CVE-2019-20916
Published 2020-09-04
CVE-2019-20916: The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../…
Priority: P3 · 41 · high · 7.5 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:N / I:H / A:N
EPSS: 3.03% (85.8th percentile)
The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py.
Affected
12 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | python-pip | < python-pip 20.0.2-1 (bookworm) | python-pip 20.0.2-1 (bookworm) |
| msrc | cbl2_python-virtualenv_20.26.6-1_on_cbl_mariner_2.0 | — | — |
| msrc | cm1_python-pip_19.2-1_on_cbl_mariner_1.0 | — | — |
| opensuse | leap | — | — |
| opensuse | leap | — | — |
| oracle | communications_cloud_native_core_network_function_cloud_native_environment | — | — |
| oracle | communications_cloud_native_core_network_function_cloud_native_environment | — | — |
| oracle | communications_cloud_native_core_policy | — | — |
| paloalto | pan-os | — | — |
| pypa | pip | < 19.2 | 19.2 |
| pypa | pip | >= 0 < 19.2 | 19.2 |
CVSS provenance
nvd v3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
nvd v2.0 · 5.0 MEDIUM · AV:N/AC:L/Au:N/C:N/I:P/A:N
osv · 7.5 HIGH
vendor_debian · 7.5 HIGH
vendor_msrc · 7.5 HIGH
vendor_oracle · 7.5 HIGH
vendor_redhat · 7.5 HIGH
vendor_ubuntu · 7.5 HIGH
OSV
Path Traversal in pip
osv·2021-06-09
CVE-2019-20916 [HIGH] Path Traversal in pip
Path Traversal in pip
The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py. A fix was committed 6704f2ace.
GHSA
Path Traversal in pip
ghsa·2021-06-09
CVE-2019-20916 [HIGH] CWE-22 Path Traversal in pip
Path Traversal in pip
The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py. A fix was committed 6704f2ace.
OSV
python-pip vulnerability
osv·2020-10-22·CVSS 7.5
CVE-2019-20916 [HIGH] python-pip vulnerability
python-pip vulnerability
It was discovered that pip did not properly sanitize the filename during
pip install. A remote attacker could possibly use this issue to read and
write arbitrary files on the host filesystem as root, resulting in a
directory traversal attack. (CVE-2019-20916)
OSV
CVE-2019-20916: The pip package before 19
osv·2020-09-04·CVSS 7.5
CVE-2019-20916 [HIGH] CVE-2019-20916: The pip package before 19
The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py.
Palo Alto
PAN-SA-2024-0004 Informational Bulletin: OSS CVEs fixed in PAN-OS
vendor_paloalto·2024-04-10·CVSS 9.8
CVE-2015-5739 [CRITICAL] PAN-SA-2024-0004 Informational Bulletin: OSS CVEs fixed in PAN-OS
PAN-SA-2024-0004 Informational Bulletin: OSS CVEs fixed in PAN-OS
The Palo Alto Networks Product Security Assurance team has evaluated the following open source software (OSS) CVEs as they relate to PAN-OS. While it was not determined that these CVEs have any significant impact on PAN-OS, they have been fixed out of an abundance of caution.
CVE Summary:
CVE-2015-5739: This CVE is fixed in PAN-OS 11.0.4, and all later PAN-OS versions.
CVE-2016-10228: This CVE is fixed in PAN-OS 11.1.3, and all later PAN-OS versions.
CVE-2017-8923: This CVE is fixed in PAN-OS 10.2.8, 11.0.3, and all later PAN-OS versions.
CVE-2017-9120: This CVE is fixed in PAN-OS 10.2.8, 11.0.3, and all later PAN-OS versions.
CVE-2018-25009: This CVE is fixed in PAN-OS 10.2.8, 11.0.4, 11.1.3, and all later PAN-OS versions.
CVE-2
Oracle
Oracle Oracle Fusion Middleware Risk Matrix: Third Party (Jython) — CVE-2019-20916
vendor_oracle·2023-04-15·CVSS 7.5
CVE-2019-20916 [HIGH] Oracle Oracle Fusion Middleware Risk Matrix: Third Party (Jython) — CVE-2019-20916
Oracle Oracle Fusion Middleware Risk Matrix: Third Party (Jython) vulnerability
CVE: CVE-2019-20916
CVSS: 7.5
Protocol: HTTP
Remote exploit: Yes
Affected versions: Network
Advisory: cpuapr2023 (APR 2023)
Oracle
Oracle Oracle Communications Risk Matrix: CNE (Package Installer for Python) — CVE-2019-20916
vendor_oracle·2022-07-15·CVSS 7.5
CVE-2019-20916 [HIGH] Oracle Oracle Communications Risk Matrix: CNE (Package Installer for Python) — CVE-2019-20916
Oracle Oracle Communications Risk Matrix: CNE (Package Installer for Python) vulnerability
CVE: CVE-2019-20916
CVSS: 7.5
Protocol: HTTP
Remote exploit: Yes
Affected versions: Network
Advisory: cpujul2022 (JUL 2022)
Ubuntu
pip vulnerability
vendor_ubuntu·2020-10-22·CVSS 7.5
CVE-2019-20916 [HIGH] pip vulnerability
Title: pip vulnerability
Summary: pip could be made to overwrite files as the administrator.
It was discovered that pip did not properly sanitize the filename during
pip install. A remote attacker could possibly use this issue to read and
write arbitrary files on the host filesystem as root, resulting in a
directory traversal attack. (CVE-2019-20916)
Instructions: In general, a standard system update will make all the necessary changes.
Microsoft
The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command because a Content-Disposition header can have ../ in a filename as demonstrated by overwriti
vendor_msrc·2020-09-08·CVSS 7.5
CVE-2019-20916 [HIGH] CWE-22 The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command because a Content-Disposition header can have ../ in a filename as demonstrated by overwriti
The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command because a Content-Disposition header can have ../ in a filename as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py.
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this
Red Hat
python-pip: directory traversal in _download_http_url() function in src/pip/_internal/download.py
vendor_redhat·2019-04-16·CVSS 7.5
CVE-2019-20916 [HIGH] CWE-22 python-pip: directory traversal in _download_http_url() function in src/pip/_internal/download.py
python-pip: directory traversal in _download_http_url() function in src/pip/_internal/download.py
The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py.
A flaw was found in the pip package installer for Python when downloading or installing a remote package via a specified URL. Improper validation of the "Content-Disposition" HTTP response header makes a path traversal attack possible, leading to an arbitrary file overwrite. This flaw allows an attacker who controls a malicious server to execute arbitrary code on the system.
Statement: This iss
Debian
CVE-2019-20916: python-pip - The pip package before 19.2 for Python allows Directory Traversal when a URL is ...
vendor_debian·2019·CVSS 7.5
CVE-2019-20916 [HIGH] CVE-2019-20916: python-pip - The pip package before 19.2 for Python allows Directory Traversal when a URL is ...
The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py.
Scope: local
bookworm: resolved (fixed in 20.0.2-1)
bullseye: resolved (fixed in 20.0.2-1)
forky: resolved (fixed in 20.0.2-1)
sid: resolved (fixed in 20.0.2-1)
trixie: resolved (fixed in 20.0.2-1)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2019-20916 python-pip: directory traversal in _download_http_url() function in src/pip/_internal/download.py
bugzilla·2020-08-11·CVSS 7.5
CVE-2019-20916 [HIGH] CVE-2019-20916 python-pip: directory traversal in _download_http_url() function in src/pip/_internal/download.py
CVE-2019-20916 python-pip: directory traversal in _download_http_url() function in src/pip/_internal/download.py
A flaw was found in python-pip. Installing remote packages is vulnerable to directory traversal via Content-Disposition header by a malicious server.
Upstream issue:
https://github.com/pypa/pip/issues/6413
Discussion:
Created python-pip tracking bugs for this issue:
Affects: epel-6 [bug 1868136]
Created python-pip-epel tracking bugs for this issue:
Affects: epel-7 [bug 1868137]
Created python-virtualenv tracking bugs for this issue:
Affects: epel-6 [bug 1868138]
---
Fixed upstream in version 19.2:
"Prevent pip install from permitting directory traversal if e.g. a malicious server sends a Content-Disposition header with a filename containing ../ or ..\\. (#6413)"
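The advisory text above describes the defect (a server-supplied Content-Disposition filename joined straight onto the download directory) and the upstream fix (refusing path components such as ../ and ..\). The following is an added example written for this page, not pip's own code: it contrasts the unsafe join with a hardened version that keeps only the basename of the server-supplied name, handles both POSIX and Windows separators, and confirms the resolved path stays inside the download directory. The download directory `/tmp/pipdl`, the header values and the fallback name `pkg.tar.gz` are constructed for the example.

```python
import os
import ntpath
import posixpath
from email.message import Message


def parse_content_disposition_filename(header_value):
    """Return the filename parameter of a Content-Disposition header, or None.

    The stdlib email header parser handles quoted and RFC 2231 forms, so the
    value returned here is exactly what the server asked the client to use.
    """
    msg = Message()
    msg["content-disposition"] = header_value
    return msg.get_filename()


def unsafe_target_path(download_dir, filename):
    """Unsafe pattern, reconstructed from the advisory (not pip's code):
    trusting the server-supplied filename lets '../' climb out of download_dir."""
    return os.path.join(download_dir, filename)


def sanitize_filename(filename):
    """Reduce a server-supplied filename to a bare basename.

    Both separator styles are stripped so that '../x', '..\\x' and 'C:\\x'
    all collapse to 'x'. Returns None when nothing usable remains.
    """
    name = posixpath.basename(ntpath.basename(filename))
    if name in ("", ".", ".."):
        return None
    return name


def safe_target_path(download_dir, header_value, default_name):
    """Hardened version of the join: basename only, plus a containment check."""
    filename = parse_content_disposition_filename(header_value)
    name = sanitize_filename(filename) if filename else None
    if name is None:
        name = default_name  # fall back to a client-chosen name
    target = os.path.join(download_dir, name)
    # Defence in depth: the resolved target must remain under download_dir.
    real_dir = os.path.realpath(download_dir)
    if os.path.commonpath([real_dir, os.path.realpath(target)]) != real_dir:
        raise ValueError("resolved download path escapes the download directory")
    return target


if __name__ == "__main__":
    # Constructed header mirroring the pattern described in the advisory.
    header = 'attachment; filename="../../../root/.ssh/authorized_keys"'
    supplied = parse_content_disposition_filename(header)
    print("unsafe :", unsafe_target_path("/tmp/pipdl", supplied))
    print("safe   :", safe_target_path("/tmp/pipdl", header, "pkg.tar.gz"))
```

The containment check is deliberately kept even though `sanitize_filename` already removes every directory component; it turns a future regression in the sanitizer into a raised error rather than a silent file write outside the download directory.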
Bugzilla
CVE-2019-20916 python-virtualenv: python-pip: directory traversal in _download_http_url() function in src/pip/_internal/download.py [epel-6]
bugzilla·2020-08-11·CVSS 7.5
CVE-2019-20916 [HIGH] CVE-2019-20916 python-virtualenv: python-pip: directory traversal in _download_http_url() function in src/pip/_internal/download.py [epel-6]
CVE-2019-20916 python-virtualenv: python-pip: directory traversal in _download_http_url() function in src/pip/_internal/download.py [epel-6]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-6.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit mes
Bugzilla
CVE-2019-20916 python-pip: directory traversal in _download_http_url() function in src/pip/_internal/download.py [epel-6]
bugzilla·2020-08-11·CVSS 7.5
CVE-2019-20916 [HIGH] CVE-2019-20916 python-pip: directory traversal in _download_http_url() function in src/pip/_internal/download.py [epel-6]
CVE-2019-20916 python-pip: directory traversal in _download_http_url() function in src/pip/_internal/download.py [epel-6]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-6.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
Discussion:
Bugzilla
CVE-2019-20916 python-pip-epel: python-pip: directory traversal in _download_http_url() function in src/pip/_internal/download.py [epel-7]
bugzilla·2020-08-11·CVSS 7.5
CVE-2019-20916 [HIGH] CVE-2019-20916 python-pip-epel: python-pip: directory traversal in _download_http_url() function in src/pip/_internal/download.py [epel-7]
CVE-2019-20916 python-pip-epel: python-pip: directory traversal in _download_http_url() function in src/pip/_internal/download.py [epel-7]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-7.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit messa
CWE
Relative Path Traversal
mitre_cwe
CWE-23 Relative Path Traversal
CWE-23: Relative Path Traversal
The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.
Modes of Introduction:
Phase: Implementation
Common Consequences:
Scope: Integrity, Confidentiality, Availability. Impact: Execute Unauthorized Code or Commands. The attacker may be able to create or overwrite critical files that are used to execute code, such as programs or libraries.
Scope: Integrity. Impact: Modify Files or Directories. The attacker may be able to overwrite or create critical files, such as programs, libraries, or important data. If the targeted file is used for a security mechanism, then the attacker may be able
CWE
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
mitre_cwe
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Many file operations are intended to take place within a restricted directory. By using special elements such as ".." and "/" separators, attackers can escape outside of the restricted location to access files or directories that are elsewhere on the system. One of the most common special elements is the "../" sequence, which in most modern operating systems is inte
References:
http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00005.html
http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00010.html
https://github.com/gzpan123/pip/commit/a4c735b14a62f9cb864533808ac63936704f2ace
https://github.com/pypa/pip/compare/19.1.1...19.2
https://github.com/pypa/pip/issues/6413
https://lists.debian.org/debian-lts-announce/2020/09/msg00010.html
https://www.oracle.com/security-alerts/cpuapr2022.html
https://www.oracle.com/security-alerts/cpujul2022.html
Published: 2020-09-04