{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-6345", "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "state": "PUBLISHED", "assignerShortName": "@huntr_ai", "dateReserved": "2024-06-26T08:16:17.895Z", "datePublished": "2024-07-15T00:00:14.545Z", "dateUpdated": "2024-08-01T21:33:05.517Z"}, "containers": {"cna": {"title": "Remote Code Execution in pypa/setuptools", "providerMetadata": {"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "shortName": "@huntr_ai", "dateUpdated": "2024-07-15T00:00:14.545Z"}, "descriptions": [{"lang": "en", "value": "A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to code injection. If these functions are exposed to user-controlled inputs, such as package URLs, they can execute arbitrary commands on the system. The issue is fixed in version 70.0."}], "affected": [{"vendor": "pypa", "product": "pypa/setuptools", "versions": [{"version": "unspecified", "lessThan": "70.0", "status": "affected", "versionType": "custom"}]}], "references": [{"url": "https://huntr.com/bounties/d6362117-ad57-4e83-951f-b8141c6e7ca5"}, {"url": "https://github.com/pypa/setuptools/commit/88807c7062788254f654ea8c03427adc859321f0"}], "metrics": [{"cvssV3_0": {"version": "3.0", "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-94 Improper Control of Generation of Code", "cweId": "CWE-94"}]}], "source": {"advisory": "d6362117-ad57-4e83-951f-b8141c6e7ca5", "discovery": "EXTERNAL"}}, "adp": [{"affected": [{"vendor": "python", "product": "setuptools", "cpes": ["cpe:2.3:a:python:setuptools:69.1.1:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "69.1.1", "status": "affected", "lessThan": "70.0", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-07-15T13:33:16.586239Z", "id": "CVE-2024-6345", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-15T13:38:34.323Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T21:33:05.517Z"}, "title": "CVE Program Container", "references": [{"url": "https://huntr.com/bounties/d6362117-ad57-4e83-951f-b8141c6e7ca5", "tags": ["x_transferred"]}, {"url": "https://github.com/pypa/setuptools/commit/88807c7062788254f654ea8c03427adc859321f0", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://huntr.com/bounties/d6362117-ad57-4e83-951f-b8141c6e7ca5", "tags": ["x_transferred"]}, {"url": "https://github.com/pypa/setuptools/commit/88807c7062788254f654ea8c03427adc859321f0", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T21:33:05.517Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-6345", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-07-15T13:33:16.586239Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:python:setuptools:69.1.1:*:*:*:*:*:*:*"], "vendor": "python", "product": "setuptools", "versions": [{"status": "affected", "version": "69.1.1", "lessThan": "70.0", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-15T13:38:29.989Z"}}], "cna": {"title": "Remote Code Execution in pypa/setuptools", "source": {"advisory": "d6362117-ad57-4e83-951f-b8141c6e7ca5", "discovery": "EXTERNAL"}, "metrics": [{"cvssV3_0": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "pypa", "product": "pypa/setuptools", "versions": [{"status": "affected", "version": "unspecified", "lessThan": "70.0", "versionType": "custom"}]}], "references": [{"url": "https://huntr.com/bounties/d6362117-ad57-4e83-951f-b8141c6e7ca5"}, {"url": "https://github.com/pypa/setuptools/commit/88807c7062788254f654ea8c03427adc859321f0"}], "descriptions": [{"lang": "en", "value": "A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to code injection. If these functions are exposed to user-controlled inputs, such as package URLs, they can execute arbitrary commands on the system. The issue is fixed in version 70.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94 Improper Control of Generation of Code"}]}], "providerMetadata": {"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "shortName": "@huntr_ai", "dateUpdated": "2024-07-15T00:00:14.545Z"}}}, "cveMetadata": {"cveId": "CVE-2024-6345", "state": "PUBLISHED", "dateUpdated": "2024-08-01T21:33:05.517Z", "dateReserved": "2024-06-26T08:16:17.895Z", "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "datePublished": "2024-07-15T00:00:14.545Z", "assignerShortName": "@huntr_ai"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to code injection. If these functions are exposed to user-controlled inputs, such as package URLs, they can execute arbitrary commands on the system. The issue is fixed in version 70.0."