{"id":"PYSEC-2020-173","details":"The pip package before 19.2 for Python allows directory traversal when a URL is given in an install command: the filename in the HTTP response's Content-Disposition header can contain ../ path components, so the downloaded file can be written outside the intended download directory, as demonstrated by overwriting the /root/.ssh/authorized_keys file. The flaw is in _download_http_url in _internal/download.py.","aliases":["CVE-2019-20916","GHSA-gpvv-69j7-gwj8"],"modified":"2023-11-01T05:44:38.729877Z","published":"2020-09-04T20:15:00Z","references":[{"type":"REPORT","url":"https://github.com/pypa/pip/issues/6413"},{"type":"FIX","url":"https://github.com/gzpan123/pip/commit/a4c735b14a62f9cb864533808ac63936704f2ace"},{"type":"WEB","url":"https://github.com/pypa/pip/compare/19.1.1...19.2"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2020/09/msg00010.html"},{"type":"WEB","url":"http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00005.html"},{"type":"WEB","url":"http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00010.html"},{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-gpvv-69j7-gwj8"}],"affected":[{"package":{"name":"pip","ecosystem":"PyPI","purl":"pkg:pypi/pip"},"ranges":[{"type":"GIT","repo":"https://github.com/gzpan123/pip","events":[{"introduced":"0"},{"fixed":"a4c735b14a62f9cb864533808ac63936704f2ace"}]},{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"19.2"}]}],"versions":["0.2","0.2.1","0.3","0.3.1","0.4","0.5","0.5.1","0.6","0.6.1","0.6.2","0.6.3","0.7","0.7.1","0.7.2","0.8","0.8.1","0.8.2","0.8.3","1.0","1.0.1","1.0.2","1.1","1.2","1.2.1","1.3","1.3.1","1.4","1.4.1","1.5","1.5.1","1.5.2","1.5.3","1.5.4","1.5.5","1.5.6","6.0","6.0.1","6.0.2","6.0.3","6.0.4","6.0.5","6.0.6","6.0.7","6.0.8","6.1.0","6.1.1","7.0.0","7.0.1","7.0.2","7.0.3","7.1.0","7.1.1","7.1.2","8.0.0","8.0.1","8.0.2","8.0.3","8.1.0","8.1.1","8.1.2","9.0.0","9.0.1","9.0.2","9.0.3","10.0.0b1","10.0.0b2","10.0.0","10.0.1","18.0","18.1","19.0","19.0.1","19.0.2","19.0.3","19.1","19.1.1"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/pip/PYSEC-2020-173.yaml"}}],"schema_version":"1.7.3"}