PyPI: setuptools
CVE-2024-6345
Safety vulnerability ID: SFTY-20240715-90553
Safety legacy ID: pyup.io-72236
Affected versions of Setuptools allow for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to code injection. If these functions are exposed to user-controlled inputs, such as package URLs, they can execute arbitrary commands on the system.
Overview
setuptools vulnerable to Command Injection via package URL
Advisory
Affected versions of Setuptools allow for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to code injection. If these functions are exposed to user-controlled inputs, such as package URLs, they can execute arbitrary commands on the system.
How to Fix
Mitigation and Workarounds
---
Vulnerable Functions
Functions linked to known vulnerabilities.
References
- https://getsafety.com/vulnerabilities/SFTY-20240715-90553/CVE-2024-6345
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6345
- https://nvd.nist.gov/vuln/detail/CVE-2024-6345
- https://github.com/pypa/setuptools/commit/88807c7062788254f654ea8c03427adc859321f0
- https://huntr.com/bounties/d6362117-ad57-4e83-951f-b8141c6e7ca5
- https://github.com/pypa/setuptools/pull/4332
- https://lists.debian.org/debian-lts-announce/2024/09/msg00018.html
- https://github.com/advisories/GHSA-cx63-2mw6-8hw5
Verified by Safety
Our Cybersecurity Intelligence Team reviewed this vulnerability. We combine public data with our own research to find issues not yet reported to public sources.
Learn more