ALT-PU-2021-1772-2 — python3-module-pip

BDU:2023-03310

MEDIUM5.7

Уязвимость модуля pip языка программирования Python, связанная с недостаточной проверкой вводимых данных, позволяющая нарушителю оказать воздействие на целостность данных

Published: 2023-06-22Modified: 2024-11-11

CVSS 3.xMEDIUM 5.7

CVSS:3.x/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N

CVSS 2.0MEDIUM 6.8

CVSS:2.0/AV:N/AC:L/Au:S/C:N/I:C/A:N

References

CVE-2021-3572

BDU:2025-04191

MEDIUM6.5

Уязвимость HTTP библиотеки Urllib3 языка программирования Python, связанная с ошибками процедуры подтверждения подлинности сертификата, позволяющая нарушителю получить доступ к конфиденциальным данным и нарушить их целостность

Published: 2025-04-10

CVSS 3.xMEDIUM 6.5

CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

CVSS 2.0MEDIUM 6.4

CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:N

References

CVE-2021-28363

CVE-2021-28363

MEDIUM6.5

The urllib3 library 1.26.x before 1.26.4 for Python omits SSL certificate validation in some cases involving HTTPS to HTTPS proxies. The initial connection to the HTTPS proxy (if an SSLContext isn't given via proxy_config) doesn't verify the hostname of the certificate. This means certificates for different servers that still validate properly with the default urllib3 SSLContext will be silently accepted.

Published: 2021-03-15Modified: 2024-11-21

CVSS 2.0MEDIUM 6.4

CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:N

CVSS 3.xMEDIUM 6.5

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

References

CVE-2021-3572

MEDIUM5.7

A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.

Published: 2021-11-10Modified: 2024-11-21

CVSS 2.0LOW 3.5

CVSS:2.0/AV:N/AC:M/Au:S/C:N/I:P/A:N

CVSS 3.xMEDIUM 5.7

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N

References

GHSA-5phf-pp7p-vc2r

MEDIUM6.9

Using default SSLContext for HTTPS requests in an HTTPS proxy doesn't verify certificate hostname for proxy connection

Published: 2021-03-19Modified: 2024-11-19

CVSS 3.x

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

CVSS 4.0

CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

References

GHSA-5xp3-jfq3-5q8x

HIGH7.1

Improper Input Validation in pip

Published: 2021-11-15Modified: 2024-10-12

CVSS 3.xHIGH 7.1

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N

CVSS 4.0HIGH 7.1

CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

References

Package update python3-module-pip in branch sisyphus

Closed issues (6)

A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.

Using default SSLContext for HTTPS requests in an HTTPS proxy doesn't verify certificate hostname for proxy connection

Improper Input Validation in pip