Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-75s4-h132-6fe1
Vulnerability ID VCID-75s4-h132-6fe1
Aliases CVE-2021-3572
GHSA-5xp3-jfq3-5q8x
PYSEC-2021-437
Summary A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-20 Improper Input Validation
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
cvssv3.1 5.7 https://access.redhat.com/errata/RHSA-2021:3254
cvssv4 7.1 https://access.redhat.com/errata/RHSA-2021:3254
generic_textual HIGH https://access.redhat.com/errata/RHSA-2021:3254
cvssv3 4.5 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-3572.json
epss 0.0024 https://api.first.org/data/v1/epss?cve=CVE-2021-3572
epss 0.0024 https://api.first.org/data/v1/epss?cve=CVE-2021-3572
epss 0.0024 https://api.first.org/data/v1/epss?cve=CVE-2021-3572
epss 0.0024 https://api.first.org/data/v1/epss?cve=CVE-2021-3572
epss 0.0024 https://api.first.org/data/v1/epss?cve=CVE-2021-3572
epss 0.0024 https://api.first.org/data/v1/epss?cve=CVE-2021-3572
epss 0.0024 https://api.first.org/data/v1/epss?cve=CVE-2021-3572
epss 0.0024 https://api.first.org/data/v1/epss?cve=CVE-2021-3572
epss 0.0024 https://api.first.org/data/v1/epss?cve=CVE-2021-3572
epss 0.0024 https://api.first.org/data/v1/epss?cve=CVE-2021-3572
epss 0.0024 https://api.first.org/data/v1/epss?cve=CVE-2021-3572
epss 0.0024 https://api.first.org/data/v1/epss?cve=CVE-2021-3572
cvssv3.1 5.7 https://bugzilla.redhat.com/show_bug.cgi?id=1962856
cvssv4 7.1 https://bugzilla.redhat.com/show_bug.cgi?id=1962856
generic_textual HIGH https://bugzilla.redhat.com/show_bug.cgi?id=1962856
cvssv3.1 4.5 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1 5.7 https://github.com/advisories/GHSA-5xp3-jfq3-5q8x
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-5xp3-jfq3-5q8x
cvssv4 7.1 https://github.com/advisories/GHSA-5xp3-jfq3-5q8x
generic_textual HIGH https://github.com/advisories/GHSA-5xp3-jfq3-5q8x
cvssv3.1 5.7 https://github.com/pypa/advisory-database/tree/main/vulns/pip/PYSEC-2021-437.yaml
cvssv4 7.1 https://github.com/pypa/advisory-database/tree/main/vulns/pip/PYSEC-2021-437.yaml
generic_textual HIGH https://github.com/pypa/advisory-database/tree/main/vulns/pip/PYSEC-2021-437.yaml
cvssv3.1 5.7 https://github.com/pypa/pip
cvssv4 7.1 https://github.com/pypa/pip
generic_textual HIGH https://github.com/pypa/pip
cvssv3.1 5.7 https://github.com/pypa/pip/commit/e46bdda9711392fec0c45c1175bae6db847cb30b
cvssv4 7.1 https://github.com/pypa/pip/commit/e46bdda9711392fec0c45c1175bae6db847cb30b
generic_textual HIGH https://github.com/pypa/pip/commit/e46bdda9711392fec0c45c1175bae6db847cb30b
cvssv3.1 5.7 https://github.com/pypa/pip/pull/9827
cvssv4 7.1 https://github.com/pypa/pip/pull/9827
generic_textual HIGH https://github.com/pypa/pip/pull/9827
cvssv3.1 5.7 https://nvd.nist.gov/vuln/detail/CVE-2021-3572
cvssv4 7.1 https://nvd.nist.gov/vuln/detail/CVE-2021-3572
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2021-3572
cvssv3.1 5.7 https://packetstormsecurity.com/files/162712/USN-4961-1.txt
cvssv4 7.1 https://packetstormsecurity.com/files/162712/USN-4961-1.txt
generic_textual HIGH https://packetstormsecurity.com/files/162712/USN-4961-1.txt
archlinux Medium https://security.archlinux.org/AVG-2036
cvssv3.1 5.7 https://security.netapp.com/advisory/ntap-20240621-0006
cvssv4 7.1 https://security.netapp.com/advisory/ntap-20240621-0006
generic_textual HIGH https://security.netapp.com/advisory/ntap-20240621-0006
cvssv3.1 5.7 https://www.oracle.com/security-alerts/cpuapr2022.html
cvssv4 7.1 https://www.oracle.com/security-alerts/cpuapr2022.html
generic_textual HIGH https://www.oracle.com/security-alerts/cpuapr2022.html
cvssv3.1 5.7 https://www.oracle.com/security-alerts/cpujul2022.html
cvssv4 7.1 https://www.oracle.com/security-alerts/cpujul2022.html
generic_textual HIGH https://www.oracle.com/security-alerts/cpujul2022.html
Reference id Reference type URL
https://access.redhat.com/errata/RHSA-2021:3254
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-3572.json
https://api.first.org/data/v1/epss?cve=CVE-2021-3572
https://bugzilla.redhat.com/show_bug.cgi?id=1962856