}, {"lang": "es", "value": "Una vulnerabilidad en el m\u00f3dulo package_index de las versiones de pypa/setuptools hasta 69.1.1 permite la ejecuci\u00f3n remota de c\u00f3digo a trav\u00e9s de sus funciones de descarga. Estas funciones, que se utilizan para descargar paquetes desde URL proporcionadas por los usuarios o recuperadas de servidores de \u00edndice de paquetes, son susceptibles a la inyecci\u00f3n de c\u00f3digo. Si estas funciones est\u00e1n expuestas a entradas controladas por el usuario, como las URL de paquetes, pueden ejecutar comandos arbitrarios en el sistema. El problema se solucion\u00f3 en la versi\u00f3n 70.0."}], "id": "CVE-2024-6345", "lastModified": "2024-07-15T13:00:34.853", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security@huntr.dev", "type": "Secondary"}]}, "published": "2024-07-15T01:15:01.730", "references": [{"source": "security@huntr.dev", "url": "https://github.com/pypa/setuptools/commit/88807c7062788254f654ea8c03427adc859321f0"}, {"source": "security@huntr.dev", "url": "https://huntr.com/bounties/d6362117-ad57-4e83-951f-b8141c6e7ca5"}], "sourceIdentifier": "security@huntr.dev", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "security@huntr.dev", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2024:6661", "cpe": "cpe:/o:redhat:rhel_els:7", "package": "python3-setuptools-0:39.2.0-10.el7_9.1", "product_name": "Red Hat Enterprise Linux 7 Extended Lifecycle Support", "release_date": "2024-09-12T00:00:00Z"}, {"advisory": "RHSA-2024:6662", "cpe": "cpe:/o:redhat:rhel_els:7", "package": "python-setuptools-0:0.9.8-7.el7_9.1", "product_name": "Red Hat Enterprise Linux 7 Extended Lifecycle Support", "release_date": "2024-09-13T00:00:00Z"}, {"advisory": "RHSA-2024:5531", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "python3.12-setuptools-0:68.2.2-4.el8_10", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-08-19T00:00:00Z"}, {"advisory": "RHSA-2024:5532", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "python3.11-setuptools-0:65.5.1-3.el8_10", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-08-19T00:00:00Z"}, {"advisory": "RHSA-2024:5962", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "python39:3.9-8100020240826142629.d47b87a4", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-08-28T00:00:00Z"}, {"advisory": "RHSA-2024:5962", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "python39-devel:3.9-8100020240826142629.d47b87a4", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-08-28T00:00:00Z"}, {"advisory": "RHSA-2024:6309", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "fence-agents-0:4.2.1-129.el8_10.4", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-09-04T00:00:00Z"}, {"advisory": "RHSA-2024:6309", "cpe": "cpe:/a:redhat:enterprise_linux:8::highavailability", "package": "fence-agents-0:4.2.1-129.el8_10.4", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-09-04T00:00:00Z"}, {"advisory": "RHSA-2024:6311", "cpe": "cpe:/a:redhat:enterprise_linux:8::highavailability", "package": "resource-agents-0:4.9.0-54.el8_10.4", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-09-04T00:00:00Z"}, {"advisory": "RHSA-2024:6309", "cpe": "cpe:/a:redhat:enterprise_linux:8::resilientstorage", "package": "fence-agents-0:4.2.1-129.el8_10.4", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-09-04T00:00:00Z"}, {"advisory": "RHSA-2024:6311", "cpe": "cpe:/a:redhat:enterprise_linux:8::resilientstorage", "package": "resource-agents-0:4.9.0-54.el8_10.4", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-09-04T00:00:00Z"}, {"advisory": "RHSA-2024:5530", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "python-setuptools-0:39.2.0-8.el8_10", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-08-19T00:00:00Z"}, {"advisory": "RHSA-2024:6488", "cpe": "cpe:/a:redhat:rhel_aus:8.4", "package": "python39:3.9-8040020240801180427.63cd9eba", "product_name": "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support", "release_date": "2024-09-09T00:00:00Z"}, {"advisory": "RHSA-2024:5078", "cpe": "cpe:/o:redhat:rhel_aus:8.4", "package": "python-setuptools-0:39.2.0-6.el8_4.1", "product_name": "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support", "release_date": "2024-08-07T00:00:00Z"}, {"advisory": "RHSA-2024:6488", "cpe": "cpe:/a:redhat:rhel_tus:8.4", "package": "python39:3.9-8040020240801180427.63cd9eba", "product_name": "Red