CVE-2024-6345

Name
CVE-2024-6345
Description
A vulnerability in the package_index module of pypa/setuptools in versions before 70.0 (the report was made against 69.1.1) allows remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to command injection: the VCS checkout helpers (git, svn and hg) interpolate the URL into a shell command string and run it with os.system, so shell metacharacters in the URL are executed as further commands. If these functions are exposed to user-controlled inputs, such as package URLs, an attacker can execute arbitrary commands on the system. The issue is fixed in version 70.0; the referenced commit replaces the os.system calls with subprocess calls that pass the URL as a single argument, so the shell never parses it.
NVD Severity
high
Other trackers
Mailing lists
Exploits
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
https://huntr.com/bounties/d6362117-ad57-4e83-951f-b8141c6e7ca5
https://github.com/pypa/setuptools/commit/88807c7062788254f654ea8c03427adc859321f0

Match rules

CPE URI Source package Min version Max version
pypa/setuptools >= unspecified < 70.0

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
py3-setuptools 3.18-main 70.3.0-r0 psykose <alice@ayaya.dev> fixed
py3-setuptools 3.17-main 70.3.0-r0 psykose <alice@ayaya.dev> fixed
py3-setuptools 3.19-main 70.3.0-r0 Peter Shkenev <santurysim@gmail.com> fixed
py3-setuptools 3.20-main 70.3.0-r0 Peter Shkenev <santurysim@gmail.com> fixed
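
Worked example (added here; this is illustrative code, not setuptools' own and not the referenced commit). It reproduces the vulnerable shape described above, a URL interpolated into a shell string and handed to the shell, beside the argv-list form the fix uses; adds an AST scan that flags dynamically built shell commands in a constructed source sample; and applies the < 70.0 match rule to version strings such as the 70.3.0 shipped in Alpine. The VCS executable is replaced by "echo" so the injected command only prints, and the vulnerable path assumes a POSIX /bin/sh. MALICIOUS_URL, DEST and SAMPLE_SOURCE are constructed inputs.

```python
"""Added example for CVE-2024-6345 (not setuptools' own code).

Shows the vulnerable pattern (a URL interpolated into a shell string run by
os.system), the argv-list fix, an AST scan that flags the pattern in source,
and a version check against the < 70.0 match rule.  The VCS executable is
replaced by "echo" so the injected command only prints.  The vulnerable path
assumes a POSIX shell (/bin/sh).
"""
import ast
import subprocess

# Constructed attacker-controlled URL.  The ';' terminates the intended command
# and starts a second one; a real payload would run something besides echo.
MALICIOUS_URL = "https://example.com/repo.git;echo INJECTED"
DEST = "out.git"


def clone_vulnerable(tool, url, dest):
    """Pre-70.0 pattern: build one string and hand it to the shell.
    shell=True behaves like os.system() but lets us capture stdout.
    Every shell metacharacter in `url` is interpreted."""
    cmd = "%s clone --quiet %s %s" % (tool, url, dest)
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout


def clone_fixed(tool, url, dest):
    """70.0 pattern: an argv list, so no shell parses `url`; the whole URL,
    metacharacters included, reaches the tool as a single literal argument."""
    proc = subprocess.run([tool, "clone", "--quiet", url, dest],
                          capture_output=True, text=True, check=True)
    return proc.stdout


def _is_shell_call(call):
    """True for os.system(...) and subprocess.<fn>(..., shell=True)."""
    f = call.func
    if not (isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name)):
        return False
    if f.value.id == "os" and f.attr == "system":
        return True
    if f.value.id == "subprocess":
        return any(kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                   and kw.value.value is True for kw in call.keywords)
    return False


def find_shell_string_building(source):
    """Line numbers of shell calls whose command is assembled at runtime
    (%-format, .format() or f-string): the shape of the vulnerable code."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and node.args and _is_shell_call(node)):
            continue
        arg = node.args[0]
        dynamic = (
            isinstance(arg, ast.JoinedStr)
            or (isinstance(arg, ast.BinOp) and isinstance(arg.op, ast.Mod))
            or (isinstance(arg, ast.Call) and isinstance(arg.func, ast.Attribute)
                and arg.func.attr == "format")
        )
        if dynamic:
            hits.append(node.lineno)
    return hits


# Constructed sample modelled on the vulnerable shape; not copied from setuptools.
SAMPLE_SOURCE = '''\
import os, subprocess

def _download_git(self, url, filename):
    filename = filename + ".git"
    os.system("git clone --quiet %s %s" % (url, filename))
    subprocess.check_call(["git", "clone", "--quiet", url, filename])
    subprocess.run(f"hg clone {url} {filename}", shell=True)
'''


def is_affected(version):
    """Apply the match rule (< 70.0) to a plain numeric release version."""
    parts = tuple(int(p) for p in version.split("."))
    return parts < (70, 0)


if __name__ == "__main__":
    print(clone_vulnerable("echo", MALICIOUS_URL, DEST), end="")
    print(clone_fixed("echo", MALICIOUS_URL, DEST), end="")
    print("dynamic shell commands at lines:",
          find_shell_string_building(SAMPLE_SOURCE))
    for v in ("69.1.1", "69.5.1", "70.0.0", "70.3.0"):
        print(v, "affected" if is_affected(v) else "fixed")
```

With the echo stand-in, the vulnerable path prints two lines (the second produced by the injected command), while the fixed path prints one line in which ";echo INJECTED" survives only as text inside the URL argument. The AST scan reports the os.system line and the f-string shell=True line, and not the argv-list check_call between them; it is a heuristic for triage, not a proof of absence.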