Package details: pkg:deb/ubuntu/python-pip@1.5.6-4
purl pkg:deb/ubuntu/python-pip@1.5.6-4
Next non-vulnerable version 20.0.2-5ubuntu1.1
Latest non-vulnerable version 20.0.2-5ubuntu1.1
Risk 10.0
Vulnerabilities affecting this package (6)
VCID-7ghb-wt6a-aaah
Aliases: CVE-2020-26137, GHSA-wqvq-5m8c-6g24, PYSEC-2020-148
Summary: urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.
Fixed by: 20.0.2-5ubuntu1.1 (affected by 0 other vulnerabilities)

VCID-c4ud-sqr9-aaae
Aliases: CVE-2018-18074, GHSA-x84v-xcm2-53pg, PYSEC-2018-28
Summary: The Requests package before 2.20.0 for Python sends an HTTP Authorization header to an http URI upon receiving a same-hostname https-to-http redirect, which makes it easier for remote attackers to discover credentials by sniffing the network.
Fixed by: 9.0.1-2.3~ubuntu1.18.04.2 (affected by 2 other vulnerabilities)

VCID-cw5n-r44n-aaaj
Aliases: CVE-2014-8991, GHSA-53mr-44pp-crf4, PYSEC-2014-11
Summary: pip 1.3 through 1.5.6 allows local users to cause a denial of service (prevention of package installation) by creating a /tmp/pip-build-* file for another user.
Fixed by: 8.1.1-2ubuntu0.4 (affected by 3 other vulnerabilities)

VCID-hm6f-wu61-aaad
Aliases: CVE-2013-1629, GHSA-g3p5-fjj9-h8gj, PYSEC-2013-8
Summary: pip before 1.3 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which allows man-in-the-middle attackers to execute arbitrary code via a crafted response to a "pip install" operation.
Fixed by: 8.1.1-2ubuntu0.4 (affected by 3 other vulnerabilities)

VCID-txqm-xc18-aaag
Aliases: CVE-2013-5123, GHSA-c5h8-cq4v-cvfm, PYSEC-2019-160
Summary: The mirroring support (-M, --use-mirrors) in Python Pip before 1.5 uses insecure DNS querying and authenticity checks which allows attackers to perform man-in-the-middle attacks.
Fixed by: 8.1.1-2ubuntu0.4 (affected by 3 other vulnerabilities)

VCID-zh88-avv8-aaas
Aliases: CVE-2019-20916, GHSA-gpvv-69j7-gwj8, PYSEC-2020-173, PYSEC-2020-192
Summary: The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py.
Fixed by: 20.0.2-5ubuntu1 (affected by 1 other vulnerability)

Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.
