CVE-2019-20916

Published: 04 September 2020

The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py.

Priority

Medium

CVSS 3 base score: 7.5

Status

Package Release Status
python-pip
Launchpad, Ubuntu, Debian
Upstream
Released (20.0.2-1)
Ubuntu 20.10 (Groovy Gorilla) Not vulnerable

Ubuntu 20.04 LTS (Focal Fossa) Not vulnerable
(20.0.2-5ubuntu1)
Ubuntu 18.04 LTS (Bionic Beaver)
Released (9.0.1-2.3~ubuntu1.18.04.4)
Ubuntu 16.04 LTS (Xenial Xerus) Needs triage

Ubuntu 14.04 ESM (Trusty Tahr) Needs triage

Ubuntu 12.04 ESM (Precise Pangolin) Does not exist