CVE-2019-20916 vulnerability in Pypa and Other Products
Published on September 4, 2020
The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py.
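The root cause is trusting the filename from a server-supplied Content-Disposition header as a path. The following added example (not pip's code) shows the defensive handling a downloader should apply: parse the header with the standard library, reduce the name to a single path component, and then verify the final destination still resolves inside the download directory. The sample header values and the download directory are constructed for illustration.

```python
import os
import re
from email.message import Message

# Constructed sample header values (not taken from the advisory). The second
# one carries the "../" pattern the CVE description refers to.
SAMPLE_HEADERS = {
    "benign": 'attachment; filename="requests-2.24.0.tar.gz"',
    "traversal": 'attachment; filename="../../../root/.ssh/authorized_keys"',
}

def parse_content_disposition_filename(header_value):
    """Return the raw 'filename' parameter, or None, using the stdlib parser."""
    msg = Message()
    msg["content-disposition"] = header_value
    return msg.get_filename()

def is_traversal_attempt(raw_name):
    """True when the raw name contains path components; useful for logging."""
    if not raw_name:
        return False
    normalised = raw_name.replace("\\", "/")
    return os.path.basename(normalised) != normalised

def sanitize_filename(raw_name):
    """Reduce a server-supplied name to one safe path component.
    Returns None when nothing usable remains; the caller should then fall
    back to a name derived from the URL rather than the header."""
    if not raw_name:
        return None
    base = os.path.basename(raw_name.replace("\\", "/"))
    if base in ("", ".", ".."):
        return None
    # Conservative allow-list: letters, digits, dot, underscore, plus, dash.
    if not re.fullmatch(r"[A-Za-z0-9._+-]+", base):
        return None
    return base

def resolve_download_path(download_dir, header_value):
    """Build the destination path and refuse anything outside download_dir."""
    safe = sanitize_filename(parse_content_disposition_filename(header_value))
    if safe is None:
        return None
    root = os.path.realpath(download_dir)
    dest = os.path.realpath(os.path.join(root, safe))
    # Containment check: belt-and-braces even after sanitising the name.
    if os.path.commonpath([root, dest]) != root:
        return None
    return dest
```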
Exploit Probability (EPSS): 0.62% (percentile: 69.83%)
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.