Hat Enterprise Linux 8.4 Telecommunications Update Service", "release_date": "2024-09-09T00:00:00Z"}, {"advisory": "RHSA-2024:5078", "cpe": "cpe:/o:redhat:rhel_tus:8.4", "package": "python-setuptools-0:39.2.0-6.el8_4.1", "product_name": "Red Hat Enterprise Linux 8.4 Telecommunications Update Service", "release_date": "2024-08-07T00:00:00Z"}, {"advisory": "RHSA-2024:6488", "cpe": "cpe:/a:redhat:rhel_e4s:8.4", "package": "python39:3.9-8040020240801180427.63cd9eba", "product_name": "Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions", "release_date": "2024-09-09T00:00:00Z"}, {"advisory": "RHSA-2024:5078", "cpe": "cpe:/o:redhat:rhel_e4s:8.4", "package": "python-setuptools-0:39.2.0-6.el8_4.1", "product_name": "Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions", "release_date": "2024-08-07T00:00:00Z"}, {"advisory": "RHSA-2024:6220", "cpe": "cpe:/a:redhat:rhel_aus:8.6", "package": "python39:3.9-8060020240801142753.6a631399", "product_name": "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support", "release_date": "2024-09-03T00:00:00Z"}, {"advisory": "RHSA-2024:5040", "cpe": "cpe:/o:redhat:rhel_aus:8.6", "package": "python-setuptools-0:39.2.0-7.el8_6.1", "product_name": "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support", "release_date": "2024-08-06T00:00:00Z"}, {"advisory": "RHSA-2024:6220", "cpe": "cpe:/a:redhat:rhel_tus:8.6", "package": "python39:3.9-8060020240801142753.6a631399", "product_name": "Red Hat Enterprise Linux 8.6 Telecommunications Update Service", "release_date": "2024-09-03T00:00:00Z"}, {"advisory": "RHSA-2024:5040", "cpe": "cpe:/o:redhat:rhel_tus:8.6", "package": "python-setuptools-0:39.2.0-7.el8_6.1", "product_name": "Red Hat Enterprise Linux 8.6 Telecommunications Update Service", "release_date": "2024-08-06T00:00:00Z"}, {"advisory": "RHSA-2024:6220", "cpe": "cpe:/a:redhat:rhel_e4s:8.6", "package": "python39:3.9-8060020240801142753.6a631399", "product_name": "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions", "release_date": "2024-09-03T00:00:00Z"}, {"advisory": "RHSA-2024:5040", "cpe": "cpe:/o:redhat:rhel_e4s:8.6", "package": "python-setuptools-0:39.2.0-7.el8_6.1", "product_name": "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions", "release_date": "2024-08-06T00:00:00Z"}, {"advisory": "RHSA-2024:5002", "cpe": "cpe:/a:redhat:rhel_eus:8.8", "package": "python3.11-setuptools-0:65.5.1-2.el8_8.1", "product_name": "Red Hat Enterprise Linux 8.8 Extended Update Support", "release_date": "2024-08-06T00:00:00Z"}, {"advisory": "RHSA-2024:5084", "cpe": "cpe:/a:redhat:rhel_eus:8.8", "package": "python39:3.9-8080020240731091048.93c2fc2f", "product_name": "Red Hat Enterprise Linux 8.8 Extended Update Support", "release_date": "2024-08-07T00:00:00Z"}, {"advisory": "RHSA-2024:5084", "cpe": "cpe:/a:redhat:rhel_eus:8.8", "package": "python39-devel:3.9-8080020240731091048.93c2fc2f", "product_name": "Red Hat Enterprise Linux 8.8 Extended Update Support", "release_date": "2024-08-07T00:00:00Z"}, {"advisory": "RHSA-2024:5000", "cpe": "cpe:/o:redhat:rhel_eus:8.8", "package": "python-setuptools-0:39.2.0-7.el8_8.1", "product_name": "Red Hat Enterprise Linux 8.8 Extended Update Support", "release_date": "2024-08-06T00:00:00Z"}, {"advisory": "RHSA-2024:5279", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "python3.11-setuptools-0:65.5.1-2.el9_4.1", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-08-15T00:00:00Z"}, {"advisory": "RHSA-2024:5533", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "python3.12-setuptools-0:68.2.2-3.el9_4.1", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-08-19T00:00:00Z"}, {"advisory": "RHSA-2024:6726", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "fence-agents-0:4.10.0-62.el9_4.5", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-09-17T00:00:00Z"}, {"advisory": "RHSA-2024:5534", "cpe": "cpe:/o:redhat:enterprise_linux:9", "package": "python-setuptools-0:53.0.0-12.el9_4.1", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-08-19T00:00:00Z"}, {"advisory": "RHSA-2024:6612", "cpe": "cpe:/a:redhat:rhel_e4s:9.0", "package": "fence-agents-0:4.10.0-20.el9_0.17", "product_name": "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions", "release_date": "2024-09-11T00:00:00Z"}, {"advisory": "RHSA-2024:5389", "cpe": "cpe:/o:redhat:rhel_e4s:9.0", "package": "python-setuptools-0:53.0.0-12.el9_0", "product_name": "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions", "release_date": "2024-08-14T00:00:00Z"}, {"advisory": "RHSA-2024:6312", "cpe": "cpe:/a:redhat:rhel_eus:9.2", "package": "python3.11-setuptools-0:65.5.1-2.el9_2.1", "product_name": "Red