Look up vulnerable packages by Package URL.

Purl pkg:pypi/pip@1.1
Type pypi
Namespace
Name pip
Version 1.1
Qualifiers
Subpath
Is_vulnerable true
Next_non_vulnerable_version 23.3
Latest_non_vulnerable_version 26.0
Affected_by_vulnerabilities
0
url VCID-1as6-9kq7-d7gy
vulnerability_id VCID-1as6-9kq7-d7gy
summary When installing a package from a Mercurial VCS URL (ie "pip install hg+...") with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the "hg clone" call (ie "--config"). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.
references
0
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/pip/PYSEC-2023-228.yaml
reference_id
reference_type
scores
url https://github.com/pypa/advisory-database/tree/main/vulns/pip/PYSEC-2023-228.yaml
1
reference_url https://github.com/pypa/pip
reference_id
reference_type
scores
url https://github.com/pypa/pip
2
reference_url https://github.com/pypa/pip/commit/389cb799d0da9a840749fcd14878928467ed49b4
reference_id
reference_type
scores
url https://github.com/pypa/pip/commit/389cb799d0da9a840749fcd14878928467ed49b4
3
reference_url https://github.com/pypa/pip/pull/12306
reference_id
reference_type
scores
0
value 3.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
url https://github.com/pypa/pip/pull/12306
4
reference_url https://lists.debian.org/debian-lts-announce/2025/10/msg00028.html
reference_id
reference_type
scores
url https://lists.debian.org/debian-lts-announce/2025/10/msg00028.html
5
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/622OZXWG72ISQPLM5Y57YCVIMWHD4C3U
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/622OZXWG72ISQPLM5Y57YCVIMWHD4C3U
6
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/65UKKF5LBHEFDCUSPBHUN4IHYX7SRMHH
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/65UKKF5LBHEFDCUSPBHUN4IHYX7SRMHH
7
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FXUVMJM25PUAZRQZBF54OFVKTY3MINPW
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FXUVMJM25PUAZRQZBF54OFVKTY3MINPW
8
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KFC2SPFG5FLCZBYY2K3T5MFW2D22NG6E
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KFC2SPFG5FLCZBYY2K3T5MFW2D22NG6E
9
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YBSB3SUPQ3VIFYUMHPO3MEQI4BJAXKCZ
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YBSB3SUPQ3VIFYUMHPO3MEQI4BJAXKCZ
10
reference_url https://mail.python.org/archives/list/security-announce@python.org/thread/F4PL35U6X4VVHZ5ILJU3PWUWN7H7LZXL
reference_id
reference_type
scores
url https://mail.python.org/archives/list/security-announce@python.org/thread/F4PL35U6X4VVHZ5ILJU3PWUWN7H7LZXL
11
reference_url https://mail.python.org/archives/list/security-announce@python.org/thread/F4PL35U6X4VVHZ5ILJU3PWUWN7H7LZXL/
reference_id
reference_type
scores
0
value 3.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
url https://mail.python.org/archives/list/security-announce@python.org/thread/F4PL35U6X4VVHZ5ILJU3PWUWN7H7LZXL/
12
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-5752
reference_id CVE-2023-5752
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2023-5752
13
reference_url https://github.com/advisories/GHSA-mq26-g339-26xf
reference_id GHSA-mq26-g339-26xf
reference_type
scores
url https://github.com/advisories/GHSA-mq26-g339-26xf
fixed_packages
0
url pkg:pypi/pip@23.3
purl pkg:pypi/pip@23.3
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pip@23.3
aliases CVE-2023-5752, GHSA-mq26-g339-26xf, PYSEC-2023-228
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-1as6-9kq7-d7gy
1
url VCID-g99f-q7vc-gyeg
vulnerability_id VCID-g99f-q7vc-gyeg
summary The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py.
