaging worlds (bundler, composer, npm, cargo, yarn, etc.) to the Python world. pipenv has a command injection vulnerability that stems from allowing an attacker to insert a specially crafted string into a comment anywhere in a requirements.txt file, which causes victims who use pipenv to install the requirements file to download dependencies from a package index server controlled by the attacker. By embedding malicious code in packages served from the malicious index server, the attacker can trigger arbitrary remote code execution (RCE) on the victim's system.
CVSS Information
N/A
Vulnerability Type
N/A
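As an added illustration of the weakness described in both records above (this is not code from pipenv or from the advisory), the following Python scanner flags index-server options that appear inside requirements.txt comments, where a reviewer reading the file is unlikely to notice them. The sample file contents, the `.invalid` hostname and the treatment of `-i` and `--extra-index-url` as equivalents of `--index-url` are assumptions for this example.

```python
import re
from typing import List, Tuple

# A '#' at line start, or preceded by whitespace, begins a comment in pip's
# requirements format; a '#' glued to a URL (e.g. '#egg=') does not.
COMMENT_RE = re.compile(r"(?:^|\s)#(.*)$")

# Options that change where packages are fetched from. --index-url is the one
# named in the advisory; -i and --extra-index-url are treated the same here
# (assumption for detection purposes).
INDEX_OPTION_RE = re.compile(
    r"(?:^|\s)(?:-i|--index-url|--extra-index-url)(?:\s+|=)(\S+)"
)


def split_comment(line: str) -> Tuple[str, str]:
    """Return (requirement part, comment part) for one requirements.txt line."""
    m = COMMENT_RE.search(line)
    if not m:
        return line.strip(), ""
    return line[: m.start()].strip(), m.group(1).strip()


def find_hidden_index_urls(text: str) -> List[Tuple[int, str]]:
    """Return (line number, url) for every index option hidden in a comment.

    Index options on a non-comment line are visible to a reviewer and are
    therefore not reported; only comment-embedded ones are.
    """
    findings: List[Tuple[int, str]] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        _, comment = split_comment(raw)
        if not comment:
            continue
        m = INDEX_OPTION_RE.search(" " + comment)
        if m:
            findings.append((lineno, m.group(1)))
    return findings


# Constructed sample: one legitimate, visible index line and one index option
# smuggled into a trailing comment.
SAMPLE_REQUIREMENTS = """\
--index-url https://pypi.org/simple
requests==2.28.1
# plain comment, nothing to see
flask==2.1.0  # pinned -i https://pypi.example.invalid/simple/
numpy  # see https://example.com/notes#--index-url
"""

if __name__ == "__main__":
    for lineno, url in find_hidden_index_urls(SAMPLE_REQUIREMENTS):
        print(f"line {lineno}: index option hidden in comment -> {url}")
```

Running the block on the constructed sample reports only line 4; the visible `--index-url` on line 1 and the `#--index-url` fragment on line 5 are not flagged.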