CVE-2024-6345: Code Injection in Setuptools

CWE-94 (Code Injection) | 12 documents | 11 sources

Severity: 8.8 HIGH (NVD)
EPSS: 5.7% (top 9.58%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jul 15; latest update Oct 15

Description

A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to code injection. If these functions are exposed to user-controlled inputs, such as package URLs, they can execute arbitrary commands on the system. The issue is fixed in version 70.0.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Exploitability: 2.8 | Impact: 5.9

Affected Packages (16 packages)

Source: CVEListV5; package: pypa/pypa_setuptools; affected: unspecified; fixed: 70.0
Source: PyPI; package: python/setuptools; affected: < 70.0.0
Source: debian; package: debian/setuptools; affected: < setuptools 66.1.1-1+deb12u1 (bookworm)
Source: Debian; package: python/setuptools; affected: < 52.0.0-4+deb11u1+3

Vulnerability Details (4)

Kernel: drm/ci: Upgrade setuptools requirement to 70.0.0 (2024-07-16)
OSV: setuptools vulnerable to Command Injection via package URL (2024-07-15)
GHSA: setuptools vulnerable to Command Injection via package URL (2024-07-15)
OSV: CVE-2024-6345: A vulnerability in the package_index module of pypa/setuptools versions up to 69 (2024-07-15)

Vendor Advisories (6)

Oracle: Oracle Fusion Middleware Risk Matrix: Centralized Thirdparty Jars (Jython) — CVE-2024-6345 (2024-10-15)
Ubuntu: Setuptools vulnerability (2024-09-12)
Red Hat: pypa/setuptools: Remote code execution via download functions in the package_index module in pypa/setuptools (2024-07-15)
Microsoft: Remote Code Execution in pypa/setuptools (2024-07-09)
Palo Alto: PAN-SA-2024-0004 Informational Bulletin: OSS CVEs fixed in PAN-OS (2024-04-10)

Community (1)

Bugzilla: CVE-2024-26886 kernel: Bluetooth: af_bluetooth: Fix deadlock (2024-04-17)