Severity: High

Package: setuptools

Remote Code Execution via Download Functions in Package Index Module

A vulnerability in setuptools v69.1.1 allows remote code execution through its download functions in the package_index module. This issue was patched in version 70.0.

Available publicly on Jul 15 2024

CVSS base score: 8.8

CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Credit: williwollo

Threat Overview

The vulnerability in setuptools arises from the download functions in the package_index module, which are susceptible to code injection. These functions can be exploited when user-controlled inputs, such as package URLs, are processed. This can lead to remote code execution (RCE), allowing attackers to execute arbitrary commands on the affected system. The vulnerability is particularly dangerous because setuptools is widely used in various Python projects, and its functions can be imported into numerous other projects, increasing the attack surface.

Attack Scenario

An attacker could exploit this vulnerability by crafting a malicious URL containing injected code and tricking a user or an automated system into using this URL in a setuptools-based project. For example, an attacker could host a malicious package on a custom package index server and provide a URL that, when processed by setuptools, executes arbitrary commands on the victim's system. This could lead to full system compromise.

Who is affected

Developers and systems using setuptools v69.1.1 for packaging, distributing, or installing Python projects are affected. This includes any projects that import and use the vulnerable download functions from the package_index module.
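The advisory's root cause is a package URL that reaches a download function as attacker-controlled text. As an added example (not code from setuptools or from this advisory), the wrapper below shows the two defensive controls a project that calls such download functions can apply on its own side: reject any URL carrying whitespace or shell metacharacters before it is used, and build the VCS invocation as an argument list rather than a command string. It also gates on the patched release the page names (70.0). The scheme allowlist, the metacharacter set and the git argument layout are assumptions of this example, not the project's own policy.

```python
import re
from urllib.parse import urlsplit

# Constructed policy for this example (not from setuptools or the advisory): only
# these URL schemes may be fetched, and 70.0 is the patched release the page names.
ALLOWED_SCHEMES = {"https", "git+https"}
PATCHED_SETUPTOOLS = (70, 0)
# Whitespace and shell metacharacters never belong in a package or VCS URL; a shell
# would act on them if such a URL were ever interpolated into a command string.
_SHELL_META = re.compile(r"[\s;&|`$(){}<>\\\"'!*]")


def setuptools_is_patched(version: str) -> bool:
    """True when a setuptools version string is at or above the patched 70.0 release."""
    parts = []
    for piece in version.split(".")[:2]:
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple((parts + [0, 0])[:2]) >= PATCHED_SETUPTOOLS


def validate_package_url(url: str) -> str:
    """Return the URL unchanged if it is safe to hand to a VCS client, else raise ValueError."""
    if _SHELL_META.search(url):
        raise ValueError("URL contains whitespace or shell metacharacters")
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES or not parts.netloc:
        raise ValueError("scheme not allowed or host missing")
    if parts.netloc.startswith("-"):
        raise ValueError("host must not look like a command-line option")
    return url


def is_safe_package_url(url: str) -> bool:
    try:
        validate_package_url(url)
        return True
    except ValueError:
        return False


def build_clone_argv(url: str, dest: str) -> list:
    """git argument list for subprocess.run(argv); a list, never a shell string, is the fix."""
    clean = validate_package_url(url)
    if clean.startswith("git+"):
        clean = clean[len("git+"):]
    # '--' stops git from parsing the URL or the destination as options.
    return ["git", "clone", "-q", "--", clean, dest]
```

Run the version gate against `importlib.metadata.version("setuptools")` at build start and abort when it returns False; the URL check belongs in front of every fetch that a user-supplied index or URL can influence.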
