CVE-2022-21668 — Improper Input Validation in Pipenv

CWE-20 — Improper Input Validation CWE-77 — Command Injection CWE-78 — OS Command Injection CWE-427 — Uncontrolled Search Path Element CWE-791 — Incomplete Filtering of Special Elements CWE-190 — Integer Overflow or Wraparound CWE-1284 — Improper Validation of Specified Quantity in Input5 documents4 sources

Severity

8.6HIGHNVD

EPSS

1.5%

top 18.96%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Pypa Pipenv Fedoraproject Fedora Debian Pipenv

Timeline

PublishedJan 10

Latest updateJan 12

Description

pipenv is a Python development workflow tool. Starting with version 2018.10.9 and prior to version 2022.1.8, a flaw in pipenv's parsing of requirements files allows an attacker to insert a specially crafted string inside a comment anywhere within a requirements.txt file, which will cause victims who use pipenv to install the requirements file to download dependencies from a package index server controlled by the attacker. By embedding malicious code in packages served from their malicious index …

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:HExploitability: 1.8 | Impact: 6.0

Affected Packages4 packages

▶NVDpypa/pipenv2018.10.9 — 2022.1.8

▶PyPIpypa/pipenv2018.10.9 — 2022.1.8+1

▶CVEListV5pypa/pipenv>= 2018.10.9, < 2022.1.8

▶debiandebian/pipenv

Also affects: Fedora 34, 35, 36

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

Pipenv's requirements.txt parsing allows malicious index url in comments↗2022-01-12

▶

GHSA

Pipenv's requirements.txt parsing allows malicious index url in comments↗2022-01-12

▶

OSV

CVE-2022-21668: pipenv is a Python development workflow tool↗2022-01-10

▶

📋Vendor Advisories

Debian

CVE-2022-21668: pipenv - pipenv is a Python development workflow tool. Starting with version 2018.10.9 an...↗2022

▶