CVE-2023-31543: pipreqs vulnerable to Dependency Confusion
A dependency confusion vulnerability in pipreqs v0.3.0 through v0.4.11 allows attackers to execute arbitrary code by uploading a crafted PyPI package to the chosen repository server.
References
- gist.github.com/adeadfed/ccc834440af354a5638f889bee34bafe
- github.com/advisories/GHSA-v4f4-23wc-99mh
- github.com/bndr/pipreqs
- github.com/bndr/pipreqs/blob/master/pipreqs/pipreqs.py
- github.com/bndr/pipreqs/commit/3f5964fcb90ec6eb6df46d78e651a1b73538d0ba
- github.com/bndr/pipreqs/pull/364
- github.com/pypa/advisory-database/tree/main/vulns/pipreqs/PYSEC-2023-99.yaml
- nvd.nist.gov/vuln/detail/CVE-2023-31543