CVE-2019-20916 — HIGH (7.5)

Q: How severe is CVE-2019-20916?

CVE-2019-20916 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2019-20916?

Check the references section above for vendor advisories and patch information. Affected products include: Pypa Pip, Opensuse Leap, Debian Debian Linux, Oracle Communications Cloud Native Core Network Function Cloud Native Environment, Oracle Communications Cloud Native Core Policy.

Vulnerability Description

The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py.

CVSS Score

7.5

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

HIGH

Availability

NONE

Affected Products

Vendor	Product	Versions
Pypa	Pip	< 19.2
Opensuse	Leap	15.1
Debian	Debian Linux	9.0
Oracle	Communications Cloud Native Core Network Function Cloud Native Environment	1.10.0
Oracle	Communications Cloud Native Core Policy	1.15.0

Related Weaknesses (CWE)

CWE-22

References

http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00005.htmlMailing ListThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00010.htmlMailing ListThird Party Advisory
https://github.com/gzpan123/pip/commit/a4c735b14a62f9cb864533808ac63936704f2acePatch
https://github.com/pypa/pip/compare/19.1.1...19.2Patch
https://github.com/pypa/pip/issues/6413ExploitPatch
https://lists.debian.org/debian-lts-announce/2020/09/msg00010.htmlMailing ListThird Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.htmlPatchThird Party Advisory
https://www.oracle.com/security-alerts/cpujul2022.htmlPatchThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00005.htmlMailing ListThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00010.htmlMailing ListThird Party Advisory
https://github.com/gzpan123/pip/commit/a4c735b14a62f9cb864533808ac63936704f2acePatch
https://github.com/pypa/pip/compare/19.1.1...19.2Patch
https://github.com/pypa/pip/issues/6413ExploitPatch
https://lists.debian.org/debian-lts-announce/2020/09/msg00010.htmlMailing ListThird Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.htmlPatchThird Party Advisory

FAQ

What is CVE-2019-20916?

CVE-2019-20916 is a vulnerability with a CVSS score of 7.5 (HIGH). The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwri...

How severe is CVE-2019-20916?

CVE-2019-20916 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2019-20916?

Check the references section above for vendor advisories and patch information. Affected products include: Pypa Pip, Opensuse Leap, Debian Debian Linux, Oracle Communications Cloud Native Core Network Function Cloud Native Environment, Oracle Communications Cloud Native Core Policy.