CVE-2022-21668

Severity: High
CVSS 3.1 base score: 8.6
Published Jan 10, 2022 (4y ago) · Modified Jun 17, 2026 (2w ago)

Description

pipenv is a Python development workflow tool. Starting with version 2018.10.9 and prior to version 2022.1.8, a flaw in pipenv's parsing of requirements files allows an attacker to insert a specially crafted string inside a comment anywhere within a requirements.txt file, causing victims who use pipenv to install that file to download dependencies from a package index server controlled by the attacker. In practice, an attacker who can hide a malicious `--index-url` option in a requirements file that a victim installs with pipenv can embed arbitrary malicious code in the packages served from that index server, and that code is executed on the victim's host during installation (remote code execution, RCE): when pip installs from a source distribution, any code in its setup.py is executed by the install process. This issue is patched in version 2022.1.8. The GitHub Security Advisory contains more information about this vulnerability.
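A defensive check for the mechanism described above, added here as an example and not pipenv's own code or its fix: it splits each requirements line into its active part and its comment using pip's comment rule, then flags index-redirecting options found in either place, so a reviewer can spot a hidden `--index-url` before running an install. The sample requirements text and the `.invalid` hostnames are constructed for the example.

```python
import re
from typing import List, Tuple

# Requirements-file options that redirect where packages are fetched from.
# Any of these appearing inside a comment is the pattern this CVE describes.
INDEX_OPTION_RE = re.compile(
    r"(?<![\w-])(?:--index-url|--extra-index-url|--find-links|-i|-f)(?=[\s=]|$)"
)


def split_comment(line: str) -> Tuple[str, str]:
    """Split a requirements line into (active_text, comment_text).

    Follows pip's comment rule: a '#' starts a comment only at the start of
    the line or after whitespace, so 'pkg#fragment' is not a comment.
    """
    match = re.search(r"(^|\s)#.*$", line)
    if not match:
        return line.strip(), ""
    return line[: match.start()].strip(), line[match.start():].strip()


def audit_requirements(text: str) -> List[dict]:
    """Return one finding per line that carries an index-redirecting option.

    'option-in-comment' is the dangerous case: a patched pipenv ignores it,
    a vulnerable one would honour it. 'index-option' is an explicit, visible
    redirect that still deserves review before installing.
    """
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        active, comment = split_comment(raw)
        if comment and INDEX_OPTION_RE.search(comment):
            findings.append({"line": lineno, "kind": "option-in-comment", "text": raw})
        elif active and INDEX_OPTION_RE.search(active):
            findings.append({"line": lineno, "kind": "index-option", "text": raw})
    return findings


# Constructed sample requirements file; the .invalid hostnames are placeholders.
SAMPLE_REQUIREMENTS = """\
requests==2.26.0
# pinned for compatibility --index-url https://pypi.example.invalid/simple
flask==2.0.1  # see issue #42
--extra-index-url https://mirror.example.invalid/simple
"""

if __name__ == "__main__":
    for finding in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"line {finding['line']}: {finding['kind']}: {finding['text']}")
```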

CVSS Details

Base Score
8.6
Exploitability
1.8
Impact
6.0
Vector string
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required None
User Interaction Required
Scope Changed
Confidentiality High
Integrity High
Availability High

Threat Intelligence

No active exploitation signals — not in CISA KEV and no EPSS score yet.

Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses (7)

  • CWE-1284 Improper Validation of Specified Quantity in Input
  • CWE-190 Integer Overflow or Wraparound
  • CWE-20 Improper Input Validation
  • CWE-427 Uncontrolled Search Path Element
  • CWE-77 Command Injection
  • CWE-78 OS Command Injection
  • CWE-791 Incomplete Filtering of Special Elements

Affected Products (4)

  Vendor          Product   Version   Range
  pypa            pipenv    *         ≥2018.10.9, <2022.1.8
  fedoraproject   fedora    34        any
  fedoraproject   fedora    35        any
  fedoraproject   fedora    36        any

References (6)

  • github.com https://github.com/pypa/pipenv/commit/439782a8ae36c4762c88e43d5f0d8e563371b46f
    Patch, Third Party Advisory
  • github.com https://github.com/pypa/pipenv/releases/tag/v2022.1.8
    Release Notes, Third Party Advisory
  • github.com https://github.com/pypa/pipenv/security/advisories/GHSA-qc9x-gjcv-465w
    Exploit, Third Party Advisory
  • lists.fedoraproject.org https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/56HBA3EOSLEDNCCBJVHE6DO34P56EOUM/
    Mailing List
  • lists.fedoraproject.org https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KCROBYHUS6DKQPCXBRPCZ5CDBNQTYAWT/
    Mailing List
  • lists.fedoraproject.org https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QHQRIWKDP3SVJABAPEXBIQPKDI6UP7G4/
    Mailing List

Remediation

  • github.com https://github.com/pypa/pipenv/commit/439782a8ae36c4762c88e43d5f0d8e563371b46f
    Patch, Third Party Advisory