CVE-2021-3572 Affecting scipy-debugsource package, versions <0:1.5.4-3.module+el8.4.0+574+843c4898


Severity

Recommended
0.0
medium
0
10

Based on Rocky Linux security rating.

Threat Intelligence

EPSS
0.06% (30th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-ROCKY8-SCIPYDEBUGSOURCE-3211122
  • published5 Jan 2023
  • disclosed10 Nov 2021

Introduced: 10 Nov 2021

CVE-2021-3572  (opens in a new tab)

How to fix?

Upgrade Rocky-Linux:8 scipy-debugsource to version 0:1.5.4-3.module+el8.4.0+574+843c4898 or higher.
This issue was patched in RLSA-2021:4160.

NVD Description

Note: Versions mentioned in the description apply only to the upstream scipy-debugsource package and not the scipy-debugsource package as distributed by Rocky-Linux. See How to fix? for Rocky-Linux:8 relevant fixed versions and status.

A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.

CVSS Scores

version 3.1