EIQ-2020-0015

ID

EIQ-2020-0015

CVE

CVE-2019-20916

Description

pip can enable directory traversal

Date

02 Dec 2020

Severity

3 - HIGH

CVSSv3 score

7.5

Status

⏲ Planned for 2.10.0

Assessment

pip versions 19.1.1 and earlier can enable directory traversal when a URL is given in an install command.

In the _internal/download.py file, the _download_http_url function takes the filename directive of the Content-Disposition response header as the name under which the downloaded file is saved. A server can therefore return a path, not just a file name, as that value.

In pip versions 19.1.1 and earlier, the value of the filename directive is not sanitized before it is joined to the download directory.

This makes it possible for a server to include ../ sequences in the file name.

By exploiting this vulnerability, an attacker who controls the server pip downloads from (or who can tamper with its response) can make pip write the downloaded file outside its download directory, to any location writable by the user running pip.

Overwriting files in this way can lead to the execution of arbitrary commands on the machine running pip; the public CVE entry gives overwriting /root/.ssh/authorized_keys as an example.
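The following is an added example, not code from pip or from EclecticIQ. It mirrors the behaviour described above: a minimal parser for the filename directive, an unsafe variant that joins the server-supplied value to the download directory as-is (the pattern the advisory describes), and a hardened variant that reduces the value to a bare file name and then verifies that the final path is still contained in the download directory. The two Content-Disposition headers and the download directory are constructed for the example; the function and file names are assumptions, not pip's.

```python
import os
import re
from typing import Optional

# Constructed sample headers (not captured from a real server). The second one
# carries the traversal payload the advisory describes: a path, not a file name.
BENIGN_HEADER = 'attachment; filename="requests-2.22.0.tar.gz"'
MALICIOUS_HEADER = 'attachment; filename="../../../root/.ssh/authorized_keys"'

# Minimal parser for the filename directive (quoted or bare value); the
# RFC 5987 filename*= form is deliberately ignored here.
_FILENAME_RE = re.compile(r'(?:^|;)\s*filename\s*=\s*(?:"([^"]*)"|([^;]*))', re.IGNORECASE)


def content_disposition_filename(header: str) -> Optional[str]:
    """Return the filename directive of a Content-Disposition header, or None."""
    m = _FILENAME_RE.search(header)
    if not m:
        return None
    value = m.group(1) if m.group(1) is not None else m.group(2)
    return value.strip() or None


def vulnerable_target_path(download_dir: str, header: str, fallback: str) -> str:
    """Mirror of the unsafe behaviour (illustration, not pip's code): the
    server-supplied name is joined as-is, so '..' components walk out of
    download_dir."""
    name = content_disposition_filename(header) or fallback
    return os.path.normpath(os.path.join(download_dir, name))


def sanitize_server_filename(name: str) -> str:
    """Reduce a server-supplied name to a bare file name.

    Both '/' and '\\' are treated as separators so a backslash received on a
    POSIX host cannot later act as a separator on Windows; empty or dot-only
    results are rejected instead of silently falling back.
    """
    base = re.split(r"[\\/]", name)[-1]
    if base in ("", ".", ".."):
        raise ValueError(f"unsafe filename from server: {name!r}")
    return base


def escapes(download_dir: str, path: str) -> bool:
    """True if path resolves to a location outside download_dir."""
    root = os.path.realpath(download_dir)
    return os.path.commonpath([root, os.path.realpath(path)]) != root


def hardened_target_path(download_dir: str, header: str, fallback: str) -> str:
    """Safe variant: sanitize the name, then verify the final path is contained."""
    name = content_disposition_filename(header)
    name = sanitize_server_filename(name) if name else fallback
    target = os.path.join(download_dir, name)
    if escapes(download_dir, target):  # defence in depth after sanitizing
        raise ValueError(f"path escapes download directory: {target}")
    return target


def rejects_filename(name: str) -> bool:
    """Does sanitize_server_filename refuse this name?"""
    try:
        sanitize_server_filename(name)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    download_dir = "/tmp/pip-downloads"  # constructed for the example
    for label, header in (("benign", BENIGN_HEADER), ("malicious", MALICIOUS_HEADER)):
        unsafe = vulnerable_target_path(download_dir, header, "fallback.tar.gz")
        print(f"{label:9} vulnerable -> {unsafe}  escapes={escapes(download_dir, unsafe)}")
        safe = hardened_target_path(download_dir, header, "fallback.tar.gz")
        print(f"{label:9} hardened   -> {safe}  escapes={escapes(download_dir, safe)}")
```

With the malicious header, the vulnerable path normalizes to /root/.ssh/authorized_keys, while the hardened path stays inside the download directory as .../authorized_keys. The containment check after sanitizing is kept on purpose: reducing to a basename is the fix for this header, but verifying the resolved path against the intended root catches any other way a name might escape.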

To exploit the vulnerability against the platform, a potential attacker would first need to carry out a privilege escalation attack to obtain the following access rights, and then run pip against a URL they control:

  • SSH access to the server hosting the platform.

  • SSH access to the target platform instance.

Mitigation

To mitigate this vulnerability:

  • Do not install any assets (Python packages) from untrusted sources, and do not pass URLs from untrusted sources to pip.

Note

The vulnerability does not affect EclecticIQ Platform:

  • We do not install assets from untrusted sources.

  • We do not advise our customers to perform such an action.

Therefore, the platform exposes no attack surface through which the vulnerability can be exploited.

Affected versions

2.8.0 and earlier.

Notes

For more information, see: