CVE-2024-6345: Remote Code Execution Vulnerability in PyPA/Setuptools Package_Index Module

As developers and systems administrators, it's important to keep up-to-date with the latest vulnerabilities and their fixes in the tools and libraries we use daily. Today, we're sharing information on a critical vulnerability in the Python Packaging Authority (PyPA)/Setuptools package_index module, which could allow an attacker to execute arbitrary code on your system remotely. The vulnerability, titled CVE-2024-6345, has been fixed in Setuptools version 70.. It is crucial to update your installations to the latest version to mitigate the risk of compromise.

Description of the Vulnerability

CVE-2024-6345 affects the package_index module of PyPA/Setuptools in all versions up to 69.1.1. The module is responsible for downloading packages from user-provided URLs or package index servers, such as the Python Package Index (PyPI). The download functions in the module are susceptible to code injection, which could lead to remote code execution if these functions are exposed to user-controlled inputs, such as package URLs.

Exploit Details

A malicious user can potentially exploit the vulnerability by supplying a crafted URL to the download function. The issue lies in the handling of the URL input, which allows arbitrary commands to be executed on the system. An example of a potentially vulnerable code snippet is provided below:

from setuptools.package_index import PackageIndex

# ... other code ...
url = "https://example.invalid/pkg-1.0.tar.gz"  # placeholder; the risk is a user-controlled value here
save_directory = "/tmp/downloads"               # placeholder

index = PackageIndex()
# download() fetches the URL (or resolves a requirement spec) into
# save_directory and returns the path of the fetched file.
filename = index.download(url, save_directory)

In the above code snippet, if the 'url' variable is influenced by user input, it could lead to a remote code execution vulnerability in affected versions.

References to the Original Announcements

The PyPA/Setuptools team has officially acknowledged the vulnerability and released a fixed version (70.) as per the following release notes:
- setuptools 70. release notes on GitHub
- Python Package Index (PyPI) - setuptools 70.

The vulnerability has also been assigned the identifier CVE-2024-6345 in the Common Vulnerabilities and Exposures (CVE) database:
- CVE-2024-6345 entry on CVE database

Recommended Actions

1. Update your PyPA/Setuptools installation to version 70. or later:

pip install --upgrade setuptools

2. Review your codebases and dependencies to ensure that you are not passing user-controlled inputs to the download functions in the package_index module. Apply input validation and sanitization if necessary.

3. Apply additional security best practices to minimize the risk of unauthorized access to your systems, such as network segmentation, strong access controls, and regular patching.
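The input validation recommended in step 2 and the version gate from step 1, as an added example that is not code from this advisory or from setuptools. The allow-listed hostnames are constructed for the example; the version threshold follows the advisory (versions up to 69.1.1 affected, fixed in the 70 line).

```python
"""Added example: defensive checks to run before a URL reaches the
setuptools package_index download functions, plus a version gate."""
import re
from typing import Tuple
from urllib.parse import urlparse

# Hostnames constructed for this example; adapt to your own index or mirror.
ALLOWED_HOSTS = {"pypi.org", "files.pythonhosted.org"}
# Characters with meaning to a shell; a package URL never needs them.
SHELL_META = re.compile(r"[;&|`$<>\s\\'\"(){}]")


def classify_download_url(url: str) -> Tuple[bool, str]:
    """Return (accepted, reason). Accept only plain HTTPS URLs on the
    allow-list, with no shell metacharacters and no embedded credentials."""
    if SHELL_META.search(url):
        return False, "shell metacharacter in URL"
    parts = urlparse(url)
    if parts.scheme != "https":
        # Also rejects every VCS-style scheme such as svn+ssh or git+https.
        return False, f"scheme not allowed: {parts.scheme or '<none>'}"
    if parts.username or parts.password:
        return False, "credentials embedded in URL"
    if parts.hostname not in ALLOWED_HOSTS:
        return False, f"host not on allow-list: {parts.hostname}"
    return True, "ok"


def setuptools_is_patched(version: str) -> bool:
    """True when the major version is 70 or later, the fixed line named in
    the advisory (all versions up to 69.1.1 are affected)."""
    m = re.match(r"(\d+)", version)
    return bool(m) and int(m.group(1)) >= 70
```

Feed `setuptools_is_patched()` the output of `importlib.metadata.version("setuptools")` to gate the check on the installed copy.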

In conclusion, CVE-2024-6345 is a critical vulnerability in the package_index module of PyPA/Setuptools versions up to 69.1.1 that can lead to remote code execution. By following the recommended actions and updating your installations to the latest version (70.), you can help protect your systems and codebases from potential compromise. Stay vigilant and keep your tools up to date to minimize risks to your infrastructure.

Timeline

Published on: 07/15/2024 01:15:01 UTC
Last modified on: 07/15/2024 13:00:34 UTC