CVE-2024-6345

HIGH

setuptools < 70.0.0 - Remote Code Execution via Package Index Download Functions

Title source: llm

Description

A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to code injection. If these functions are exposed to user-controlled inputs, such as package URLs, they can execute arbitrary commands on the system. The issue is fixed in version 70.0.

References (3)

Core 3

Core References

Mailing List

https://lists.debian.org/debian-lts-announce/2024/09/msg00018.html

Exploit, Third Party Advisory

https://huntr.com/bounties/d6362117-ad57-4e83-951f-b8141c6e7ca5

Patch

https://github.com/pypa/setuptools/commit/88807c7062788254f654ea8c03427adc859321f0

View Patch ZIP pw:eip

Scores

CVSS v3 8.8

EPSS 0.0194

EPSS Percentile 77.6%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

CWE

CWE-94

Status published

Products (2)

pypa/pypa/setuptools unspecified - 70.0

pypi/setuptools 0 - 70.0.0PyPI

Published Jul 15, 2024

Tracked Since Feb 18, 2026