Vulnerability Details : CVE-2021-3572

A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.

Vulnerability category: Input validation

Published 2021-11-10 18:15:10

Updated 2022-10-05 02:14:40

Source Red Hat, Inc.

View at NVD, CVE.org

Exploit prediction scoring system (EPSS) score for CVE-2021-3572

Probability of exploitation activity in the next 30 days: 0.06%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 22 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2021-3572

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Source
3.5	LOW	AV:N/AC:M/Au:S/C:N/I:P/A:N	6.8	2.9	nvd@nist.gov
Access Vector: Network Access Complexity: Medium Authentication: Single Confidentiality Impact: None Integrity Impact: Partial Availability Impact: None
5.7	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N	2.1	3.6	nvd@nist.gov
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: Required Scope: Unchanged Confidentiality: None Integrity: High Availability: None

CWE ids for CVE-2021-3572

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Assigned by: secalert@redhat.com (Secondary)

References for CVE-2021-3572

https://www.oracle.com/security-alerts/cpuapr2022.html

Oracle Critical Patch Update Advisory - April 2022
Patch;Third Party Advisory

CVEs referencing this url
https://bugzilla.redhat.com/show_bug.cgi?id=1962856

1962856 – (CVE-2021-3572) CVE-2021-3572 python-pip: Incorrect handling of unicode separators in git references
Issue Tracking;Patch;Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2022.html

Oracle Critical Patch Update Advisory - July 2022
Patch;Third Party Advisory

CVEs referencing this url

Products affected by CVE-2021-3572

Oracle » Agile Plm » Version: 9.3.6
cpe:2.3:a:oracle:agile_plm:9.3.6:*:*:*:*:*:*:*
Matching versions
Oracle » Communications Cloud Native Core Network Function Cloud Native Environment » Version: 1.10.0
cpe:2.3:a:oracle:communications_cloud_native_core_network_function_cloud_native_environment:1.10.0:*:*:*:*:*:*:*
Matching versions
Oracle » Communications Cloud Native Core Network Function Cloud Native Environment » Version: 22.1.0
cpe:2.3:a:oracle:communications_cloud_native_core_network_function_cloud_native_environment:22.1.0:*:*:*:*:*:*:*
Matching versions
Oracle » Communications Cloud Native Core Policy » Version: 1.15.0
cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.15.0:*:*:*:*:*:*:*
Matching versions
Oracle » Communications Cloud Native Core Policy » Version: 22.1.3
cpe:2.3:a:oracle:communications_cloud_native_core_policy:22.1.3:*:*:*:*:*:*:*
Matching versions
Pypa » PIP
Versions before (<) 21.1
cpe:2.3:a:pypa:pip:*:*:*:*:*:*:*:*
Matching versions