CVE-2019-20916
📋 TL;DR
pip before 19.2 trusts the filename parameter of the Content-Disposition header in an HTTP response when it downloads a package archive, and joins that name onto its temporary download directory without stripping directory components. A server that answers with filename="../../../../root/.ssh/authorized_keys" therefore makes pip write the response body to that path, with the permissions of whoever ran pip. The flaw is in _download_http_url in pip/_internal/download.py; every pip release before 19.2 is affected, regardless of Python version.
💻 Affected Systems
- pip (Python package installer) before 19.2, by PyPA
- Leap, by openSUSE (distribution package; see the openSUSE advisories under References)
- Debian LTS (distribution package; see the Debian LTS advisory under References)
- Communications Cloud Native Core Network Function Cloud Native Environment, by Oracle
- Communications Cloud Native Core Policy, by Oracle
📦 What is this software?
pip is the standard package installer for Python, maintained by the Python Packaging Authority (PyPA). It resolves and downloads packages from PyPI or another index, from find-links pages, or from archive URLs given directly on the command line or in requirements files, and installs them into the interpreter or virtual environment it runs under. The Oracle products and the distributions listed above bundle pip and published their own advisories for this CVE.
⚠️ Risk & Real-World Impact
Worst Case
pip run as root (typically sudo pip install): the response body lands in /root/.ssh/authorized_keys, a cron entry, /etc/passwd or a system binary, giving the attacker a remote shell or root code execution and persistence on the host.
Likely Case
Arbitrary file write as the user who ran pip: ~/.ssh/authorized_keys, shell rc files, or application data get overwritten, which becomes code execution as that user at the next login or shell start. On its own this is not a privilege escalation; it inherits exactly what the invoking user can write.
If Mitigated
Limited impact when pip runs as an unprivileged user whose writable files matter little (a throwaway container or CI runner), and installs are restricted to package names from a trusted HTTPS index with no direct archive URLs, find-links pages or plain-http mirrors. A virtual environment by itself does not limit the write, since the traversal escapes pip's temporary directory whatever environment is active.
🎯 Exploit Status
Exploitation requires the victim to run pip install against a download the attacker controls or can tamper with in transit (a plain-http URL or mirror); the attacker's HTTP response carries a Content-Disposition header whose filename contains ../ segments. The upstream issue (#6413) and public write-ups document the technique, demonstrated by overwriting /root/.ssh/authorized_keys, and proof-of-concept servers are trivial to build.
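The following is an added example, not pip's own code, that reconstructs both behaviours in plain Python so the traversal can be exercised offline: the pre-19.2 handling joins the header's filename straight onto the temporary download directory, and the 19.2 handling reduces it to a basename first, falling back to the link's own filename when nothing is left (as the upstream fix does). The sample headers are constructed, the temporary directory name is arbitrary, and `email.message.Message` stands in for the deprecated `cgi.parse_header` pip used, which also means RFC 2231 `filename*=` encodings are decoded before the check. Paths are handled with `posixpath` so the result is the same on any platform.

```python
import posixpath
from email.message import Message

# Constructed sample headers (not captured traffic); only the filename
# parameter is attacker-controlled.
BENIGN_HEADER = 'attachment; filename="sample-1.0.0.tar.gz"'
TRAVERSAL_HEADER = 'attachment; filename="../../../../root/.ssh/authorized_keys"'
# RFC 2231 form of the same idea, with "../" percent-encoded as %2e%2e%2f.
ENCODED_HEADER = "attachment; filename*=UTF-8''%2e%2e%2f%2e%2e%2fetc%2fpasswd"
# A name that is nothing but directory parts; basename() reduces it to "".
DIR_ONLY_HEADER = 'attachment; filename="../../"'

# Arbitrary stand-in for the per-download temp dir pip creates.
TEMP_DIR = "/tmp/pip-unpack-x1"


def parse_content_disposition(content_disposition, default_filename):
    """Return the filename parameter, or default_filename when absent/empty.

    email.message decodes quoted and RFC 2231 (filename*=) forms; it stands in
    for the cgi.parse_header call pip used, so decoding details may differ.
    """
    msg = Message()
    msg["Content-Disposition"] = content_disposition
    return msg.get_filename() or default_filename


def download_path_before_19_2(temp_dir, content_disposition, link_filename):
    """Pre-fix behaviour (reconstruction): the header's name is joined as-is,
    so "../" segments walk out of temp_dir."""
    filename = parse_content_disposition(content_disposition, link_filename)
    return posixpath.normpath(posixpath.join(temp_dir, filename))


def download_path_19_2(temp_dir, content_disposition, link_filename):
    """19.2 behaviour (reconstruction): keep only the basename, and fall back
    to the URL's own filename when sanitising leaves nothing."""
    filename = parse_content_disposition(content_disposition, link_filename)
    filename = posixpath.basename(filename) or link_filename
    return posixpath.normpath(posixpath.join(temp_dir, filename))


def escapes_directory(directory, path):
    """True when path resolves outside directory (both absolute POSIX paths)."""
    return posixpath.commonpath([directory, path]) != directory


if __name__ == "__main__":
    cases = [("benign", BENIGN_HEADER), ("traversal", TRAVERSAL_HEADER),
             ("rfc2231", ENCODED_HEADER), ("dir-only", DIR_ONLY_HEADER)]
    for label, header in cases:
        before = download_path_before_19_2(TEMP_DIR, header, "pkg.tar.gz")
        after = download_path_19_2(TEMP_DIR, header, "pkg.tar.gz")
        print(f"{label:10} before: {before} (escapes={escapes_directory(TEMP_DIR, before)})")
        print(f"{'':10} 19.2:   {after} (escapes={escapes_directory(TEMP_DIR, after)})")
```

The percent-encoded case shows why the fix has to run after header decoding: a basename taken on the raw `%2e%2e%2f` string would have kept the traversal intact. The dir-only case is the edge the upstream fix handles with its fallback; without it, basename returns an empty string and the join would target the directory itself.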
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 19.2 and later (commit a4c735b14a62f9cb864533808ac63936704f2ace reduces the Content-Disposition filename to its basename before use)
Vendor Advisory: https://github.com/pypa/pip/security/advisories/GHSA-4w8v-9xjp-5j3r
Restart Required: No
Instructions:
1. Upgrade through the interpreter whose pip you are fixing: python3 -m pip install --upgrade pip (every interpreter and every virtual environment carries its own pip, so repeat per environment)
2. Verify with the same interpreter: python3 -m pip --version
3. Ensure the version is 19.2 or higher. Distribution packages (Debian, openSUSE, Oracle; see References) may ship the fix as a backport under an older version number, so for those check the distribution advisory or the package changelog for CVE-2019-20916 instead of the version string alone.
🔧 Temporary Workarounds
Avoid URL-based installs
Only install packages by name from a trusted HTTPS index. Do not pass archive URLs, --find-links pages or plain-http --index-url mirrors to pip install, and review requirements files for URL entries. Every link pip downloads over HTTP goes through the same code path, so the index itself must be trustworthy as well.
Run pip as an unprivileged user
A virtual environment isolates installed packages, not the file system: the traversal escapes pip's temporary download directory whichever environment is active, so a venv on its own is not a mitigation. What limits the damage is the identity pip runs as (never sudo pip install). If you do create a venv, note that it starts with the pip bundled by ensurepip, which may itself predate 19.2, so upgrade pip inside it before use:
python -m venv myenv
source myenv/bin/activate
python -m pip install --upgrade pip
🧯 If You Can't Patch
- Enforce a policy that pip install takes package names only: no archive URLs, no --find-links pages, no plain-http index mirrors, and requirements files reviewed for URL entries
- Run pip as an unprivileged user, ideally inside a throwaway container or CI runner, so that an arbitrary file write lands somewhere you can afford to lose, and keep sensitive files such as ~/.ssh/authorized_keys out of that user's writable paths
🔍 How to Verify
Check if Vulnerable:
Query pip through the interpreter it belongs to: python3 -m pip --version (output looks like "pip 19.1.1 from ... (python 3.7)"). Anything below 19.2 is vulnerable unless your distribution backported the fix; repeat for each interpreter and virtual environment, since each has its own pip.
Check Version:
python3 -m pip --version
Verify Fix Applied:
After upgrading, python3 -m pip --version must report 19.2 or higher. For distribution-packaged pip with an older version string, confirm the backport by searching the package changelog for CVE-2019-20916.
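As an added example that is neither pip's code nor part of the original page, the check below parses `pip --version` output and compares it against 19.2, and can run `<interpreter> -m pip --version` for every interpreter you care about. The sample output lines are constructed, the paths in them are illustrative, and `check_interpreter` and `report` are helper names introduced here.

```python
import re
import subprocess
import sys

FIXED_IN = (19, 2)  # first release carrying the Content-Disposition fix

# Matches the first line of `pip --version`, e.g.
# "pip 19.2.3 from /usr/lib/python3.7/site-packages/pip (python 3.7)"
VERSION_LINE = re.compile(r"^pip[0-9.]*\s+(\d+)\.(\d+)(?:\.(\d+))?")

# Constructed sample outputs for offline use; the paths are illustrative.
SAMPLE_OUTPUTS = {
    "system-py37": "pip 19.2.3 from /usr/lib/python3.7/site-packages/pip (python 3.7)",
    "venv-py37": "pip 19.1.1 from /home/ci/venv/lib/python3.7/site-packages/pip (python 3.7)",
    "system-py27": "pip 9.0.1 from /usr/lib/python2.7/dist-packages (python 2.7)",
    "venv-py38": "pip 20.0.2 from /home/ci/venv38/lib/python3.8/site-packages/pip (python 3.8)",
    "broken": "bash: pip: command not found",
}


def parse_pip_version(version_output):
    """Return (major, minor, patch) from `pip --version` output, or None."""
    match = VERSION_LINE.match(version_output.strip())
    if not match:
        return None
    major, minor, patch = match.groups()
    return (int(major), int(minor), int(patch or 0))


def is_fixed(version):
    """True for 19.2 and later. Distribution packages may backport the fix
    under an older version number; for those, check the package changelog
    for CVE-2019-20916 rather than trusting this comparison."""
    return version[:2] >= FIXED_IN


def check_interpreter(python=sys.executable):
    """Run `<python> -m pip --version` and return (version, fixed);
    (None, None) when the interpreter or its pip cannot be queried.
    Each interpreter and virtual environment has its own pip, so call this
    once per interpreter you care about."""
    try:
        proc = subprocess.run([python, "-m", "pip", "--version"],
                              capture_output=True, text=True, check=True)
    except (OSError, subprocess.CalledProcessError):
        return None, None
    version = parse_pip_version(proc.stdout)
    if version is None:
        return None, None
    return version, is_fixed(version)


def report(outputs):
    """Map label -> 'fixed' / 'vulnerable' / 'unknown' for captured outputs."""
    status = {}
    for label, text in outputs.items():
        version = parse_pip_version(text)
        if version is None:
            status[label] = "unknown"
        else:
            status[label] = "fixed" if is_fixed(version) else "vulnerable"
    return status


if __name__ == "__main__":
    for label, state in report(SAMPLE_OUTPUTS).items():
        print(f"{label:12} {state}")
    print("current interpreter:", check_interpreter())
```

Run it under each interpreter on the host (`python2`, `python3`, the venv's `python`), or pass their paths to `check_interpreter`; a "vulnerable" result for a distribution-packaged pip still needs the changelog check described above before you treat it as confirmed.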
📡 Detection & Monitoring
Log Indicators:
- pip install invocations (including python -m pip install, where the process name is python rather than pip) whose arguments contain http:// or https:// archive URLs, --find-links pages, or plain-http --index-url mirrors
- Files created or modified by a python process outside pip's temporary download directory during an install, in particular ~/.ssh/authorized_keys, shell rc files, cron directories, /etc, or system binaries
Network Indicators:
- Package downloads from domains other than your approved index or mirror during installation
- HTTP responses to pip whose Content-Disposition filename contains ../ or its percent-encoded form, visible on an inspecting proxy
SIEM Query:
(process.name="pip" OR process.name="pip3" OR (process.name="python*" AND cmdline="*-m pip*")) AND cmdline="*install*" AND cmdline="*http*"
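Added example, not part of the page or of any SIEM product: a classifier for captured command lines (auditd EXECVE records, shell history, EDR process events) that flags the two argument shapes which reach the vulnerable download path, direct archive URLs and index or find-links URLs, and that recognises `python -m pip` as well as `pip`. The option tables are an assumed subset of pip's, and the sample command lines are constructed.

```python
import posixpath
import re
import shlex

# Options whose value is an index or find-links page: the links pip obtains
# from these are downloaded through the same code path as a direct URL.
INDEX_OPTS = {"-i", "--index-url", "--extra-index-url", "-f", "--find-links"}
# Other options that consume the next argument, so their value is not
# mistaken for a package spec. Assumed subset of pip's option table.
OTHER_VALUE_OPTS = {
    "-r", "--requirement", "-c", "--constraint", "-e", "--editable",
    "-t", "--target", "--prefix", "--root", "--src", "-b", "--build",
    "--cache-dir", "--proxy", "--cert", "--client-cert", "--trusted-host",
    "--log", "--timeout", "--retries", "--progress-bar", "--no-binary",
    "--only-binary", "--platform", "--python-version", "--implementation", "--abi",
}
# Plain http(s) archive URLs; VCS specs such as git+https://... do not match
# because they start with the VCS prefix and are cloned, not downloaded.
HTTP_URL = re.compile(r"^https?://", re.IGNORECASE)

# Constructed sample command lines, as they might appear in auditd EXECVE
# records, shell history or EDR process telemetry.
SAMPLE_CMDLINES = [
    "pip install https://files.example.test/pkg-1.0.tar.gz",
    "/usr/bin/python3 -m pip install --user requests",
    "pip3 install git+https://github.com/example/repo.git",
    "python -m pip --disable-pip-version-check install -i http://mirror.internal/simple somepkg",
    "pip install -r requirements.txt",
    "ls -la /tmp",
]


def _install_args(argv):
    """Return the arguments after `install` for `pip ...` or `python -m pip ...`,
    or None when argv is not a pip install."""
    if not argv:
        return None
    prog = posixpath.basename(argv[0])
    if re.fullmatch(r"pip[0-9.]*", prog):
        rest = argv[1:]
    elif re.fullmatch(r"python[0-9.]*", prog) and argv[1:3] == ["-m", "pip"]:
        rest = argv[3:]
    else:
        return None
    # Global options such as --disable-pip-version-check may precede the subcommand.
    while rest and rest[0].startswith("-"):
        rest = rest[1:]
    if not rest or rest[0] != "install":
        return None
    return rest[1:]


def audit_pip_cmdline(cmdline):
    """Classify one command line.

    Returns None when it is not a pip install; otherwise a dict with
    'direct_urls' (archive URLs passed straight to install) and
    'index_urls' (index / find-links URLs whose links pip will download).
    """
    try:
        argv = shlex.split(cmdline)
    except ValueError:
        return None
    args = _install_args(argv)
    if args is None:
        return None
    found = {"direct_urls": [], "index_urls": []}
    i = 0
    while i < len(args):
        arg = args[i]
        opt, has_eq, value = arg.partition("=")
        if opt in INDEX_OPTS:
            if not has_eq:                      # value is the next argument
                i += 1
                value = args[i] if i < len(args) else ""
            if HTTP_URL.match(value):
                found["index_urls"].append(value)
        elif opt in OTHER_VALUE_OPTS:
            if not has_eq:
                i += 1                          # skip the option's value
        elif arg.startswith("-"):
            pass                                # flag without a value
        elif HTTP_URL.match(arg):
            found["direct_urls"].append(arg)
        i += 1
    return found


def flagged(cmdlines):
    """Return [(cmdline, finding)] for command lines that reach the download path."""
    hits = []
    for line in cmdlines:
        finding = audit_pip_cmdline(line)
        if finding and (finding["direct_urls"] or finding["index_urls"]):
            hits.append((line, finding))
    return hits


if __name__ == "__main__":
    for line, finding in flagged(SAMPLE_CMDLINES):
        print(f"{line!r}: {finding}")
```

Every index URL is reported, including your legitimate one, so feed the result through an allowlist of approved index hosts before alerting; requirements files passed with -r are deliberately not expanded here, since their contents are not on the command line and need a separate file-content check.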
🔗 References
- http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00005.html
- http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00010.html
- https://github.com/gzpan123/pip/commit/a4c735b14a62f9cb864533808ac63936704f2ace
- https://github.com/pypa/pip/compare/19.1.1...19.2
- https://github.com/pypa/pip/issues/6413
- https://lists.debian.org/debian-lts-announce/2020/09/msg00010.html
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html