How the CVE Works
The vulnerability exists in setuptools' `package_index.py`, where the `_download_url` function processes URLs to determine a download filename. The function attempts to sanitize the filename by replacing `..` with `.`, but this is insufficient. `os.path.join()` discards every preceding component as soon as a later component is absolute, so if the derived `name` starts with a slash or a drive letter, `tmpdir` is dropped and the file is written wherever `name` points, leading to path traversal. An attacker can craft a malicious URL in a package index to write files outside the intended directory, potentially achieving remote code execution (RCE) depending on the context.
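The following added example (not code from the advisory or from setuptools) models the mechanism above: a weak `..`-only cleanup followed by `os.path.join()`, run against constructed names as they might be derived from a URL, next to a hardened join that keeps only the final path component and verifies the result stays inside `tmpdir`. `TMPDIR`, `SAMPLE_NAMES`, `legacy_cleanup`, `hardened_join` and `escapes_tmpdir` are all assumptions introduced here.

```python
import os
import posixpath

# Constructed sample values; nothing is downloaded or written.
TMPDIR = "/tmp/easy_install-abc123"

# Names as they might come out of URL parsing: an ordinary filename,
# an absolute POSIX path and a Windows drive-letter path (all constructed).
SAMPLE_NAMES = ["pkg-1.0.tar.gz", "/etc/passwd", "C:\\Windows\\win.ini"]


def legacy_cleanup(name):
    """Weak sanitisation as the advisory describes it (modelled here, not
    setuptools' code verbatim): collapse '..' but never reject absolute names."""
    while ".." in name:
        name = name.replace("..", ".").replace("\\", "_")
    return name


def legacy_join(tmpdir, name):
    # os.path.join discards tmpdir once it meets an absolute component,
    # so an absolute 'name' is returned unchanged.
    return os.path.join(tmpdir, legacy_cleanup(name))


def hardened_join(tmpdir, name):
    """Hardened variant (added here, not the upstream fix): keep only the
    final path component, then confirm the result resolves under tmpdir."""
    base = posixpath.basename(name.replace("\\", "/"))
    # Refuse empty or dot names and anything still carrying a drive prefix.
    if base in ("", ".", "..") or ":" in base:
        base = "__downloaded__"
    root = os.path.realpath(tmpdir)
    candidate = os.path.realpath(os.path.join(root, base))
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError("download name escapes tmpdir: %r" % name)
    return candidate


def escapes_tmpdir(tmpdir, path):
    """Detection check: True when the joined path lies outside tmpdir."""
    root = os.path.realpath(tmpdir)
    return os.path.commonpath([root, os.path.realpath(path)]) != root


if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        legacy = legacy_join(TMPDIR, n)
        print("%-24r legacy=%-36s escapes=%-5s hardened=%s"
              % (n, legacy, escapes_tmpdir(TMPDIR, legacy), hardened_join(TMPDIR, n)))
```

Run on a POSIX host; the drive-letter case only escapes on Windows, which is why the hardened variant strips it unconditionally.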
DailyCVE Form
Platform: PyPI
Version: <78.1.1
Vulnerability: Path Traversal
Severity: Critical
Date: 2024-XX-XX
What Undercode Say:
Exploitation:
- Craft a malicious package index with a URL like `file:///etc/passwd`.
- Trigger `easy_install` or the deprecated `PackageIndex` to process the URL.
- The unsanitized `name` leads to an arbitrary file write.
Protection:
1. Upgrade to `setuptools>=78.1.1`.
2. Avoid deprecated `easy_install`.
3. Use `--trusted-host` restrictions.
Detection Commands:
```shell
pip list | grep setuptools
python -c "import setuptools; print(setuptools.__version__)"
```
Mitigation Code:
```python
import os


def safe_join(base, path):
    # Reject absolute paths, drive-letter prefixes and any '..' component
    # before calling os.path.join, which would otherwise discard 'base'.
    if path.startswith(('/', '\\')) or os.path.splitdrive(path)[0] or '..' in path:
        raise ValueError("Path traversal attempt")
    return os.path.join(base, path)
```
Analytics:
- CVSS Score: 9.8 (Critical)
- Exploitability: High (Public PoCs)
- Affected Systems: Python environments using old `setuptools`.
Reported By: github.com