{"id":"ALPINE-CVE-2024-6345","details":"A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to code injection. If these functions are exposed to user-controlled inputs, such as package URLs, they can execute arbitrary commands on the system. The issue is fixed in version 70.0.","modified":"2026-03-09T01:25:56.192577Z","published":"2024-07-15T01:15:01.730Z","upstream":["CVE-2024-6345"],"references":[{"type":"ADVISORY","url":"https://security.alpinelinux.org/vuln/CVE-2024-6345"}],"affected":[{"package":{"name":"py3-setuptools","ecosystem":"Alpine:v3.17","purl":"pkg:apk/alpine/py3-setuptools?arch=source"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"70.3.0-r0"}]}],"versions":["45.2.0-r0","45.2.0-r1","45.3.0-r0","46.0.0-r0","46.1.1-r0","46.1.2-r0","46.1.3-r0","46.2.0-r0","46.3.0-r0","46.3.1-r0","46.4.0-r0","47.0.0-r0","47.1.1-r0","47.2.0-r0","47.3.0-r0","47.3.1-r0","47.3.2-r0","49.2.0-r0","49.2.1-r0","49.3.0-r0","49.3.1-r0","49.6.0-r0","50.0.0-r0","50.0.1-r0","50.0.3-r0","50.1.0-r0","50.2.0-r0","50.3.0-r0","50.3.1-r0","50.3.2-r0","51.0.0-r0","51.3.3-r0","52.0.0-r0","52.0.0-r1","52.0.0-r2","52.0.0-r3","52.0.0-r4","52.0.0-r5","54.2.0-r0","54.2.0-r1","56.0.0-r0","59.4.0-r0","65.0.0-r0","65.0.1-r0","65.0.2-r0","65.1.0-r0","65.1.1-r0","65.2.0-r0","65.3.0-r0","65.4.0-r0","65.4.1-r0","65.5.0-r0","65.5.1-r0","65.6.0-r0"],"ecosystem_specific":{},"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/alpine/ALPINE-CVE-2024-6345.json"}},{"package":{"name":"py3-setuptools","ecosystem":"Alpine:v3.18","purl":"pkg:apk/alpine/py3-setuptools?arch=source"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"70.3.0-r0"}]}],"versions":["45.2.0-r0","45.2.0-r1","45.3.0-r0","46.0.0-r0","46.1.1-r0","46.1.2-r0","46.1.3-r0","46.2.0-r0","46.3.0-r0","46.3.1-r0","46.4.0-r0","47.0.0-r0","47.1.1-r0","47.2.0-r0","47.3.0-r0","47.3.1-r0","47.3.2-r0","49.2.0-r0","49.2.1-r0","49.3.0-r0","49.3.1-r0","49.6.0-r0","50.0.0-r0","50.0.1-r0","50.0.3-r0","50.1.0-r0","50.2.0-r0","50.3.0-r0","50.3.1-r0","50.3.2-r0","51.0.0-r0","51.3.3-r0","52.0.0-r0","52.0.0-r1","52.0.0-r2","52.0.0-r3","52.0.0-r4","52.0.0-r5","54.2.0-r0","54.2.0-r1","56.0.0-r0","59.4.0-r0","65.0.0-r0","65.0.1-r0","65.0.2-r0","65.1.0-r0","65.1.1-r0","65.2.0-r0","65.3.0-r0","65.4.0-r0","65.4.1-r0","65.5.0-r0","65.5.1-r0","65.6.0-r0","65.6.0-r1","65.6.2-r0","65.6.3-r0","65.7.0-r0","66.0.0-r0","66.1.0-r0","66.1.1-r0","67.0.0-r0","67.1.0-r0","67.2.0-r0","67.3.1-r0","67.3.2-r0","67.3.3-r0","67.4