关联漏洞
Description
A simple repository helping to test CVE-2021-3572 in PyPA/pip
介绍
# CVE-2021-3572
This repository is designed for testing CVE-2021-3572 in [pypa/pip](https://github.com/pypa/pip).
For more information, see these resources:
* CVE page: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3572
* PR where vulnerability was fixed: https://github.com/pypa/pip/pull/9827
* Issue with more discussion: https://github.com/pypa/pip/issues/10042
Also, see the tags and first two commits in this repository.
## Testing
Vulnerable version of pip (<21.1) installs version 9999.0 but the fixed version installs the correct version 1.0:
### Vulnerable version
```
$ pip install "pip<21.1"
Successfully installed pip-21.0.1
$ pip install git+https://github.com/frenzymadness/CVE-2021-3572.git@original_version
$ pip list
Package Version
------------- -------
cve-2021-3572 9999.0
pip 21.0.1
setuptools 56.2.0
wheel 0.36.2
```
### Fixed version
```
$ pip install -U pip
Successfully installed pip-21.1.2
$ pip install git+https://github.com/frenzymadness/CVE-2021-3572.git@original_version
$ pip list
Package Version
------------- -------
cve-2021-3572 1.0
pip 21.1.2
setuptools 56.2.0
wheel 0.36.2
```
文件快照
[4.0K] /data/pocs/5ef2e0b2f3e27cdaec7dd58ff5c6981759bd18c2
├── [ 19] cve_2021_3572.py
├── [1.0K] LICENSE
├── [1.2K] README.md
└── [ 377] setup.py
0 directories, 4 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮件到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对 POC 代码进行快照,为了长期维护,请考虑为本地 POC 付费/捐赠,感谢您的支持。