Tuesday, June 25, 2024

Arbitrary Command Injection Affecting pipenv

pipenv is a Python Development Workflow for Humans.

Affected package, versions [2018.10.9, 2022.1.8)

How to fix?

Upgrade pipenv to version 2022.1.8 or higher.

Overview

Affected versions of this package are vulnerable to Arbitrary Command Injection. Due to a flaw in pipenv’s parsing of requirements files, an attacker can insert a specially crafted string inside a comment anywhere within a requirements.txt file, which will cause victims who use pipenv to install the requirements file (e.g. with pipenv install -r requirements.txt) to download dependencies from a package index server controlled by the attacker. By embedding malicious code in packages served from their malicious index server, the attacker can trigger arbitrary remote code execution (RCE) on the victims’ systems.

Arbitrary Command Injection Affecting pipenv
Snyk

According to the requirements file format specification, any lines which begin with a # character, and/or any text in a line following whitespace and a # character should be interpreted as a comment which will be ignored during the processing of the requirements file.

However, due to a flaw in pipenv’s parsing of requirements files, an attacker can insert a specially crafted string inside a comment anywhere within a requirements.txt file, which will cause victims who use pipenv to install the requirements file

Note: The primary hurdle to successful exploitation of this vulnerability depends on an attacker’s ability to surreptitiously insert a specially crafted string into a requirements.txt file that will be installed by a victim. This is not a highly likely scenario, however, it can be made easier to obfuscate due to it being hidden within comments.

References

Return to exploits

Bookmark
Close
Recommended:  FBI, NSA and CISA Warns of Russian Hackers Targeting Critical Infrastructure
Please login
Share the word, let's increase Cybersecurity Awareness as we know it
- Sponsored -

Sponsored Offer

Unleash the Power of the Cloud: Grab $200 Credit for 60 Days on DigitalOcean!

Digital ocean free 200

Discover more infosec

User Avatar
Steven Black (n0tst3)
Hello! I'm Steve, an independent security researcher, and analyst from Scotland, UK. I've had an avid interest in Computers, Technology and Security since my early teens. 20 years on, and, it's a whole lot more complicated... I've assisted Governments, Individuals and Organizations throughout the world. Including; US DOJ, NHS UK, GOV UK. I'll often reblog infosec-related articles that I find interesting. On the RiSec website, You'll also find a variety of write-ups, tutorials and much more!

more infosec reads

Subscribe for weekly updates

explore

more

security