references
0
reference_url http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00005.html
reference_id
reference_type
scores
url http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00005.html
1
reference_url http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00010.html
reference_id
reference_type
scores
url http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00010.html
2
reference_url https://github.com/advisories/GHSA-gpvv-69j7-gwj8
reference_id
reference_type
scores
url https://github.com/advisories/GHSA-gpvv-69j7-gwj8
3
reference_url https://github.com/gzpan123/pip/commit/a4c735b14a62f9cb864533808ac63936704f2ace
reference_id
reference_type
scores
url https://github.com/gzpan123/pip/commit/a4c735b14a62f9cb864533808ac63936704f2ace
4
reference_url https://github.com/pypa/pip/compare/19.1.1...19.2
reference_id
reference_type
scores
url https://github.com/pypa/pip/compare/19.1.1...19.2
5
reference_url https://github.com/pypa/pip/issues/6413
reference_id
reference_type
scores
url https://github.com/pypa/pip/issues/6413
6
reference_url https://lists.debian.org/debian-lts-announce/2020/09/msg00010.html
reference_id
reference_type
scores
url https://lists.debian.org/debian-lts-announce/2020/09/msg00010.html
fixed_packages
0
url pkg:pypi/pip@19.2
purl pkg:pypi/pip@19.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1as6-9kq7-d7gy
1
vulnerability VCID-mh4d-1b2e-bqem
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pip@19.2
aliases CVE-2019-20916, GHSA-gpvv-69j7-gwj8, PYSEC-2020-173
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-g99f-q7vc-gyeg
2
url VCID-gj8g-9yaz-nqbc
vulnerability_id VCID-gj8g-9yaz-nqbc
summary pip before 1.3 allows local users to overwrite arbitrary files via a symlink attack on a file in the /tmp/pip-build temporary directory.
references
0
reference_url http://lists.fedoraproject.org/pipermail/package-announce/2013-May/105952.html
reference_id
reference_type
scores
url http://lists.fedoraproject.org/pipermail/package-announce/2013-May/105952.html
1
reference_url http://lists.fedoraproject.org/pipermail/package-announce/2013-May/105989.html
reference_id
reference_type
scores
url http://lists.fedoraproject.org/pipermail/package-announce/2013-May/105989.html
2
reference_url http://lists.fedoraproject.org/pipermail/package-announce/2013-May/106311.html
reference_id
reference_type
scores
url http://lists.fedoraproject.org/pipermail/package-announce/2013-May/106311.html
3
reference_url https://github.com/advisories/GHSA-4gv5-qhvr-36vv
reference_id
reference_type
scores
url https://github.com/advisories/GHSA-4gv5-qhvr-36vv
4
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/pip/PYSEC-2013-9.yaml
reference_id
reference_type
scores
url https://github.com/pypa/advisory-database/tree/main/vulns/pip/PYSEC-2013-9.yaml
5
reference_url https://github.com/pypa/pip
reference_id
reference_type
scores
url https://github.com/pypa/pip
6
reference_url https://github.com/pypa/pip/issues/725
reference_id
reference_type
scores
url https://github.com/pypa/pip/issues/725
7
reference_url https://github.com/pypa/pip/pull/734/files
reference_id
reference_type
scores
url https://github.com/pypa/pip/pull/734/files
8
reference_url https://github.com/pypa/pip/pull/780/files
reference_id
reference_type
scores
url https://github.com/pypa/pip/pull/780/files
9
reference_url http://www.openwall.com/lists/oss-security/2013/03/22/10
reference_id
reference_type
scores
