VulnerableCode Package Details - pkg:deb/ubuntu/python-pip@8.1.2-2ubuntu0.1

Search for packages

Vulnerability	Summary	Fixed by
VCID-7ghb-wt6a-aaah Aliases: CVE-2020-26137 GHSA-wqvq-5m8c-6g24 PYSEC-2020-148	urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.	20.0.2-5ubuntu1.1 Affected by 0 other vulnerabilities.
VCID-c4ud-sqr9-aaae Aliases: CVE-2018-18074 GHSA-x84v-xcm2-53pg PYSEC-2018-28	The Requests package before 2.20.0 for Python sends an HTTP Authorization header to an http URI upon receiving a same-hostname https-to-http redirect, which makes it easier for remote attackers to discover credentials by sniffing the network.	9.0.1-2.3~ubuntu1.18.04.2 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-zh88-avv8-aaas Aliases: CVE-2019-20916 GHSA-gpvv-69j7-gwj8 PYSEC-2020-173 PYSEC-2020-192	The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py.	20.0.2-5ubuntu1 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-7ghb-wt6a-aaah
Aliases:
CVE-2020-26137
GHSA-wqvq-5m8c-6g24
PYSEC-2020-148

urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.

20.0.2-5ubuntu1.1
Affected by 0 other vulnerabilities.

VCID-c4ud-sqr9-aaae
Aliases:
CVE-2018-18074
GHSA-x84v-xcm2-53pg
PYSEC-2018-28

The Requests package before 2.20.0 for Python sends an HTTP Authorization header to an http URI upon receiving a same-hostname https-to-http redirect, which makes it easier for remote attackers to discover credentials by sniffing the network.

9.0.1-2.3~ubuntu1.18.04.2
Affected by 2 other vulnerabilities.

VCID-zh88-avv8-aaas
Aliases:
CVE-2019-20916
GHSA-gpvv-69j7-gwj8
PYSEC-2020-173
PYSEC-2020-192

The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py.

20.0.2-5ubuntu1
Affected by 1 other vulnerability.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Next non-vulnerable version	20.0.2-5ubuntu1.1
Latest non-vulnerable version	20.0.2-5ubuntu1.1
Risk	4.0