{ "threat_severity" : "Low", "public_date" : "2021-04-24T00:00:00Z", "bugzilla" : { "description" : "python-pip: Incorrect handling of unicode separators in git references", "id" : "1962856", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1962856" }, "cvss3" : { "cvss3_base_score" : "4.5", "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:N", "status" : "verified" }, "cwe" : "CWE-20", "details" : [ "A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.", "A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity." ], "statement" : "This flaw has been rated as having a security impact of Low. To exploit this flaw, the attacker needs access to the repository to create a specially crafted tag and force a different revision to be installed.", "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2021-11-09T00:00:00Z", "advisory" : "RHSA-2021:4160", "cpe" : "cpe:/a:redhat:enterprise_linux:8", "package" : "python39:3.9-8050020210811100211.d428a79b" }, { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2021-11-09T00:00:00Z", "advisory" : "RHSA-2021:4160", "cpe" : "cpe:/a:redhat:enterprise_linux:8", "package" : "python39-devel:3.9-8050020210811100211.d428a79b" }, { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2021-11-09T00:00:00Z", "advisory" : "RHSA-2021:4162", "cpe" : "cpe:/a:redhat:enterprise_linux:8", "package" : "python38:3.8-8050020210811101222.e3d35cca" }, { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2021-11-09T00:00:00Z", "advisory" : "RHSA-2021:4162", "cpe" : "cpe:/a:redhat:enterprise_linux:8", "package" : "python38-devel:3.8-8050020210811101222.e3d35cca" }, { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2021-11-09T00:00:00Z", "advisory" : "RHSA-2021:4455", "cpe" : "cpe:/a:redhat:enterprise_linux:8", "package" : "python-pip-0:9.0.3-20.el8" }, { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2021-11-09T00:00:00Z", "advisory" : "RHSA-2021:4455", "cpe" : "cpe:/o:redhat:enterprise_linux:8", "package" : "python-pip-0:9.0.3-20.el8" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date" : "2021-08-24T00:00:00Z", "advisory" : "RHSA-2021:3254", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "rh-python38-babel-0:2.7.0-12.el7" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date" : "2021-08-24T00:00:00Z", "advisory" : "RHSA-2021:3254", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "rh-python38-python-0:3.8.11-2.el7" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date" : "2021-08-24T00:00:00Z", "advisory" : "RHSA-2021:3254", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "rh-python38-python-cryptography-0:2.8-5.el7" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date" : "2021-08-24T00:00:00Z", "advisory" : "RHSA-2021:3254", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "rh-python38-python-jinja2-0:2.10.3-6.el7" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date" : "2021-08-24T00:00:00Z", "advisory" : "RHSA-2021:3254", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "rh-python38-python-lxml-0:4.4.1-7.el7" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date" : "2021-08-24T00:00:00Z", "advisory" : "RHSA-2021:3254", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "rh-python38-python-pip-0:19.3.1-2.el7" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date" : "2021-08-24T00:00:00Z", "advisory" : "RHSA-2021:3254", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "rh-python38-python-urllib3-0:1.25.7-7.el7" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS", "release_date" : "2021-08-24T00:00:00Z", "advisory" : "RHSA-2021:3254", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "rh-python38-babel-0:2.7.0-12.el7" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS", "release_date" : "2021-08-24T00:00:00Z", "advisory" : "RHSA-2021:3254", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "rh-python38-python-0:3.8.11-2.el7" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS", "release_date" : "2021-08-24T00:00:00Z", "advisory" : "RHSA-2021:3254", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "rh-python38-python-cryptography-0:2.8-5.el7" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS", "release_date" : "2021-08-24T00:00:00Z", "advisory" : "RHSA-2021:3254", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "rh-python38-python-jinja2-0:2.10.3-6.el7" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS", "release_date" : "2021-08-24T00:00:00Z", "advisory" : "RHSA-2021:3254", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "rh-python38-python-lxml-0:4.4.1-7.el7" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS", "release_date" : "2021-08-24T00:00:00Z", "advisory" : "RHSA-2021:3254", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "rh-python38-python-pip-0:19.3.1-2.el7" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS", "release_date" : "2021-08-24T00:00:00Z", "advisory" : "RHSA-2021:3254", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "rh-python38-python-urllib3-0:1.25.7-7.el7" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Out of support scope", "package_name" : "python-pip", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Out of support scope", "package_name" : "python-virtualenv", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "gimp:flatpak/python2-pip", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Fix deferred", "package_name" : "inkscape:flatpak/python2-pip", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "python27:2.7/python2-pip", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Affected", "package_name" : "python-pip", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat Software Collections", "fix_state" : "Not affected", "package_name" : "python27-python-pip", "cpe" : "cpe:/a:redhat:rhel_software_collections:3" }, { "product_name" : "Red Hat Software Collections", "fix_state" : "Not affected", "package_name" : "python27-python-virtualenv", "cpe" : "cpe:/a:redhat:rhel_software_collections:3" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2021-3572\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-3572" ], "name" : "CVE-2021-3572", "csaw" : false }