.0-r0","67.4.0-r1","67.5.0-r0","67.5.1-r0","67.6.0-r0","67.6.1-r0","67.6.1-r1","67.7.0-r0","67.7.1-r0","67.7.2-r0"],"ecosystem_specific":{},"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/alpine/ALPINE-CVE-2024-6345.json"}},{"package":{"name":"py3-setuptools","ecosystem":"Alpine:v3.19","purl":"pkg:apk/alpine/py3-setuptools?arch=source"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"70.3.0-r0"}]}],"versions":["45.2.0-r0","45.2.0-r1","45.3.0-r0","46.0.0-r0","46.1.1-r0","46.1.2-r0","46.1.3-r0","46.2.0-r0","46.3.0-r0","46.3.1-r0","46.4.0-r0","47.0.0-r0","47.1.1-r0","47.2.0-r0","47.3.0-r0","47.3.1-r0","47.3.2-r0","49.2.0-r0","49.2.1-r0","49.3.0-r0","49.3.1-r0","49.6.0-r0","50.0.0-r0","50.0.1-r0","50.0.3-r0","50.1.0-r0","50.2.0-r0","50.3.0-r0","50.3.1-r0","50.3.2-r0","51.0.0-r0","51.3.3-r0","52.0.0-r0","52.0.0-r1","52.0.0-r2","52.0.0-r3","52.0.0-r4","52.0.0-r5","54.2.0-r0","54.2.0-r1","56.0.0-r0","59.4.0-r0","65.0.0-r0","65.0.1-r0","65.0.2-r0","65.1.0-r0","65.1.1-r0","65.2.0-r0","65.3.0-r0","65.4.0-r0","65.4.1-r0","65.5.0-r0","65.5.1-r0","65.6.0-r0","65.6.0-r1","65.6.2-r0","65.6.3-r0","65.7.0-r0","66.0.0-r0","66.1.0-r0","66.1.1-r0","67.0.0-r0","67.1.0-r0","67.2.0-r0","67.3.1-r0","67.3.2-r0","67.3.3-r0","67.4.0-r0","67.4.0-r1","67.5.0-r0","67.5.1-r0","67.6.0-r0","67.6.1-r0","67.6.1-r1","67.7.0-r0","67.7.1-r0","67.7.2-r0","67.8.0-r0","68.0.0-r0","68.0.0-r1","68.0.0-r2","68.1.2-r0","68.2.0-r0","68.2.1-r0","68.2.2-r0"],"ecosystem_specific":{},"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/alpine/ALPINE-CVE-2024-6345.json"}},{"package":{"name":"py3-setuptools","ecosystem":"Alpine:v3.20","purl":"pkg:apk/alpine/py3-setuptools?arch=source"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"70.3.0-r0"}]}],"versions":["45.2.0-r0","45.2.0-r1","45.3.0-r0","46.0.0-r0","46.1.1-r0","46.1.2-r0","46.1.3-r0","46.2.0-r0","46.3.0-r0","46.3.1-r0","46.4.0-r0","47.0.0-r0","47.1.1-r0","47.2.0-r0","47.3.0-r0","47.3.1-r0","47.3.2-r0","49.2.0-r0","49.2.1-r0","49.3.0-r0","49.3.1-r0","49.6.0-r0","50.0.0-r0","50.0.1-r0","50.0.3-r0","50.1.0-r0","50.2.0-r0","50.3.0-r0","50.3.1-r0","50.3.2-r0","51.0.0-r0","51.3.3-r0","52.0.0-r0","52.0.0-r1","52.0.0-r2","52.0.0-r3","52.0.0-r4","52.0.0-r5","54.2.0-r0","54.2.0-r1","56.0.0-r0","59.4.0-r0","65.0.0-r0","65.0.1-r0","65.0.2-r0","65.1.0-r0","65.1.1-r0","65.2.0-r0","65.3.0-r0","65.4.0-r0","65.4.1-r0","65.5.0-r0","65.5.1-r0","65.6.0-r0","65.6.0-r1","65.6.2-r0","65.6.3-r0","65.7.0-r0","66.0.0