CVE-2024-6345

Improper Control of Generation of Code ('Code Injection') (CWE-94)

Published: Jul 15, 2024 / Updated: 4mo ago

High Severity (Estimated)
EPSS 0.04%

Summary

A vulnerability in the package_index module of pypa/setuptools (versions up to 69.1.1 according to the CVE description; fixed in 70.0.0) allows remote code execution through its download functions. These functions fetch packages from URLs supplied by users or returned by package index servers and build shell commands from those URLs, so a URL containing shell metacharacters is executed as arbitrary commands on the system performing the download. The risk materialises wherever package_index is fed user-controlled or untrusted URLs.

Impact

This vulnerability can lead to remote code execution with the privileges of the process running the download, allowing attackers to execute arbitrary commands on the affected system. The impact is severe, with high confidentiality, integrity, and availability loss: attackers could gain control over the system, read sensitive information, modify data, or disrupt operations. The CVSS v3 base score of 8.8 (High) reflects the network attack vector and the absence of required privileges.

Exploitation

There is no evidence that a public proof-of-concept exists, and no evidence of exploitation in the wild at the moment.

Patch

A patch is available. The issue is fixed in pypa/setuptools version 70.0.0; the fix replaces the shell-string command construction in package_index with argument lists passed directly to the VCS tools.

Mitigation

1. Update pypa/setuptools to version 70.0.0 or later immediately, including copies bundled inside other packages (for example, wheels vendored by interpreters or build tooling).
2. If immediate updating is not possible, make sure no untrusted URLs reach the package_index download functions: pull only from trusted index servers over TLS and do not accept package URLs from users.
3. Implement strict input validation (scheme allowlist, rejection of shell metacharacters) for any URL or other input that interacts with the package_index module.
4. Monitor systems for unusual activity or unexpected child processes spawned by Python build tooling.
5. Apply the principle of least privilege to limit the impact of exploitation.
6. Consider virtual environments or containerization to isolate installations that still carry a vulnerable setuptools.
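The following Python is an added illustration and is not setuptools' own code. It models the vulnerability described in the Summary and the controls listed under Mitigation: the injectable pattern of building a VCS clone command as a shell string, the argv-list form (the shape of the upstream fix), a conservative URL allowlist as defense in depth, and a version triage helper against the fixed 70.0.0 release. All function names, the URLs, and the allowlist contents are hypothetical; the sample URLs are constructed for the example and nothing is executed.

```python
"""Added illustration for CVE-2024-6345 (not setuptools' own code).

Shows (1) the injectable pattern of building a VCS download command as a
shell string, (2) the argv-list form that removes the shell entirely, (3) a
conservative URL allowlist usable as defense in depth, and (4) a version
triage helper. Function and constant names are hypothetical.
"""
from __future__ import annotations

import re
import shlex
from urllib.parse import urlsplit

# Constructed sample inputs: a benign VCS URL and one carrying a shell
# metacharacter payload, as a hostile index server or user could supply.
BENIGN_URL = "https://example.invalid/repo.git"
MALICIOUS_URL = "https://example.invalid/repo.git; touch /tmp/pwned"

# Tokens at which a POSIX shell starts a new simple command.
SHELL_SEPARATORS = {";", "&", "&&", "|", "||"}


def clone_command_vulnerable(url: str, dest: str) -> str:
    """Injectable pattern: one string destined for os.system(); the URL is
    interpolated verbatim, so ';', '|', '$(...)' and friends stay live."""
    return "git clone --quiet %s %s" % (url, dest)


def clone_command_hardened(url: str, dest: str) -> list[str]:
    """Fixed pattern: an argv list for subprocess.check_call(...). No shell
    parses it, so the URL is exactly one argument whatever it contains."""
    return ["git", "clone", "--quiet", url, dest]


def commands_in(shell_string: str) -> list[list[str]]:
    """Tokenise a command line the way a POSIX shell would and split it into
    the separate simple commands the shell would run, in order."""
    lexer = shlex.shlex(shell_string, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    commands: list[list[str]] = [[]]
    for token in lexer:
        if token in SHELL_SEPARATORS:
            commands.append([])
        else:
            commands[-1].append(token)
    return [argv for argv in commands if argv]


# Hypothetical allowlist: schemes a package fetcher should accept, and a
# character set that excludes every shell metacharacter while keeping what
# VCS URLs legitimately need ('@' for refs, '#egg=' fragments, '%' escapes).
ALLOWED_SCHEMES = {"https", "git+https", "git+ssh", "hg+https", "svn+https"}
URL_CHARS = re.compile(r"[A-Za-z0-9._~:/?#@%+=-]+")


def is_acceptable_vcs_url(url: str) -> bool:
    """Defense in depth only: reject anything that could not be a plain VCS
    URL. The real fix is clone_command_hardened(); this merely narrows what
    reaches any downloader that still goes through a shell."""
    if not URL_CHARS.fullmatch(url):
        return False
    parts = urlsplit(url)
    return parts.scheme in ALLOWED_SCHEMES and bool(parts.netloc)


def setuptools_is_vulnerable(version: str) -> bool:
    """Version triage against the fixed release, setuptools 70.0.0.
    Only the leading numeric components are compared; an unparseable
    version is treated as vulnerable."""
    numbers = tuple(int(n) for n in re.findall(r"\d+", version)[:3])
    return numbers < (70, 0, 0)


if __name__ == "__main__":
    for url in (BENIGN_URL, MALICIOUS_URL):
        print(repr(url))
        print("  shell would run  :", commands_in(clone_command_vulnerable(url, "/tmp/dest")))
        print("  argv list runs   :", [clone_command_hardened(url, "/tmp/dest")])
        print("  allowlist accepts:", is_acceptable_vcs_url(url))
    print("69.5.1 vulnerable:", setuptools_is_vulnerable("69.5.1"))
    print("70.0.0 vulnerable:", setuptools_is_vulnerable("70.0.0"))
```

Running the block shows the malicious URL turning the single clone into two shell commands, with the intended destination path ending up as an argument to the attacker's command, while the argv form keeps the whole URL as one (harmless, if odd) clone target. The allowlist is deliberately stricter than RFC 3986, so treat it as a policy knob rather than a URL validator.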

Timeline

CVE Assignment

NVD published the first details for CVE-2024-6345

Jul 15, 2024 at 1:15 AM
First Article

Feedly found the first article mentioning CVE-2024-6345.

Jul 15, 2024 at 1:21 AM / National Vulnerability Database
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Jul 15, 2024 at 1:21 AM
Vendor Advisory

Red Hat published a CVE advisory (CVE-2024-6345).

Jul 15, 2024 at 3:40 AM
CVSS

A CVSS base score of 8.8 has been assigned.

Jul 15, 2024 at 3:40 AM / redhat-cve-advisories
Trending

This CVE started to trend in security discussions

Jul 15, 2024 at 4:54 AM
Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Qualys (5000411)

Jul 15, 2024 at 7:53 AM
EPSS

EPSS Score was set to: 0.04% (Percentile: 9.3%)

Jul 15, 2024 at 10:01 AM
Threat Intelligence Report

CVE-2024-6345 was first mentioned in an article found by Feedly and in a security advisory released by Red Hat. It carries a CVSS score of 8.8 (High). At the time of this report there was no evidence of exploitation in the wild and no public proof-of-concept. A patch is available (setuptools 70.0.0); downstream vendors and products that bundle setuptools may also be affected and need their own updates.

Jul 15, 2024 at 10:01 AM

Affected Systems

pypa/setuptools (package_index module), including copies bundled in other packages

Patches

bugzilla.redhat.com

Attack Patterns

CAPEC-242: Code Injection

Vendor Advisory

Oracle Linux Bulletin - October 2024
Oracle Id: linuxbulletinoct2024. Release Date: 2024-10-15. Update Date: 2024-10-15. The Oracle Linux Bulletin lists all CVEs resolved and announced in Oracle Linux Security Advisories (ELSA) in the month before the bulletin's release; it is published on the same day as the Oracle Critical Patch Update and is updated for the following two months (the interval between quarterly Critical Patch Updates) to cover CVEs resolved in that period, and may also be updated out of cycle for issues deemed too critical to wait. Oracle strongly recommends applying Oracle Linux Bulletin security patches as soon as possible. The bulletin's risk matrix (Revision 1, published 2024-10-15) is excerpted on the original page.

References

CVE-2024-6345 - Exploits & Severity - Feedly
The CVSS v3 base score of 8.8 (High) indicates a significant risk, particularly due to the network attack vector and the lack of privileges required for exploitation. A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions.
SUSE update for SUSE Manager Salt Bundle
Update the affected package SUSE Manager Salt Bundle to the latest version.
Multiple vulnerabilities in IBM Observability with Instana
The advisory bundles several CVEs. The excerpted text describes two of the others: a boundary error when processing HTML content in WebKit, which a remote attacker can trigger via a specially crafted website to cause memory corruption and execute arbitrary code, and an integer overflow in the dtdCopy() function in xmlparse.c (expat), which a remote attacker can trigger with specially crafted input to execute arbitrary code on the target system.

News

Security: Multiple issues in SUSE Manager Salt Bundle (SUSE)
Security update for SUSE Manager Salt Bundle
SUSE update for SUSE Manager Salt Bundle
Update the affected package SUSE Manager Salt Bundle to the latest version.
Fedora 41 : pypy (2024-22a01aab2f)
Nessus Plugin ID 211286 with High Severity.

Synopsis: The remote Fedora host is missing one or more security updates.

Description: The remote Fedora 41 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2024-22a01aab2f advisory. Automatic update for pypy-7.3.16-2.fc41.

Changelog:
```
* Thu Aug 1 2024 Miro Hronok - 7.3.16-2
- Security fix for CVE-2024-6345 (in bundled setuptools wheel)
- Fixes: rhbz#2298675
```

Tenable has extracted the preceding description block directly from the Fedora security advisory. Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution: Update the affected pypy package. Read more at https://www.tenable.com/plugins/nessus/211286
System-Wide Python Package Control: Enforce Allow Lists &amp; Find Vulnerabilities
The command-line application searches an entire system (or targeted virtual environments) for installed Python packages. Beyond its core validation operations, it permits searching installed packages, deriving new requirements from the packages observed across multiple environments, and unpacking and purging package content.
