CVE-2019-20916

HIGH

pip < 19.2 - Directory Traversal via Content-Disposition Header

Title source: llm

Description

The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py.

References (8)

Core 8

Core References

Exploit, Patch x_refsource_misc

https://github.com/pypa/pip/issues/6413

Patch x_refsource_misc

https://github.com/gzpan123/pip/commit/a4c735b14a62f9cb864533808ac63936704f2ace

View Patch ZIP pw:eip

Patch x_refsource_misc

https://github.com/pypa/pip/compare/19.1.1...19.2

Mailing List, Third Party Advisory mailing-list x_refsource_mlist

https://lists.debian.org/debian-lts-announce/2020/09/msg00010.html

Mailing List, Third Party Advisory vendor-advisory x_refsource_suse

http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00005.html

Mailing List, Third Party Advisory vendor-advisory x_refsource_suse

http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00010.html

Patch, Third Party Advisory x_refsource_misc

https://www.oracle.com/security-alerts/cpuapr2022.html

Patch, Third Party Advisory x_refsource_misc

https://www.oracle.com/security-alerts/cpujul2022.html

Scores

CVSS v3 7.5

EPSS 0.0062

EPSS Percentile 70.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Details

CWE

CWE-22

Status published

Products (8)

debian/debian_linux 9.0

opensuse/leap 15.1

opensuse/leap 15.2

oracle/communications_cloud_native_core_network_function_cloud_native_environment 1.10.0

oracle/communications_cloud_native_core_network_function_cloud_native_environment 22.1.0

oracle/communications_cloud_native_core_policy 1.15.0

pypa/pip < 19.2

pypi/pip 0 - 19.2PyPI

Published Sep 04, 2020

Tracked Since Feb 18, 2026