-r0","66.1.0-r0","66.1.1-r0","67.0.0-r0","67.1.0-r0","67.2.0-r0","67.3.1-r0","67.3.2-r0","67.3.3-r0","67.4.0-r0","67.4.0-r1","67.5.0-r0","67.5.1-r0","67.6.0-r0","67.6.1-r0","67.6.1-r1","67.7.0-r0","67.7.1-r0","67.7.2-r0","67.8.0-r0","68.0.0-r0","68.0.0-r1","68.0.0-r2","68.1.2-r0","68.2.0-r0","68.2.1-r0","68.2.2-r0","69.0.3-r0","69.1.0-r0","69.1.1-r0","69.2.0-r0","69.2.0-r1","69.2.0-r2","69.5.1-r0"],"ecosystem_specific":{},"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/alpine/ALPINE-CVE-2024-6345.json"}},{"package":{"name":"py3-setuptools","ecosystem":"Alpine:v3.21","purl":"pkg:apk/alpine/py3-setuptools?arch=source"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"70.3.0-r0"}]}],"versions":["45.2.0-r0","45.2.0-r1","45.3.0-r0","46.0.0-r0","46.1.1-r0","46.1.2-r0","46.1.3-r0","46.2.0-r0","46.3.0-r0","46.3.1-r0","46.4.0-r0","47.0.0-r0","47.1.1-r0","47.2.0-r0","47.3.0-r0","47.3.1-r0","47.3.2-r0","49.2.0-r0","49.2.1-r0","49.3.0-r0","49.3.1-r0","49.6.0-r0","50.0.0-r0","50.0.1-r0","50.0.3-r0","50.1.0-r0","50.2.0-r0","50.3.0-r0","50.3.1-r0","50.3.2-r0","51.0.0-r0","51.3.3-r0","52.0.0-r0","52.0.0-r1","52.0.0-r2","52.0.0-r3","52.0.0-r4","52.0.0-r5","54.2.0-r0","54.2.0-r1","56.0.0-r0","59.4.0-r0","65.0.0-r0","65.0.1-r0","65.0.2-r0","65.1.0-r0","65.1.1-r0","65.2.0-r0","65.3.0-r0","65.4.0-r0","65.4.1-r0","65.5.0-r0","65.5.1-r0","65.6.0-r0","65.6.0-r1","65.6.2-r0","65.6.3-r0","65.7.0-r0","66.0.0-r0","66.1.0-r0","66.1.1-r0","67.0.0-r0","67.1.0-r0","67.2.0-r0","67.3.1-r0","67.3.2-r0","67.3.3-r0","67.4.0-r0","67.4.0-r1","67.5.0-r0","67.5.1-r0","67.6.0-r0","67.6.1-r0","67.6.1-r1","67.7.0-r0","67.7.1-r0","67.7.2-r0","67.8.0-r0","68.0.0-r0","68.0.0-r1","68.0.0-r2","68.1.2-r0","68.2.0-r0","68.2.1-r0","68.2.2-r0","69.0.3-r0","69.1.0-r0","69.1.1-r0","69.2.0-r0","69.2.0-r1","69.2.0-r2","69.5.1-r0","70.0.0-r0","70.1.0-r0","70.1.1-r0"],"ecosystem_specific":{},"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/alpine/ALPINE-CVE-2024-6345.json"}},{"package":{"name":"py3-setuptools","ecosystem":"Alpine:v3.22","purl":"pkg:apk/alpine/py3-setuptools?arch=source"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"70.3.0-r0"}]}],"versions":["45.2.0-r0","45.2.0-r1","45.3.0-r0","46.0.0-r0","46.1.1-r0","46.1.2-r0","46.1.3-r0","46.2.0-r0","46.3.0-r0","46.3.1-r0","46.4.0-r0","47.0.0-r0","47.1.1-r0","47.2.0-r0","47.3.0-r0","47.3.1-r0","47.3.2-r0","49.2.0-r0","49.2.1-r0","49.3.0-r0","49.3.1-r0","49.6.0-r0","50.0.0-r0","50.0.1-r0","50.0.3-