CVE-2021-3572
MEDIUM5.7EPSS 0.24%Improper Input Validation in pip
Published: 11/15/2021Modified: 3/24/2026
Description
A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.
Affected packages (3)
- Debian/python-pipfrom 0, < 20.3.4-2
- PyPI/pipfrom 0, < 21.1
- PyPI/pipfrom 0, < 21.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | MEDIUM5.7 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N |
References (13)
- ADVISORYhttps://github.com/advisories/GHSA-5xp3-jfq3-5q8x
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2021-3572
- ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2021-3572
- PATCHhttps://github.com/pypa/pip
- WEBhttps://access.redhat.com/errata/RHSA-2021:3254
- WEBhttps://bugzilla.redhat.com/show_bug.cgi?id=1962856
- WEBhttps://github.com/pypa/advisory-database/tree/main/vulns/pip/PYSEC-2021-437.yaml
- WEBhttps://github.com/pypa/pip/commit/e46bdda9711392fec0c45c1175bae6db847cb30b
- WEBhttps://github.com/pypa/pip/pull/9827
- WEBhttps://packetstormsecurity.com/files/162712/USN-4961-1.txt
- WEBhttps://security.netapp.com/advisory/ntap-20240621-0006
- WEBhttps://www.oracle.com/security-alerts/cpuapr2022.html
- WEBhttps://www.oracle.com/security-alerts/cpujul2022.html