Remote Code Execution via Download Functions in Package Index Module
A vulnerability in setuptools v69.1.1 allows remote code execution through its download functions in the package_index module. This issue was patched in version 70.0.
Available publicly on Jul 15 2024 | Available with Premium on Jun 26 2024
Remediation Steps
- Update setuptools to version 70.0 or later.
- Review and sanitize any user-controlled inputs, especially URLs, before processing them with setuptools.
- Regularly audit and update dependencies to ensure they are not vulnerable.
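The second step above, worked through as an added example (my own code, not setuptools' or the vendor's). It assumes a download function that hands a user-supplied URL to an external VCS client such as `git`; the scheme allowlist and the helper names are assumptions for illustration.

```python
import subprocess
from typing import List
from urllib.parse import urlparse

# Assumption (not from the advisory): the only transport this build host will fetch over.
ALLOWED_SCHEMES = {"https"}


def validate_download_url(url: str) -> str:
    """Return a normalized URL that is safe to hand to an external tool, or raise ValueError.

    Checks: no whitespace or control characters, an allowlisted scheme, a non-empty host.
    A leading 'git+' (pip/setuptools style) is stripped so the VCS client sees a plain URL.
    """
    if any(ch.isspace() or ord(ch) < 0x20 for ch in url):
        raise ValueError("whitespace or control characters are not allowed in a download URL")
    clean = url[4:] if url.lower().startswith("git+") else url
    parts = urlparse(clean)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        raise ValueError(f"scheme or host not allowed: {url!r}")
    return clean


def is_acceptable_url(url: str) -> bool:
    """Boolean wrapper around validate_download_url for callers that prefer not to catch."""
    try:
        validate_download_url(url)
        return True
    except ValueError:
        return False


def unsafe_shell_command(url: str, dest: str) -> str:
    """The pattern the remediation step warns about: the URL is spliced into a shell string,
    so any shell metacharacters it carries are interpreted by the shell, not by git."""
    return f"git clone --quiet {url} {dest}"


def git_clone_argv(url: str, dest: str) -> List[str]:
    """Hardened form: an argument vector (no shell), validated URL, and '--' so that
    nothing after it can be parsed by git as a command-line option."""
    return ["git", "clone", "--quiet", "--", validate_download_url(url), dest]


def download_git(url: str, dest: str) -> None:
    """Run the clone without a shell; the URL is always a single argv element."""
    subprocess.check_call(git_clone_argv(url, dest))
```

The constructed inputs in the test below stay offline; only `download_git` would actually invoke git.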
Patch Details
- Fixed Version: 70.0
- Patch Commit: https://github.com/pypa/setuptools/commit/88807c7062788254f654ea8c03427adc859321f0