EIQ-2020-0015

ID	EIQ-2020-0015
CVE	CVE-2019-20916
Description	pip can enable directory traversal
Date	02 Dec 2020
Severity	3 - HIGH
CVSSv3 score	7.5
Status	Planned for 2.10.0
Assessment	pip versions 19.1.1 and earlier can enable directory traversal. In the `_internal/download.py` file, the `_download_http_url` function allows the `filename` directive of the `Content-Disposition` response header to hold a URL path pointing to a file as a value. In pip versions 19.1.1 and earlier, URLs in the `filename` directive of the `Content-Disposition` response header are not properly sanitized. This makes it possible to include `../` sequences in the file path. By exploiting this vulnerability, potential attackers can break out of the web server's root directory, and they can access files in other directories. They might be able to view restricted files, or to execute commands on the targeted machine. To exploit the vulnerability, a potential attacker would need to carry out a privilege escalation attack to obtain the following access rights: SSH access to the server hosting the platform. SSH access to the target platform instance.
Mitigation	To mitigate this vulnerability: Do not install any assets from unstrusted sources. The vulnerability does not affect EclecticIQ Platform: We do not install assets from untrusted sources. We do not advise our customers to perform such an action. Therefore, there is no exposure surface to exploit the vulnerability in the platform.
Affected versions	2.8.0 and earlier.
Notes	For more information, see: CVE-2019-20916 CWE-22: Improper Limitation of a Pathname to a Restricted Directory (Path Traversal) GitHub issue reporting the vulnerability This section is not visible to users accessing the public docs, it's for internal reference See also: SNYK-PYTHON-PIP-609855 TP 48351 Slack convo in engineering-backend channel

< Back to all security issues and mitigation actions

In release notes 2.9.0