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3572
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://github.com/advisories/GHSA-5xp3-jfq3-5q8x
https://github.com/pypa/advisory-database/tree/main/vulns/pip/PYSEC-2021-437.yaml
https://github.com/pypa/pip
https://github.com/pypa/pip/commit/e46bdda9711392fec0c45c1175bae6db847cb30b
https://github.com/pypa/pip/pull/9827
https://packetstormsecurity.com/files/162712/USN-4961-1.txt
https://security.netapp.com/advisory/ntap-20240621-0006
https://www.oracle.com/security-alerts/cpuapr2022.html
https://www.oracle.com/security-alerts/cpujul2022.html
AVG-2036 https://security.archlinux.org/AVG-2036
CVE-2021-3572 https://nvd.nist.gov/vuln/detail/CVE-2021-3572
RHSA-2021:4160 https://access.redhat.com/errata/RHSA-2021:4160
RHSA-2021:4162 https://access.redhat.com/errata/RHSA-2021:4162
RHSA-2021:4455 https://access.redhat.com/errata/RHSA-2021:4455
USN-USN-4961-2 https://usn.ubuntu.com/USN-4961-2/
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N Found at https://access.redhat.com/errata/RHSA-2021:3254
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N Found at https://access.redhat.com/errata/RHSA-2021:3254
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-3572.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N Found at https://bugzilla.redhat.com/show_bug.cgi?id=1962856
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N Found at https://bugzilla.redhat.com/show_bug.cgi?id=1962856
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:N Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N Found at https://github.com/advisories/GHSA-5xp3-jfq3-5q8x
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N Found at https://github.com/advisories/GHSA-5xp3-jfq3-5q8x
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N Found at https://github.com/pypa/advisory-database/tree/main/vulns/pip/PYSEC-2021-437.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N Found at https://github.com/pypa/advisory-database/tree/main/vulns/pip/PYSEC-2021-437.yaml
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N Found at https://github.com/pypa/pip
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N Found at https://github.com/pypa/pip
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N Found at https://github.com/pypa/pip/commit/e46bdda9711392fec0c45c1175bae6db847cb30b
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N Found at https://github.com/pypa/pip/commit/e46bdda9711392fec0c45c1175bae6db847cb30b
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N Found at https://github.com/pypa/pip/pull/9827
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N Found at https://github.com/pypa/pip/pull/9827
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2021-3572
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N Found at https://nvd.nist.gov/vuln/detail/CVE-2021-3572
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N Found at https://packetstormsecurity.com/files/162712/USN-4961-1.txt
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N Found at https://packetstormsecurity.com/files/162712/USN-4961-1.txt
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N Found at https://security.netapp.com/advisory/ntap-20240621-0006
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N Found at https://security.netapp.com/advisory/ntap-20240621-0006
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N Found at https://www.oracle.com/security-alerts/cpuapr2022.html
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N Found at https://www.oracle.com/security-alerts/cpuapr2022.html
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N Found at https://www.oracle.com/security-alerts/cpujul2022.html
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N Found at https://www.oracle.com/security-alerts/cpujul2022.html
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.46993
EPSS Score 0.0024
Published At April 1, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T12:46:59.197764+00:00 Pypa Importer Import https://github.com/pypa/advisory-database/blob/main/vulns/pip/PYSEC-2021-437.yaml 38.0.0