Platform: python
Component: setuptools
Fixed in: 70.0.0
CVE-2024-6345 is a critical command injection vulnerability in the package_index module of setuptools, the Python packaging library. The flaw lets an attacker who controls a URL handled by that module's download functions execute arbitrary commands on the host. It affects every setuptools release earlier than 70.0.0 (the original advisory text cites versions up to 69.1.1, but the fix only landed in 70.0.0), and upgrading to 70.0.0 or later resolves it.
The vulnerability lies in setuptools' own downloader, setuptools.package_index (the code behind the legacy easy_install path and setup.py-driven dependency fetching), which retrieved some URLs by building a shell command string with the URL embedded in it. If an attacker controls a URL that reaches those functions, whether through a malicious or compromised package index server or a crafted package or dependency URL, shell metacharacters in the URL become additional commands that run with the privileges of the installing process. That is remote code execution (RCE): successful exploitation can lead to complete compromise of the build host, data theft, or malware installation. Two conditions bound the exposure: the URL has to reach package_index (an ordinary `pip install` uses pip's own downloader, not this module), and the attacker must be able to influence that URL. The impact is still broad because setuptools is present in most Python environments and build pipelines.
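The two patterns at issue, shown side by side as an added example (this is illustrative code written for this page, not setuptools' own package_index source): the vulnerable form interpolates the URL into a shell command line, the hardened form validates the URL and passes it as a single argv element with no shell involved. The fetch tool is stubbed as `echo` so the example runs offline with no side effects; the allowed-scheme set and the metacharacter list are assumptions to be tightened for a real deployment.

```python
import subprocess
from typing import List
from urllib.parse import urlsplit

# Constructed sample: a URL as an attacker might publish it in a package index
# or dependency link. The ';' terminates the intended command and starts another.
MALICIOUS_URL = "http://example.invalid/repo; echo INJECTED"
DEST = "/tmp/checkout-dest"

# Assumption: the real downloader would run svn/git here; 'echo' stands in so the
# example only prints what it would have executed.
FETCH_TOOL = "echo"

# Assumption: scheme allowlist for URLs that may reach the fetch tool at all.
ALLOWED_SCHEMES = {"http", "https", "svn", "svn+ssh"}
SHELL_META = ";|&$`<>()"


def fetch_unsafe(url: str, dest: str) -> List[str]:
    """Vulnerable pattern: the URL is spliced into a command string run by sh.

    Anything sh treats specially in `url` (; | && $(...) backticks, whitespace)
    is interpreted, so an attacker-controlled URL becomes extra commands.
    Returns the output lines so the split into two commands is visible.
    """
    cmd = "%s checkout -q %s %s" % (FETCH_TOOL, url, dest)
    out = subprocess.run(["sh", "-c", cmd], capture_output=True, text=True, check=True)
    return out.stdout.splitlines()


def run_argv(url: str, dest: str) -> List[str]:
    """Argument-list form: no shell, so the URL is one opaque argument.

    Even the malicious URL above yields a single command; the ';' is just data.
    """
    out = subprocess.run([FETCH_TOOL, "checkout", "-q", url, dest],
                         capture_output=True, text=True, check=True)
    return out.stdout.splitlines()


def validate_url(url: str) -> str:
    """Reject URLs outside the scheme allowlist or carrying shell metacharacters.

    Defence in depth on top of run_argv: the fetch tool itself may pass the URL
    on to another program, so we refuse suspicious input before it gets there.
    """
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError("scheme not allowed: %r" % parts.scheme)
    if not parts.netloc:
        raise ValueError("URL has no host component")
    if any(ch.isspace() or ch in SHELL_META for ch in url):
        raise ValueError("URL contains shell metacharacters or whitespace")
    return url


def fetch_safe(url: str, dest: str) -> List[str]:
    """Hardened pattern: validate, then execute via an argument list."""
    return run_argv(validate_url(url), dest)


def is_rejected(url: str) -> bool:
    """True when validate_url refuses the URL."""
    try:
        validate_url(url)
    except ValueError:
        return False or True
    return False


if __name__ == "__main__":
    print("shell string ->", fetch_unsafe(MALICIOUS_URL, DEST))
    print("argv list    ->", run_argv(MALICIOUS_URL, DEST))
    print("validated    ->", "rejected" if is_rejected(MALICIOUS_URL) else "accepted")
```

Running it shows the shell-string form producing two output lines (the second being the injected command's output) while the argv form produces one line containing the literal URL, and the validator refusing the URL outright. The behaviour-preserving fix is the argv list; the validator is the extra check a practitioner adds because download tools frequently spawn further processes.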
CVE-2024-6345 was publicly disclosed on 2024-07-15. No active exploitation campaigns have been publicly confirmed and the CVE is not listed in CISA KEV, but the low complexity of exploitation once an attacker can feed a URL to the vulnerable functions, together with the ubiquity of setuptools, makes exploitation attempts plausible (the EPSS score on this page, 7.34% at the 92nd percentile, reflects that). Public proof-of-concept code, once it appears, would raise the risk further, so the issue warrants close monitoring.
Python developers and system administrators who use setuptools to build or install projects are at risk. This includes individuals and organizations running setuptools earlier than 70.0.0 in development and deployment pipelines, particularly those that fetch packages from untrusted indexes or dependency URLs. Shared hosting environments where multiple users share one Python installation are also at increased risk, since a single vulnerable copy serves everyone.
• python / package-manager: print the installed version from Python:

import setuptools
print(setuptools.__version__)

• python / package-manager: Check for setuptools versions earlier than 70.0.0 using `pip show setuptools` (repeat in every virtualenv and container image, each has its own copy).
• python / supply-chain: Monitor Python package installations for unexpected dependencies or modifications to the site-packages directory.
• python / system: Review system logs for suspicious command execution spawned by package downloads (child processes of the interpreter running setup.py or easy_install).
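A checker that turns the steps above into one script, as an added example written for this page (not a tool from the setuptools project): it compares a version string against the 70.0.0 fix threshold, reports the setuptools installed in the current interpreter, and scans requirements or constraints text for pins that keep setuptools below the fix. The sample requirements text is constructed for the example; the pre-release handling (treating 70.0.0rc1 as fixed) is an assumption.

```python
import re
from typing import List, Optional, Tuple

# First setuptools release containing the fix for CVE-2024-6345.
FIXED_VERSION = (70, 0, 0)

# Matches 'setuptools' followed by a pin operator and a version; '>=' lines are
# deliberately not matched because they allow the fixed release.
PIN_RE = re.compile(r"^\s*setuptools\s*(===|==|<=|<|~=)\s*([0-9][0-9A-Za-z.]*)", re.I)

# Constructed sample input (not from a real project); lines as they might appear
# across requirements.txt / constraints.txt files.
SAMPLE_REQUIREMENTS = """\
requests==2.31.0
setuptools==69.1.1          # exact pin below the fix
setuptools<70               # upper bound that excludes the fix
Setuptools>=70.0.0          # allows the fixed release
wheel==0.43.0
"""


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '69.1.1', '70.0' or '70.0.0rc1' into a comparable tuple of ints.

    Only the numeric release segment is compared and it is padded to three
    parts, so '70.0' equals '70.0.0'. Assumption: a pre-release of 70.0.0
    counts as fixed; use packaging.version for full PEP 440 semantics.
    """
    m = re.match(r"\s*v?(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError("not a version string: %r" % text)
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * max(0, 3 - len(parts))


def is_vulnerable(version: str) -> bool:
    """True for any setuptools release earlier than 70.0.0."""
    return parse_version(version) < FIXED_VERSION


def installed_setuptools_version() -> Optional[str]:
    """Version of setuptools visible to this interpreter, or None if absent."""
    try:
        from importlib.metadata import version
        return version("setuptools")
    except Exception:  # PackageNotFoundError, or Python without importlib.metadata
        return None


def vulnerable_pins(requirements_text: str) -> List[str]:
    """Return requirement lines that pin setuptools to a version below the fix.

    '==' and '<=' flag when the pinned version is vulnerable; '<' flags when the
    bound is at or below 70.0.0 (e.g. '<70' leaves 69.x as the newest option);
    '~=' flags when its lower bound is vulnerable, since '~=69.1' means ==69.*.
    Comments are stripped before matching.
    """
    hits = []
    for raw in requirements_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = PIN_RE.match(line)
        if not m:
            continue
        op, ver = m.groups()
        if op == "<":
            flagged = parse_version(ver) <= FIXED_VERSION
        else:
            flagged = is_vulnerable(ver)
        if flagged:
            hits.append(line)
    return hits


if __name__ == "__main__":
    v = installed_setuptools_version()
    if v is None:
        print("setuptools not installed in this interpreter")
    else:
        print("installed setuptools %s: %s" % (v, "VULNERABLE" if is_vulnerable(v) else "fixed"))
    for line in vulnerable_pins(SAMPLE_REQUIREMENTS):
        print("pinned below fix:", line)
```

Run it inside each virtualenv and CI image, not just on the host interpreter, and feed it your requirements and constraints files; a `>=` pin that also appears in a lock file as an exact older version is caught by the exact-pin rule when the lock file is scanned.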
Disclosure
Exploit status
EPSS: 7.34% (92nd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-6345 is to upgrade setuptools to version 70.0.0 or later in every environment that carries it: each virtualenv, container image and CI runner has its own copy, and pip's build isolation installs a separate one per build, so also pin `setuptools>=70.0.0` in the `[build-system] requires` list of pyproject.toml. If upgrading is not immediately feasible because of compatibility concerns, isolate vulnerable build hosts from untrusted networks, restrict package sources to an allowlisted, trusted index (for example a private mirror selected with pip's `--index-url`), and do not pass URLs taken from untrusted metadata to setuptools' download functions. Audit project dependencies for unexpected packages or dependency links. After upgrading, confirm the fix by checking the reported version (`pip show setuptools`, or `python -c "import setuptools; print(setuptools.__version__)"`) in each environment; a successful test download proves nothing about command injection and is not a verification.
Update setuptools to version 70.0.0 or later. You can do this with the pip package manager using `pip install --upgrade setuptools`. This resolves the remote code execution vulnerability.
CVE-2024-6345 is a command injection vulnerability in setuptools versions earlier than 70.0.0 that allows attackers to execute arbitrary commands during package downloads performed by the package_index module.
You are affected if you use any setuptools version earlier than 70.0.0. Check your version with `pip show setuptools`.
Upgrade setuptools to version 70.0.0 or later with `pip install --upgrade 'setuptools>=70.0.0'`.
While no active exploitation campaigns have been confirmed, the severity of the vulnerability and the low complexity of exploitation once an attacker controls a download URL suggest a high risk of future exploitation.
Refer to the Snyk advisory: https://security.snyk.io/vuln/SNYK-PYTHON-SETUPTOOLS-1043782