setuptools <=69.1.1 RCE via download URL injection
CVE-2024-6345 Published on July 15, 2024
Remote Code Execution in pypa/setuptools
A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to code injection. If these functions are exposed to user-controlled inputs, such as package URLs, they can execute arbitrary commands on the system. The issue is fixed in version 70.0.
Weakness Type
What is a Code Injection Vulnerability?
The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
CVE-2024-6345 has been classified to as a Code Injection vulnerability or weakness.
Products Associated with CVE-2024-6345
stack.watch emails you whenever new vulnerabilities are published in Oracle or Python Setuptools. Just hit a watch button to start following.
Affected Versions
pypa/setuptools:- Version unspecified and below 70.0 is affected.
- Version 69.1.1 and below 70.0 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.