purl | pkg:deb/ubuntu/python-pip@1.0-1build1 |
Next non-vulnerable version | 20.0.2-5ubuntu1.1 |
Latest non-vulnerable version | 20.0.2-5ubuntu1.1 |
Risk | 10.0 |
Vulnerability | Summary | Fixed by |
---|---|---|
VCID-7ghb-wt6a-aaah Aliases: CVE-2020-26137 GHSA-wqvq-5m8c-6g24 PYSEC-2020-148 | urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116. | Affected by 0 other vulnerabilities. |
VCID-bm2j-t7eh-aaam Aliases: CVE-2013-1888 GHSA-4gv5-qhvr-36vv PYSEC-2013-9 | pip before 1.3 allows local users to overwrite arbitrary files via a symlink attack on a file in the /tmp/pip-build temporary directory. | Affected by 6 other vulnerabilities. |
VCID-c4ud-sqr9-aaae Aliases: CVE-2018-18074 GHSA-x84v-xcm2-53pg PYSEC-2018-28 | The Requests package before 2.20.0 for Python sends an HTTP Authorization header to an http URI upon receiving a same-hostname https-to-http redirect, which makes it easier for remote attackers to discover credentials by sniffing the network. | Affected by 2 other vulnerabilities. |
VCID-cw5n-r44n-aaaj Aliases: CVE-2014-8991 GHSA-53mr-44pp-crf4 PYSEC-2014-11 | pip 1.3 through 1.5.6 allows local users to cause a denial of service (prevention of package installation) by creating a /tmp/pip-build-* file for another user. | Affected by 3 other vulnerabilities. |
VCID-hm6f-wu61-aaad Aliases: CVE-2013-1629 GHSA-g3p5-fjj9-h8gj PYSEC-2013-8 | pip before 1.3 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which allows man-in-the-middle attackers to execute arbitrary code via a crafted response to a "pip install" operation. | Affected by 4 other vulnerabilities. Affected by 3 other vulnerabilities. |
VCID-txqm-xc18-aaag Aliases: CVE-2013-5123 GHSA-c5h8-cq4v-cvfm PYSEC-2019-160 | The mirroring support (-M, --use-mirrors) in Python Pip before 1.5 uses insecure DNS querying and authenticity checks which allows attackers to perform man-in-the-middle attacks. | Affected by 4 other vulnerabilities. Affected by 3 other vulnerabilities. |
VCID-zh88-avv8-aaas Aliases: CVE-2019-20916 GHSA-gpvv-69j7-gwj8 PYSEC-2020-173 PYSEC-2020-192 | The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py. | Affected by 1 other vulnerability. |
Vulnerability | Summary | Aliases |
---|---|---|
This package is not known to fix vulnerabilities. |
Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
---|---|---|---|---|---|