PYSEC-2023-99

See a problem?

Import Source

https://github.com/pypa/advisory-database/blob/main/vulns/pipreqs/PYSEC-2023-99.yaml

JSON Data

https://api.osv.dev/v1/vulns/PYSEC-2023-99

Aliases

CVE-2023-31543
GHSA-v4f4-23wc-99mh

Published

2023-06-30T20:15:00Z

Modified

2023-11-08T04:12:30.987947Z

Summary

[none]

Details

A dependency confusion in pipreqs v0.3.0 to v0.4.11 allows attackers to execute arbitrary code via uploading a crafted PyPI package to the chosen repository server.

References

https://github.com/bndr/pipreqs/pull/364
https://gist.github.com/adeadfed/ccc834440af354a5638f889bee34bafe

Affected packages

PyPI / pipreqs

Package

Name: pipreqs; View open source insights on deps.dev
Purl: pkg:pypi/pipreqs

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0.3.0

Fixed

0.4.12

Affected versions

0.*

0.3.0

0.3.1

0.3.2

0.3.3

0.3.4

0.3.5

0.3.6

0.3.7

0.3.8

0.3.9

0.4.0

0.4.1

0.4.2

0.4.3

0.4.4

0.4.5

0.4.6

0.4.7

0.4.8

0.4.9

0.4.10

0.4.11

Database specific

source

"https://github.com/pypa/advisory-database/blob/main/vulns/pipreqs/PYSEC-2023-99.yaml"