r0","50.1.0-r0","50.2.0-r0","50.3.0-r0","50.3.1-r0","50.3.2-r0","51.0.0-r0","51.3.3-r0","52.0.0-r0","52.0.0-r1","52.0.0-r2","52.0.0-r3","52.0.0-r4","52.0.0-r5","54.2.0-r0","54.2.0-r1","56.0.0-r0","59.4.0-r0","65.0.0-r0","65.0.1-r0","65.0.2-r0","65.1.0-r0","65.1.1-r0","65.2.0-r0","65.3.0-r0","65.4.0-r0","65.4.1-r0","65.5.0-r0","65.5.1-r0","65.6.0-r0","65.6.0-r1","65.6.2-r0","65.6.3-r0","65.7.0-r0","66.0.0-r0","66.1.0-r0","66.1.1-r0","67.0.0-r0","67.1.0-r0","67.2.0-r0","67.3.1-r0","67.3.2-r0","67.3.3-r0","67.4.0-r0","67.4.0-r1","67.5.0-r0","67.5.1-r0","67.6.0-r0","67.6.1-r0","67.6.1-r1","67.7.0-r0","67.7.1-r0","67.7.2-r0","67.8.0-r0","68.0.0-r0","68.0.0-r1","68.0.0-r2","68.1.2-r0","68.2.0-r0","68.2.1-r0","68.2.2-r0","69.0.3-r0","69.1.0-r0","69.1.1-r0","69.2.0-r0","69.2.0-r1","69.2.0-r2","69.5.1-r0","70.0.0-r0","70.1.0-r0","70.1.1-r0"],"ecosystem_specific":{},"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/alpine/ALPINE-CVE-2024-6345.json"}},{"package":{"name":"py3-setuptools","ecosystem":"Alpine:v3.23","purl":"pkg:apk/alpine/py3-setuptools?arch=source"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"70.3.0-r0"}]}],"versions":["45.2.0-r0","45.2.0-r1","45.3.0-r0","46.0.0-r0","46.1.1-r0","46.1.2-r0","46.1.3-r0","46.2.0-r0","46.3.0-r0","46.3.1-r0","46.4.0-r0","47.0.0-r0","47.1.1-r0","47.2.0-r0","47.3.0-r0","47.3.1-r0","47.3.2-r0","49.2.0-r0","49.2.1-r0","49.3.0-r0","49.3.1-r0","49.6.0-r0","50.0.0-r0","50.0.1-r0","50.0.3-r0","50.1.0-r0","50.2.0-r0","50.3.0-r0","50.3.1-r0","50.3.2-r0","51.0.0-r0","51.3.3-r0","52.0.0-r0","52.0.0-r1","52.0.0-r2","52.0.0-r3","52.0.0-r4","52.0.0-r5","54.2.0-r0","54.2.0-r1","56.0.0-r0","59.4.0-r0","65.0.0-r0","65.0.1-r0","65.0.2-r0","65.1.0-r0","65.1.1-r0","65.2.0-r0","65.3.0-r0","65.4.0-r0","65.4.1-r0","65.5.0-r0","65.5.1-r0","65.6.0-r0","65.6.0-r1","65.6.2-r0","65.6.3-r0","65.7.0-r0","66.0.0-r0","66.1.0-r0","66.1.1-r0","67.0.0-r0","67.1.0-r0","67.2.0-r0","67.3.1-r0","67.3.2-r0","67.3.3-r0","67.4.0-r0","67.4.0-r1","67.5.0-r0","67.5.1-r0","67.6.0-r0","67.6.1-r0","67.6.1-r1","67.7.0-r0","67.7.1-r0","67.7.2-r0","67.8.0-r0","68.0.0-r0","68.0.0-r1","68.0.0-r2","68.1.2-r0","68.2.0-r0","68.2.1-r0","68.2.2-r0","69.0.3-r0","69.1.0-r0","69.1.1-r0","69.2.0-r0","69.2.0-r1","69.2.0-r2","69.5.1-r0","70.0.0-r0","70.1.0-r0","70.1.1-r0"],"ecosystem_specific":{},"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/alpine/ALPINE-CVE-2024-6345.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}]}