Vulnerability CVE-2021-3572 #1528

@kaos

Not sure if this is something that needs addressing in pex.. but I've put it up here for completeness.

Report excerpt:

Explanation
The pip package is vulnerable to Improper Input Validation. The get_revision_sha() method in git.py incorrectly splits lines while processing git revision hashes returned by the internal show-ref command during Python package installations. This allows remote attackers to inject certain Unicode characters that would cause pip to install a different version of the package than the one requested by a victim. An attacker who has gained access to a Python project may inject malicious code into a specific revision and cause victims to download that malicious version of the code.

Note: This vulnerability was assigned CVE-2021-3572.

Detection
The application is vulnerable by using this component.

Recommendation
We recommend upgrading to a version of this component that is not vulnerable to this specific issue.

Note: If this component is included as a bundled/transitive dependency of another component, there may not be an upgrade path. In this instance, we recommend contacting the maintainers who included the vulnerable package. Alternatively, we recommend investigating alternative components or a potential mitigating control.

Root Cause
pex-2.1.56-py2.py3-none-any.whl: pex/vendor/_vendored/pip/pip/_internal/vcs/git.py (affected version range [10.0.0b1, 21.1))
pex-2.1.56.tar.gz: pex-2.1.56/pex/vendor/_vendored/pip/pip/_internal/vcs/git.py (affected version range [10.0.0b1, 21.1))

Advisories
Project: https://github.com/pypa/pip/pull/9827
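The line-splitting flaw the report describes is easiest to see next to a hardened parser. The block below is an added example and is not code from pex or pip: `lax_refs` reproduces the parsing pattern the advisory describes (`str.splitlines()` honours Unicode line separators such as U+2028, and `str.split()` with no argument honours Unicode whitespace such as U+00A0), while `strict_refs` splits only on `\n` and a single ASCII space and checks that the SHA field is 40 hex digits. Both are run over a constructed `git show-ref` sample in which one ref name carries U+2028 and U+00A0 (git permits such bytes in ref names). The sample output, the SHA values, and the function names are all constructed for this demonstration; `resolve_revision` only loosely mirrors how pip looks up tag and branch refs and is not pip's code.

```python
import re
from typing import Dict, Optional

# Constructed sample of `git show-ref v1.0` output (not real repository data).
# The second record is a hypothetical ref whose name embeds U+2028 (LINE
# SEPARATOR) and U+00A0 (NO-BREAK SPACE). Neither is an ASCII newline or
# space, so a parser that splits only on "\n" and " " sees one record, while
# str.splitlines() / str.split() see three.
REAL_SHA = "a" * 40
DECOY_SHA = "b" * 40
SAMPLE_SHOW_REF = (
    f"{REAL_SHA} refs/tags/v1.0\n"
    f"{'c' * 40} refs/tags/v1.0\u2028{DECOY_SHA}\u00a0refs/tags/v1.0\n"
)

# A full git object id is exactly 40 lowercase hex digits.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def lax_refs(output: str) -> Dict[str, str]:
    """Parsing pattern of the kind the advisory describes, kept only for
    comparison: splitlines() and split() both treat Unicode separators as
    boundaries, so a crafted ref name can produce an extra record that
    re-binds an honest ref name to a different SHA."""
    refs: Dict[str, str] = {}
    for line in output.strip().splitlines():
        try:
            sha, ref = line.split()
        except ValueError:
            continue
        refs[ref] = sha
    return refs


def strict_refs(output: str) -> Dict[str, str]:
    """Hardened parser: one record per ASCII newline, fields separated by a
    single ASCII space, SHA validated by shape. A ref name containing Unicode
    separators stays one (odd-looking) key and cannot shadow another ref."""
    refs: Dict[str, str] = {}
    for line in output.strip().split("\n"):
        line = line.rstrip("\r")  # tolerate CRLF output without splitting on it
        parts = line.split(" ", 1)
        if len(parts) != 2:
            continue
        sha, ref = parts
        if not SHA_RE.match(sha):
            continue  # drop anything that is not a well-formed object id
        refs[ref] = sha
    return refs


def resolve_revision(output: str, rev: str) -> Optional[str]:
    """Look up an exact tag or remote branch ref for `rev` (hypothetical
    helper, loosely modelled on the tag/branch lookup a VCS backend does)."""
    refs = strict_refs(output)
    for name in (f"refs/tags/{rev}", f"refs/remotes/origin/{rev}"):
        if name in refs:
            return refs[name]
    return None


if __name__ == "__main__":
    print("lax   :", lax_refs(SAMPLE_SHOW_REF)["refs/tags/v1.0"])
    print("strict:", strict_refs(SAMPLE_SHOW_REF)["refs/tags/v1.0"])
    print("resolve v1.0:", resolve_revision(SAMPLE_SHOW_REF, "v1.0"))
```

On the constructed sample the lax parser binds `refs/tags/v1.0` to the decoy SHA, because the third fragment produced by `splitlines()` parses as a valid-looking "sha ref" pair and overwrites the honest entry; the strict parser keeps the real SHA. The same assertions make a useful regression test for any code that parses `show-ref` or `ls-remote` output.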