CVE-2021-3572

Severity: 5.7 MEDIUM
EPSS: 0.2% (top 52.95%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Nov 10; Latest update Jul 15

Description

A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker who can place a crafted reference in a git repository that pip installs from could use this issue to make pip install a different revision than the one requested. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.
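The description names the bug class but not the mechanism. The example below is added here and is not code from the advisory or from pip itself; it illustrates the pattern with constructed `git show-ref` output. Python's `str.splitlines()` also breaks lines on U+2028, U+2029, U+0085 and a few other Unicode separators, and `str.split()` with no argument also breaks on Unicode whitespace such as U+00A0, whereas `git show-ref` emits exactly one ASCII space and one `\n` per ref. Because git ref names may contain any byte at or above 0x80 (only ASCII control characters, space and a handful of punctuation characters are forbidden), an attacker who can create a tag can smuggle a second "line" into the parsed output. The SHA values, the tag names and the `resolve_tag` helper are constructed for the illustration.

```python
# Added example (not from the advisory or from pip): a crafted git ref name
# versus two ways of parsing `git show-ref` output.

GOOD_SHA = "a" * 40  # constructed: the commit the real tag v1.0 points at
EVIL_SHA = "b" * 40  # constructed: the commit the attacker wants installed

# Legal tag name: no ASCII space or control characters, but it contains
# U+2028 (LINE SEPARATOR) and U+00A0 (NO-BREAK SPACE), both encoded as
# bytes >= 0x80. To Python's default splitting it reads as two lines, the
# second being "<EVIL_SHA> refs/tags/v1.0".
CRAFTED_REF = f"refs/tags/x\u2028{EVIL_SHA}\u00a0refs/tags/v1.0"

# Constructed `git show-ref` output: "<sha> <name>\n" per ref, with a single
# ASCII space as the only in-line delimiter. The crafted ref is listed last,
# which matters because the last parsed entry wins in a dict.
SHOW_REF_OUTPUT = f"{GOOD_SHA} refs/tags/v1.0\n{'c' * 40} {CRAFTED_REF}\n"


def parse_show_ref_vulnerable(output: str) -> dict:
    """Vulnerable pattern: splitlines() and split() both honour Unicode
    separators, so a single crafted ref yields a forged second entry."""
    refs = {}
    for line in output.strip().splitlines():
        ref_sha, ref_name = line.split()
        refs[ref_name] = ref_sha
    return refs


def parse_show_ref_fixed(output: str) -> dict:
    """Hardened pattern: only the ASCII delimiters git emits are delimiters,
    and anything that does not look like "<40-hex-sha> <name>" is an error
    rather than something to guess at."""
    refs = {}
    for line in output.strip().split("\n"):
        line = line.rstrip("\r")
        if not line:
            continue
        try:
            ref_sha, ref_name = line.split(" ", 1)
        except ValueError:
            raise ValueError(f"unexpected show-ref line: {line!r}")
        if len(ref_sha) != 40 or any(c not in "0123456789abcdef" for c in ref_sha):
            raise ValueError(f"unexpected object name: {ref_sha!r}")
        # The crafted name is stored verbatim as one key; it can never
        # collide with the ref the caller actually asks for.
        refs[ref_name] = ref_sha
    return refs


def resolve_tag(refs: dict, tag: str) -> str:
    """Constructed stand-in for the lookup a VCS backend does after parsing."""
    return refs[f"refs/tags/{tag}"]


if __name__ == "__main__":
    print("vulnerable parser installs:", resolve_tag(parse_show_ref_vulnerable(SHOW_REF_OUTPUT), "v1.0"))
    print("fixed parser installs:     ", resolve_tag(parse_show_ref_fixed(SHOW_REF_OUTPUT), "v1.0"))
```

With the vulnerable parser the lookup for `v1.0` returns the attacker's SHA; with the hardened parser it returns the real one, and the crafted ref survives only as a harmless key with its literal name. The same rule applies to any tool that parses `git` plumbing output in Python: split on the exact ASCII delimiters the command documents, never on "whitespace" or "lines" in the Unicode sense.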

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N
Exploitability: 2.1 | Impact: 3.6

Affected Packages (7 packages)

Debian: python-pip < 20.3.4-2+3
CVEListV5: python-pip, fixed in python-pip 21.1
PyPI: pip < 21.1
NVD: pypa/pip < 21.1
NVD: oracle/agile_plm 9.3.6

Patches

🔴 Vulnerability Details (4)

GHSA: Improper Input Validation in pip (2021-11-15)
OSV: Improper Input Validation in pip (2021-11-15)
CVEList: CVE-2021-3572: A flaw was found in python-pip in the way it handled Unicode separators in git references (2021-11-10)
OSV: CVE-2021-3572: A flaw was found in python-pip in the way it handled Unicode separators in git references (2021-11-10)

📋 Vendor Advisories (6)

Oracle: Oracle Communications Risk Matrix: Policy (Package Installer for Python) — CVE-2021-3572 (2022-07-15)
Ubuntu: pip vulnerability (2022-05-19)
Oracle: Oracle Communications Risk Matrix: OC-CNE (python-pip) — CVE-2021-3572 (2022-04-15)
Microsoft: A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest (2021-11-09)
Red Hat: python-pip: Incorrect handling of unicode separators in git references (2021-04-24)