Vulnerability DatabaseCVE-2024-6345

CVE-2024-6345:
Python vulnerability analysis and mitigation

Overview

CVE-2024-6345 is a vulnerability discovered in the package_index module of pypa/setuptools affecting versions up to 69.1.1. The vulnerability allows for remote code execution via its download functions, which are used to download packages from URLs provided by users or retrieved from package index servers. The issue was fixed in version 70.0 (NVD).

Technical details

The vulnerability is classified as a code injection flaw (CWE-94) where the download functions in the package_index module are susceptible to code injection when exposed to user-controlled inputs, such as package URLs. The vulnerability has received a CVSS v3.0 base score of 8.8 (HIGH) with the vector string CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, indicating high severity with potential for remote exploitation (NVD, Huntr).

Impact

If successfully exploited, the vulnerability can allow attackers to execute arbitrary commands on the system through maliciously crafted package URLs. This poses a significant risk as it could lead to complete system compromise with the same privileges as the application running setuptools (NVD).

Mitigation and workarounds

The recommended mitigation is to upgrade to setuptools version 70.0 or later, which contains the fix for this vulnerability. The fix includes modernization and refactoring of VCS handling in the package_index module (Github).

Additional resources

Source: This report was generated using AI

8.8

Score

Published July 15, 2024

Severity HIGH

CNA Score 8.8

Affected Technologies

Python
Rocky Linux

Has Public Exploit No

Has CISA KEV Exploit No

CISA KEV Release Date N/A

CISA KEV Due Date N/A

Exploitation Probability Percentile (EPSS) 45.6

Exploitation Probability (EPSS) 0.2

Affected packages and libraries

fence-agents-debuginfo
fence-agents-kdump-debuginfo

Sources

NVD
AlmaLinux Security Advisory
- AlmaLinux 8 Severity MEDIUMHas FixAdded at: Aug 25, 2024
- AlmaLinux 9 Severity HIGHHas FixAdded at: Aug 25, 2024
Alpine Security Tracker
- Alpine 3.17, 3.18 Severity HIGHHas FixAdded at: Jul 21, 2024
- Alpine 3.19, 3.20 Severity HIGHHas FixAdded at: Aug 11, 2024
- Alpine 3.21 Severity HIGHHas FixAdded at: Dec 08, 2024
- Alpine 3.22 Severity HIGHHas FixAdded at: Jun 01, 2025
- Alpine edge Severity HIGHHas FixAdded at: Oct 30, 2024
CBL-Mariner
- CBL-Mariner 2.0 Severity HIGHHas FixAdded at: Apr 27, 2025
- CBL-Mariner 3.0 Severity HIGHHas FixAdded at: May 04, 2025
Chainguard
- Chainguard Has FixAdded at: Jul 17, 2024
Container-Optimized OS Release Notes
- Container-Optimized OS Severity HIGHHas FixAdded at: Aug 13, 2024
Debian Security Tracker
- Debian 11, 12, 13 Severity HIGHHas FixAdded at: Jul 16, 2024
GitHub Advisory Database
- pip Severity HIGHHas FixAdded at: Jul 16, 2024
Photon Security Advisory
- Photon 3.0 Severity HIGHHas FixAdded at: Sep 01, 2024
- Photon 4.0 Severity HIGHHas FixAdded at: Aug 04, 2024
- Photon 5.0 Severity HIGHHas FixAdded at: Jul 28, 2024
Red Hat Errata
- Red Hat 6 Severity HIGHNo FixAdded at: Jul 22, 2024
- Red Hat 7 Severity HIGHHas FixAdded at: Feb 19, 2025
- Red Hat 8 Severity HIGHHas FixAdded at: Jul 23, 2024
- Red Hat 9 Severity HIGHHas FixAdded at: Jul 18, 2024
Rocky Linux Product Errata
- Rocky 8 Severity HIGHHas FixAdded at: Aug 25, 2024
- Rocky 9 Severity HIGHHas FixAdded at: Oct 03, 2024
Ubuntu Security Tracker
- Ubuntu 14.04, 16.04, 18.04, 20.04, 22.04, 24.04 Severity MEDIUMHas FixAdded at: Sep 22, 2024
Wolfi
- Wolfi Has FixAdded at: Jul 17, 2024