Vulnerability in Python-Pip Affects Data Integrity for Remote Git Operations
CVE-2021-3572

5.7MEDIUM

Key Information:

Vendor: Pypa
Status: Python-pip
Vendor: CVE Published:; 10 November 2021

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2021-3572?

A vulnerability exists in python-pip that improperly handles Unicode separators in git references. This flaw allows remote attackers to exploit the issue, potentially leading to the installation of unintended revisions from a repository. The main threat associated with this vulnerability is compromised data integrity. Users are advised to upgrade to python-pip version 21.1 or later to mitigate this risk.

Affected Version(s)

python-pip fixed in python-pip 21.1

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2021-3572
Created by frenzymadness

References

https://bugzilla.redhat.com/show_bug.cgi?id=1962856

https://www.oracle.com/security-alerts/cpuapr2022.html

https://www.oracle.com/security-alerts/cpujul2022.html

CVSS V3.1

Score:

5.7

Severity:

MEDIUM

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 10, 2021
🟡
Public PoC available
Jun 7, 2021
👾
Exploit known to exist
Jun 7, 2021
Vulnerability Reserved
Jun 1, 2021

Pypa