CVE-2024-6345: setuptools vulnerable to Command Injection via package URL

CVSS Score: 8.8 (CVSS 3.1)

Basic Information

EPSS Score: 0.45487%
Published: 7/15/2024
Updated: 8/4/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Package Name: setuptools
Ecosystem: pip
Vulnerable Versions: < 70.0.0
First Patched Version: 70.0.0

Vulnerability Intelligence
Root Cause Analysis (Miggo AI)

The vulnerability was a command injection in the package_index module of setuptools, specifically in its download functions for VCS repositories. The fix commit 88807c7062788254f654ea8c03427adc859321f0 shows that the methods _download_git and _download_hg of the PackageIndex class handled git and hg repository URLs respectively. Both built shell command strings by string formatting and ran them with os.system, splicing parts of the user-supplied URL (the repository URL itself and the revision identifier) directly into the command line, so any shell metacharacter in the URL (for example a semicolon or a $(...) substitution) was interpreted by the shell. This is the classic command injection pattern. The patch removed these two methods and moved VCS handling into a new _download_vcs method that invokes the VCS tool through subprocess.check_call with a list of arguments; with no shell involved, each argument reaches the executable verbatim and cannot start a second command. The caller _download_url was updated as part of the same refactoring. The vulnerable functions were therefore _download_git and _download_hg, through their direct use of os.system with unsanitized URL-derived input.
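The two call styles side by side, as an added example that is not setuptools' own code: a simplified re-creation of the pre-70.0.0 os.system pattern next to the argv-list pattern of the fix. The echo binary stands in for git so the demo runs offline (echo prints exactly the argument vector it receives, which is what we want to observe), split_vcs_url is a stand-in for the real URL parsing, the two injected URLs are constructed inputs, and the leading-dash check in safe_download is an extra guard of this example rather than part of the setuptools patch.

```python
import subprocess

# Constructed attacker-controlled inputs (not from the advisory). The ';' turns the
# rest of the string into a second shell command when it is interpolated into a
# shell command line; it is harmless when passed as a single argv element.
URL_INJECTION = "git+https://example.org/repo.git;echo INJECTED"
REV_INJECTION = "git+https://example.org/repo.git@main;echo INJECTED"

# Stand-in for the real git/hg binary so the demo runs offline: echo just prints
# the arguments it receives, which is exactly what we want to inspect.
VCS_BIN = "echo"


def split_vcs_url(url):
    """Simplified stand-in for setuptools' URL parsing (an assumption, not its code):
    drop the 'git+'/'hg+' scheme prefix and any '#fragment', then split off '@rev'."""
    if "+" in url.split("://", 1)[0]:
        url = url.split("+", 1)[1]
    url = url.split("#", 1)[0]
    base, sep, rev = url.rpartition("@")
    return (base, rev) if sep else (url, None)


def _run_shell(cmdline):
    # Same parse os.system() gets: /bin/sh -c "<cmdline>". Output is captured
    # here only so the result can be inspected programmatically.
    proc = subprocess.run(cmdline, shell=True, capture_output=True, text=True)
    return proc.stdout.splitlines()


def _run_argv(argv):
    # Same calling convention as subprocess.check_call(list): no shell involved,
    # every element of the list becomes one argv entry of the child process.
    proc = subprocess.run(argv, capture_output=True, text=True, check=True)
    return proc.stdout.splitlines()


def vulnerable_download(url, dest):
    """Pre-70.0.0 pattern (re-created): shell command built by string formatting."""
    clean, rev = split_vcs_url(url)
    out = _run_shell("%s clone --quiet %s %s" % (VCS_BIN, clean, dest))
    if rev is not None:
        out += _run_shell("%s -C %s checkout --quiet %s" % (VCS_BIN, dest, rev))
    return out


def safe_download(url, dest):
    """70.0.0 pattern (re-created): argument list, no shell.

    The leading-dash check is an extra guard of this example, not part of the
    setuptools patch: an argv list stops shell injection but not argument
    injection, e.g. a URL that reads '--upload-pack=<cmd>' to git clone."""
    clean, rev = split_vcs_url(url)
    if clean.startswith("-") or (rev is not None and rev.startswith("-")):
        raise ValueError("refusing VCS URL/revision that looks like an option: %r" % url)
    out = _run_argv([VCS_BIN, "clone", "--quiet", clean, dest])
    if rev is not None:
        out += _run_argv([VCS_BIN, "-C", dest, "checkout", "--quiet", rev])
    return out


def injected(lines):
    """True if the attacker's second command actually ran (it prints a line of its own)."""
    return any(line.startswith("INJECTED") for line in lines)


if __name__ == "__main__":
    for url in (URL_INJECTION, REV_INJECTION):
        print(url)
        print("  os.system style  injected:", injected(vulnerable_download(url, "dest")))
        print("  argv-list style  injected:", injected(safe_download(url, "dest")))
```

With the shell in the loop, the text after the semicolon runs as its own command in both the clone step and the checkout step; with the argument list, the whole string (semicolon included) arrives at the tool as one argument and is merely printed back. The argv form is the fix for this CVE, but it does not make URL-derived arguments safe in general: a value that begins with a dash is still parsed as an option by the VCS tool, which is why the example refuses such inputs before calling the tool.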

WAF Protection Rules

WAF Rule

A vulnerability in the `package_index` module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from pac
