Platform: python
Component: setuptools
Fixed in: 70.0.0
CVE-2024-6345 is a critical Command Injection vulnerability in the package_index module of setuptools, the Python packaging library. The flaw lets an attacker execute arbitrary commands on a system through the module's package download functions. It affects setuptools versions up to 69.1.1; the fix is available in version 70.0.0.
The vulnerability lies in the download functions of package_index, which retrieve packages from URLs. If an attacker controls the URL passed to these functions, whether through a malicious package index server or a crafted package URL, the URL's contents can be executed as shell commands during the download, because the URL is interpolated into a shell command string rather than passed as a plain argument. This is a remote code execution (RCE) risk: successful exploitation can lead to complete system compromise, data theft, or malware installation. The impact is particularly severe because setuptools is a core component of many Python projects and environments, so a wide range of systems can be affected.
CVE-2024-6345 was publicly disclosed on 2024-07-15. While no active exploitation campaigns have been publicly confirmed, the vulnerability's ease of exploitation and the widespread use of setuptools suggest a high probability of exploitation. The vulnerability is not currently listed on CISA KEV, but its severity warrants close monitoring. Public proof-of-concept exploits are likely to emerge, increasing the risk of widespread exploitation.
Exploit Status
EPSS: 7.34% (92nd percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-6345 is to upgrade setuptools to version 70.0.0 or later immediately. If upgrading is not immediately feasible because of compatibility issues or breaking changes, isolate vulnerable systems from external networks to prevent malicious package downloads. Enforce a strict URL allow-list for package sources so that packages are downloaded only from trusted locations. Review and audit your Python project dependencies to identify and remove any potentially malicious packages. After upgrading, confirm the fix by checking the installed version with `pip show setuptools` and by downloading a package from a known-safe source and verifying that no unexpected commands are executed.
Update setuptools to version 70.0 or later. You can do this with the pip package manager using the command `pip install --upgrade setuptools`. This fixes the remote code execution vulnerability.
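As an added example (not setuptools' own code nor part of this advisory), the following ties the vulnerable pattern described above to the mitigations in this paragraph: a version gate for the 70.0.0 fix, a strict URL allow-list, and the injection-prone command-string form shown beside the shell-free argv form. The function names, the metacharacter set and the allow-list host are assumptions of the example.

```python
"""Defender-side checks for CVE-2024-6345 in setuptools' package_index.
Added example, not setuptools' own code. The advisory describes download helpers
that splice an attacker-controlled URL into a shell command; the hardened shape
below passes the URL as one argv element with no shell, behind an allow-list."""
import re
import subprocess
from urllib.parse import urlsplit

FIXED_VERSION = (70, 0, 0)  # advisory: fixed in setuptools 70.0.0
# Characters a POSIX shell would interpret if the URL reached a command string.
SHELL_META = set(";|&$`<>()\\\"' \n\r")

def parse_version(text: str) -> tuple:
    """'69.1.1' -> (69, 1, 1); '70.0' -> (70, 0, 0); trailing tags are ignored."""
    nums = [int(p) for p in re.match(r"\d+(?:\.\d+)*", text).group(0).split(".")]
    return tuple(nums + [0] * (3 - len(nums)))[:3]

def is_vulnerable(installed: str) -> bool:
    """True when the installed setuptools predates the 70.0.0 fix."""
    return parse_version(installed) < FIXED_VERSION

def is_trusted_index_url(url: str, allowed_hosts: frozenset) -> bool:
    """Strict allow-list: https only, a known host, and no shell metacharacters."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname not in allowed_hosts:
        return False
    return not (SHELL_META & set(url))

def vulnerable_clone_command(url: str, dest: str) -> str:
    """The risky shape: one string a shell parses, so URL text becomes shell syntax.
    Shown only for contrast; never hand this to os.system or shell=True."""
    return "git clone --quiet %s %s" % (url, dest)

def hardened_clone_argv(url: str, dest: str) -> list:
    """The safe shape: an argv list with no shell; '--' ends option parsing so the
    URL cannot be read as a git flag either."""
    return ["git", "clone", "--quiet", "--", url, dest]

def safe_clone(url: str, dest: str, allowed_hosts: frozenset) -> subprocess.CompletedProcess:
    """Gate on the allow-list, then run without a shell (requires git on PATH)."""
    if not is_trusted_index_url(url, allowed_hosts):
        raise ValueError("refusing URL outside the allow-list: %r" % url)
    return subprocess.run(hardened_clone_argv(url, dest), check=True)
```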
CVE-2024-6345 is a Command Injection vulnerability in setuptools versions up to 69.1.1, allowing attackers to execute arbitrary commands during package downloads.
You are affected if you are using setuptools version 69.1.1 or earlier. Check your version with `pip show setuptools`.
Upgrade setuptools to version 70.0.0 or later with `pip install --upgrade setuptools==70.0.0`.
While no active exploitation campaigns have been confirmed, the vulnerability's severity and ease of exploitation suggest a high risk of future exploitation.
Refer to the pypa security advisory: https://security.snyk.io/vuln/SNYK-PYTHON-SETUPTOOLS-1043782