CVE-2021-3572

Severity: MEDIUM

pip < 21.1 - Remote Revision Manipulation via Unicode Separator Handling

Exploitation Summary

EIP tracks 1 public exploit for CVE-2021-3572. PoC published by frenzymadness.

AI-analyzed exploit summary: This repository demonstrates CVE-2021-3572, a vulnerability in pip where a maliciously crafted package version could be incorrectly installed due to improper version parsing. The PoC shows that vulnerable pip versions (<21.1) install version 9999.0 instead of the correct version 1.0.

Description

A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.

Exploits (1)

nomisec · working PoC · 2 stars
by frenzymadness · poc
https://github.com/frenzymadness/CVE-2021-3572

Classification: Working PoC (100%)
Attack Type: Other
Complexity: Trivial
Reliability: Reliable
Target: pip <21.1
Authentication: No auth needed
Prerequisites: Vulnerable pip version (<21.1) installed
Analyzed by devstral-2 on Feb 18, 2026

Scores

CVSS v3: 5.7
EPSS: 0.0024
EPSS Percentile: 47.4%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N

Details

CWE: CWE-20
Status: published
Products (7):
oracle/agile_plm 9.3.6
oracle/communications_cloud_native_core_network_function_cloud_native_environment 1.10.0
oracle/communications_cloud_native_core_network_function_cloud_native_environment 22.1.0
oracle/communications_cloud_native_core_policy 1.15.0
oracle/communications_cloud_native_core_policy 22.1.3
pypa/pip < 21.1
pypi/pip 0 - 21.1 (PyPI)
Published: Nov 10, 2021
Tracked Since: Feb 18, 2026