Vulnerabilities > Pypa > PIP > 0.7.2

DATE CVE VULNERABILITY TITLE RISK
2023-10-25 CVE-2023-5752 Command Injection vulnerability in Pypa PIP
When installing a package from a Mercurial VCS URL (ie "pip install hg+...") with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the "hg clone" call (ie "--config").
local
low complexity
pypa CWE-77
3.3
3.3
2021-11-10 CVE-2021-3572 A flaw was found in python-pip in the way it handled Unicode separators in git references.
network
low complexity
pypa oracle
5.7
5.7
2020-09-04 CVE-2019-20916 Path Traversal vulnerability in multiple products
The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file.
network
low complexity
pypa opensuse debian oracle CWE-22
7.5
7.5
2019-11-05 CVE-2013-5123 Improper Authentication vulnerability in multiple products
The mirroring support (-M, --use-mirrors) in Python Pip before 1.5 uses insecure DNS querying and authenticity checks which allows attackers to perform man-in-the-middle attacks.
network
high complexity
pypa virtualenv fedoraproject redhat debian CWE-287
5.9
5.9