url http://www.openwall.com/lists/oss-security/2013/03/22/10
10
reference_url https://nvd.nist.gov/vuln/detail/CVE-2013-1888
reference_id CVE-2013-1888
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2013-1888
fixed_packages
0
url pkg:pypi/pip@1.3
purl pkg:pypi/pip@1.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1as6-9kq7-d7gy
1
vulnerability VCID-3x2g-szs1-2ueh
2
vulnerability VCID-g99f-q7vc-gyeg
3
vulnerability VCID-mh4d-1b2e-bqem
4
vulnerability VCID-vqxe-ay7u-yfgj
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pip@1.3
aliases CVE-2013-1888, GHSA-4gv5-qhvr-36vv, PYSEC-2013-9
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-gj8g-9yaz-nqbc
3
url VCID-mh4d-1b2e-bqem
vulnerability_id VCID-mh4d-1b2e-bqem
summary silent downgrade
references
0
reference_url https://access.redhat.com/errata/RHSA-2021:3254
reference_id
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:3254
1
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1962856
reference_id
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1962856
2
reference_url https://github.com/advisories/GHSA-5xp3-jfq3-5q8x
reference_id
reference_type
scores
url https://github.com/advisories/GHSA-5xp3-jfq3-5q8x
3
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/pip/PYSEC-2021-437.yaml
reference_id
reference_type
scores
url https://github.com/pypa/advisory-database/tree/main/vulns/pip/PYSEC-2021-437.yaml
4
reference_url https://github.com/pypa/pip
reference_id
reference_type
scores
url https://github.com/pypa/pip
5
reference_url https://github.com/pypa/pip/commit/e46bdda9711392fec0c45c1175bae6db847cb30b
reference_id
reference_type
scores
url https://github.com/pypa/pip/commit/e46bdda9711392fec0c45c1175bae6db847cb30b
6
reference_url https://github.com/pypa/pip/pull/9827
reference_id
reference_type
scores
url https://github.com/pypa/pip/pull/9827
7
reference_url https://packetstormsecurity.com/files/162712/USN-4961-1.txt
reference_id
reference_type
scores
url https://packetstormsecurity.com/files/162712/USN-4961-1.txt
8
reference_url https://security.netapp.com/advisory/ntap-20240621-0006
reference_id
reference_type
scores
url https://security.netapp.com/advisory/ntap-20240621-0006
9
reference_url https://www.oracle.com/security-alerts/cpuapr2022.html
reference_id
reference_type
scores
url https://www.oracle.com/security-alerts/cpuapr2022.html
10
reference_url https://www.oracle.com/security-alerts/cpujul2022.html
reference_id
reference_type
scores
url https://www.oracle.com/security-alerts/cpujul2022.html
11
reference_url https://security.archlinux.org/AVG-2036
reference_id AVG-2036
reference_type
scores
0
value Medium
scoring_system archlinux
scoring_elements
url https://security.archlinux.org/AVG-2036
12
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-3572
reference_id CVE-2021-3572
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2021-3572
fixed_packages
0
url pkg:pypi/pip@21.1
purl pkg:pypi/pip@21.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1as6-9kq7-d7gy
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pip@21.1
aliases CVE-2021-3572, GHSA-5xp3-jfq3-5q8x, PYSEC-2021-437
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-mh4d-1b2e-bqem
4
url VCID-nuzx-bhxz-ukdr
vulnerability_id VCID-nuzx-bhxz-ukdr
summary pip before 1.3 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which allows man-in-the-middle attackers to execute arbitrary code via a crafted response to a "pip install" operation.
