Arbitrary Code Execution Affecting pipreqs package, versions [0.3.0,0.4.13)
Threat Intelligence
Exploit Maturity
Proof of concept
EPSS
0.19% (57th
percentile)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-PYTHON-PIPREQS-5750287
- published 2 Jul 2023
- disclosed 30 Jun 2023
- credit adeadfed
Introduced: 30 Jun 2023
CVE-2023-31543 Open this link in a new tabHow to fix?
Upgrade pipreqs
to version 0.4.13 or higher.
Overview
pipreqs is a Pip requirements.txt generator based on imports in project
Affected versions of this package are vulnerable to Arbitrary Code Execution due to a possible dependency confusion via uploading a crafted PyPI package to the chosen repository server.
Note:
In order to successfully conduct an attack these prerequisites have to be met.
References
CVSS Scores
version 3.1