Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-a1m5-12w5-sffd
Vulnerability ID VCID-a1m5-12w5-sffd
Aliases PYSEC-2020-192
Summary The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py.
Status Published
Exploitability 0.5
Weighted Severity 0.0
Risk None
Affected and Fixed Packages Package Details
Weaknesses (0)
There are no known CWE.
System Score Found at
There are no known severity scores.
Reference id Reference type URL
http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00005.html
http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00010.html
https://github.com/gzpan123/pip/commit/a4c735b14a62f9cb864533808ac63936704f2ace
https://github.com/pypa/pip/compare/19.1.1...19.2
https://github.com/pypa/pip/issues/6413
https://lists.debian.org/debian-lts-announce/2020/09/msg00010.html
No exploits are available.
There are no known vectors.

No EPSS data available for this vulnerability.

Date Actor Action Source VulnerableCode Version
2026-04-01T15:02:13.262971+00:00 PyPI Importer Import https://osv-vulnerabilities.storage.googleapis.com/PyPI/all.zip 38.0.0