references
0
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=968059
reference_id
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=968059
1
reference_url https://github.com/advisories/GHSA-g3p5-fjj9-h8gj
reference_id
reference_type
scores
url https://github.com/advisories/GHSA-g3p5-fjj9-h8gj
2
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/pip/PYSEC-2013-8.yaml
reference_id
reference_type
scores
url https://github.com/pypa/advisory-database/tree/main/vulns/pip/PYSEC-2013-8.yaml
3
reference_url https://github.com/pypa/pip
reference_id
reference_type
scores
url https://github.com/pypa/pip
4
reference_url https://github.com/pypa/pip/issues/425
reference_id
reference_type
scores
url https://github.com/pypa/pip/issues/425
5
reference_url https://github.com/pypa/pip/pull/791/files
reference_id
reference_type
scores
url https://github.com/pypa/pip/pull/791/files
6
reference_url http://www.pip-installer.org/en/latest/installing.html
reference_id
reference_type
scores
url http://www.pip-installer.org/en/latest/installing.html
7
reference_url http://www.pip-installer.org/en/latest/news.html#changelog
reference_id
reference_type
scores
url http://www.pip-installer.org/en/latest/news.html#changelog
8
reference_url http://www.reddit.com/r/Python/comments/17rfh7/warning_dont_use_pip_in_an_untrusted_network_a/
reference_id
reference_type
scores
url http://www.reddit.com/r/Python/comments/17rfh7/warning_dont_use_pip_in_an_untrusted_network_a/
9
reference_url https://nvd.nist.gov/vuln/detail/CVE-2013-1629
reference_id CVE-2013-1629
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2013-1629
fixed_packages
0
url pkg:pypi/pip@1.3
purl pkg:pypi/pip@1.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1as6-9kq7-d7gy
1
vulnerability VCID-3x2g-szs1-2ueh
2
vulnerability VCID-g99f-q7vc-gyeg
3
vulnerability VCID-mh4d-1b2e-bqem
4
vulnerability VCID-vqxe-ay7u-yfgj
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pip@1.3
aliases CVE-2013-1629, GHSA-g3p5-fjj9-h8gj, PYSEC-2013-8
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-nuzx-bhxz-ukdr
5
url VCID-vqxe-ay7u-yfgj
vulnerability_id VCID-vqxe-ay7u-yfgj
summary The mirroring support (-M, --use-mirrors) in Python Pip before 1.5 uses insecure DNS querying and authenticity checks which allows attackers to perform man-in-the-middle attacks.
references
0
reference_url http://lists.fedoraproject.org/pipermail/package-announce/2015-April/155248.html
reference_id
reference_type
scores
url http://lists.fedoraproject.org/pipermail/package-announce/2015-April/155248.html
1
reference_url http://lists.fedoraproject.org/pipermail/package-announce/2015-April/155291.html
reference_id
reference_type
scores
url http://lists.fedoraproject.org/pipermail/package-announce/2015-April/155291.html
2
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-5123
reference_id
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-5123
3
reference_url https://bugzilla.suse.com/show_bug.cgi?id=CVE-2013-5123
reference_id
reference_type
scores
url https://bugzilla.suse.com/show_bug.cgi?id=CVE-2013-5123
4
reference_url https://github.com/advisories/GHSA-c5h8-cq4v-cvfm
reference_id
reference_type
scores
url https://github.com/advisories/GHSA-c5h8-cq4v-cvfm
5
reference_url https://security-tracker.debian.org/tracker/CVE-2013-5123
reference_id
reference_type
scores
url https://security-tracker.debian.org/tracker/CVE-2013-5123
6
reference_url http://www.openwall.com/lists/oss-security/2013/08/21/17
reference_id
reference_type
scores
url http://www.openwall.com/lists/oss-security/2013/08/21/17
7
reference_url http://www.openwall.com/lists/oss-security/2013/08/21/18
reference_id
reference_type
scores
url http://www.openwall.com/lists/oss-security/2013/08/21/18
8
reference_url http://www.securityfocus.com/bid/77520
reference_id
reference_type
scores
url http://www.securityfocus.com/bid/77520
fixed_packages
0
url pkg:pypi/pip@1.5
purl pkg:pypi/pip@1.5
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1as6-9kq7-d7gy
1
vulnerability VCID-3x2g-szs1-2ueh
2
vulnerability VCID-g99f-q7vc-gyeg
3
vulnerability VCID-mh4d-1b2e-bqem
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pip@1.5
aliases CVE-2013-5123, GHSA-c5h8-cq4v-cvfm, PYSEC-2019-160
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-vqxe-ay7u-yfgj
Fixing_vulnerabilities
Risk_score null
Resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pip@1.1