BIT-setuptools-2024-6345
Remote Code Execution vulnerability in setuptools (PyPI)
What is BIT-setuptools-2024-6345 About?
This vulnerability in pypa/setuptools' `package_index` module allows for remote code execution through its download functions. If user-controlled inputs, such as package URLs, are processed by these functions, arbitrary commands can be executed on the system. Exploitation is relatively easy if an attacker can inject malicious URLs, leading to severe system compromise.
Affected Software
Technical Details
The package_index module in pypa/setuptools up to version 69.1.1 contains download functions that are used to fetch packages from URLs provided by users or retrieved from package index servers. The core vulnerability lies in the improper handling of these URLs, making them susceptible to code injection. When these functions process a maliciously crafted URL, they fail to adequately sanitize or validate the input, allowing an attacker to embed and execute arbitrary system commands. This mechanism transforms a seemingly innocuous package download operation into a remote code execution vector, as the injected code is run with the privileges of the process executing the setuptools functions.
What is the Impact of BIT-setuptools-2024-6345?
Successful exploitation may allow attackers to execute arbitrary code on the affected system, achieve full system compromise, steal sensitive data, install malware, or disrupt system operations.
What is the Exploitability of BIT-setuptools-2024-6345?
Exploitation of this vulnerability requires the presence of an application that uses the vulnerable package_index module and exposes its download functions to user-controlled inputs, typically package URLs. The complexity is moderate, requiring an attacker to craft a malicious URL containing the code to be executed. No specific authentication is required at the point of URL processing, and the attack can be launched remotely. The primary prerequisite is the ability to inject the malicious URL into a context where it will be processed by the vulnerable component. Risk factors include applications that allow users to specify package sources or custom URLs for package installations.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for BIT-setuptools-2024-6345?
Available Upgrade Options
- setuptools
- <70.0.0 → Upgrade to 70.0.0
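The two mitigations the page describes are upgrading to 70.0.0 and keeping user-controlled URLs away from the vulnerable download functions. As an added example (not from this advisory or the setuptools project), the Python below implements both as defensive checks an application can run before it hands a package URL to any download code; the `ALLOWED_HOSTS` set and the helper names are assumptions.

```python
import re
from typing import Optional, Tuple
from urllib.parse import urlsplit

# First setuptools release carrying the fix, per the advisory ("<70.0.0 -> upgrade to 70.0.0").
FIXED_VERSION: Tuple[int, int, int] = (70, 0, 0)

# Characters that have no place in a package URL; anything carrying them is rejected outright.
SUSPICIOUS_CHARS = re.compile(r"[\s;&|`$<>(){}\[\]'\"\\]")

# Assumption: the only hosts this deployment is willing to download packages from.
ALLOWED_HOSTS = frozenset({"files.pythonhosted.org", "pypi.org"})

def parse_release(version: str) -> Tuple[int, int, int]:
    """Reduce '69.1.1' or '70.0.0rc1' to its numeric release triple (pre-release tags ignored)."""
    numbers = []
    for piece in version.strip().split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        numbers.append(int(match.group()))
    numbers += [0] * (3 - len(numbers))  # an unparsable version becomes (0, 0, 0): treated as vulnerable
    return (numbers[0], numbers[1], numbers[2])

def setuptools_is_vulnerable(version: str) -> bool:
    """True when the given setuptools version predates the fixed release."""
    return parse_release(version) < FIXED_VERSION

def installed_setuptools_is_vulnerable() -> Optional[bool]:
    """Check the setuptools installed in this interpreter; None if it is not installed."""
    try:
        from importlib.metadata import PackageNotFoundError, version
        return setuptools_is_vulnerable(version("setuptools"))
    except PackageNotFoundError:
        return None

def is_safe_package_url(url: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Allowlist gate for user-supplied package URLs: https only, no credentials, known host."""
    if not isinstance(url, str) or len(url) > 2048 or SUSPICIOUS_CHARS.search(url):
        return False
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. a malformed IPv6 literal in the netloc
        return False
    if parts.scheme != "https" or parts.username or parts.password:
        return False
    host = (parts.hostname or "").lower()
    return host in allowed_hosts
```

Run `installed_setuptools_is_vulnerable()` in a deployment's health check, and apply `is_safe_package_url` to every externally supplied package source before it reaches any install or download path.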
Additional Resources
- https://github.com/pypa/setuptools/commit/88807c7062788254f654ea8c03427adc859321f0
- https://github.com/pypa/setuptools
- https://huntr.com/bounties/d6362117-ad57-4e83-951f-b8141c6e7ca5
- https://github.com/pypa/setuptools/pull/4332
- https://nvd.nist.gov/vuln/detail/CVE-2024-6345
- https://osv.dev/vulnerability/GHSA-cx63-2mw6-8hw5
What are Similar Vulnerabilities to BIT-setuptools-2024-6345?
Similar Vulnerabilities: CVE-2023-49089, CVE-2023-38833, CVE-2023-50346, CVE-2024-21444, CVE-2024-28243
