logo

Database

External control of file name or path In pipreqs

Description

pipreqs vulnerable to Dependency Confusion A dependency confusion in pipreqs v0.3.0 to v0.4.11 allows attackers to execute arbitrary code via uploading a crafted PyPI package to the chosen repository server.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2023-315432. NVD-2023-315433. OSV-2023-315434. GCVE-2023-31543

References

1. https://github.com/bndr/pipreqs/pull/3642. https://github.com/bndr/pipreqs/commit/3f5964fcb90ec6eb6df46d78e651a1b73538d0ba3. https://gist.github.com/adeadfed/ccc834440af354a5638f889bee34bafe4. https://github.com/bndr/pipreqs/blob/master/pipreqs/pipreqs.py#L447-L4495. https://github.com/pypa/advisory-database/tree/main/vulns/pipreqs/PYSEC-2023-99.yaml

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.