Hat Enterprise Linux 9.2 Extended Update Support", "release_date": "2024-09-04T00:00:00Z"}, {"advisory": "RHSA-2024:6611", "cpe": "cpe:/a:redhat:rhel_eus:9.2", "package": "fence-agents-0:4.10.0-43.el9_2.9", "product_name": "Red Hat Enterprise Linux 9.2 Extended Update Support", "release_date": "2024-09-11T00:00:00Z"}, {"advisory": "RHSA-2024:5137", "cpe": "cpe:/o:redhat:rhel_eus:9.2", "package": "python-setuptools-0:53.0.0-12.el9_2.1", "product_name": "Red Hat Enterprise Linux 9.2 Extended Update Support", "release_date": "2024-08-08T00:00:00Z"}, {"advisory": "RHSA-2024:6667", "cpe": "cpe:/a:redhat:openshift_devspaces:3::el8", "package": "devspaces/code-rhel8:3.16-20", "product_name": "Red Hat OpenShift Dev Spaces 3 Containers", "release_date": "2024-09-12T00:00:00Z"}, {"advisory": "RHSA-2024:6667", "cpe": "cpe:/a:redhat:openshift_devspaces:3::el8", "package": "devspaces/configbump-rhel8:3.16-4", "product_name": "Red Hat OpenShift Dev Spaces 3 Containers", "release_date": "2024-09-12T00:00:00Z"}, {"advisory": "RHSA-2024:6667", "cpe": "cpe:/a:redhat:openshift_devspaces:3::el8", "package": "devspaces/dashboard-rhel8:3.16-27", "product_name": "Red Hat OpenShift Dev Spaces 3 Containers", "release_date": "2024-09-12T00:00:00Z"}, {"advisory": "RHSA-2024:6667", "cpe": "cpe:/a:redhat:openshift_devspaces:3::el8", "package": "devspaces/devfileregistry-rhel8:3.16-67", "product_name": "Red Hat OpenShift Dev Spaces 3 Containers", "release_date": "2024-09-12T00:00:00Z"}, {"advisory": "RHSA-2024:6667", "cpe": "cpe:/a:redhat:openshift_devspaces:3::el8", "package": "devspaces/devspaces-operator-bundle:3.16-70", "product_name": "Red Hat OpenShift Dev Spaces 3 Containers", "release_date": "2024-09-12T00:00:00Z"}, {"advisory": "RHSA-2024:6667", "cpe": "cpe:/a:redhat:openshift_devspaces:3::el8", "package": "devspaces/devspaces-rhel8-operator:3.16-11", "product_name": "Red Hat OpenShift Dev Spaces 3 Containers", "release_date": "2024-09-12T00:00:00Z"}, {"advisory": "RHSA-2024:6667", "cpe": "cpe:/a:redhat:openshift_devspaces:3::el8", "package": "devspaces/idea-rhel8:3.16-3", "product_name": "Red Hat OpenShift Dev Spaces 3 Containers", "release_date": "2024-09-12T00:00:00Z"}, {"advisory": "RHSA-2024:6667", "cpe": "cpe:/a:redhat:openshift_devspaces:3::el8", "package": "devspaces/imagepuller-rhel8:3.16-3", "product_name": "Red Hat OpenShift Dev Spaces 3 Containers", "release_date": "2024-09-12T00:00:00Z"}, {"advisory": "RHSA-2024:6667", "cpe": "cpe:/a:redhat:openshift_devspaces:3::el8", "package": "devspaces/machineexec-rhel8:3.16-6", "product_name": "Red Hat OpenShift Dev Spaces 3 Containers", "release_date": "2024-09-12T00:00:00Z"}, {"advisory": "RHSA-2024:6667", "cpe": "cpe:/a:redhat:openshift_devspaces:3::el8", "package": "devspaces/pluginregistry-rhel8:3.16-16", "product_name": "Red Hat OpenShift Dev Spaces 3 Containers", "release_date": "2024-09-12T00:00:00Z"}, {"advisory": "RHSA-2024:6667", "cpe": "cpe:/a:redhat:openshift_devspaces:3::el8", "package": "devspaces/server-rhel8:3.16-14", "product_name": "Red Hat OpenShift Dev Spaces 3 Containers", "release_date": "2024-09-12T00:00:00Z"}, {"advisory": "RHSA-2024:6667", "cpe": "cpe:/a:redhat:openshift_devspaces:3::el8", "package": "devspaces/traefik-rhel8:3.16-2", "product_name": "Red Hat OpenShift Dev Spaces 3 Containers", "release_date": "2024-09-12T00:00:00Z"}, {"advisory": "RHSA-2024:6667", "cpe": "cpe:/a:redhat:openshift_devspaces:3::el8", "package": "devspaces/udi-rhel8:3.16-6", "product_name": "Red Hat OpenShift Dev Spaces 3 Containers", "release_date": "2024-09-12T00:00:00Z"}], "bugzilla": {"description": "pypa/setuptools: Remote code execution via download functions in the package_index module in pypa/setuptools", "id": "2297771", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2297771"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-94", "details": ["A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to code injection. If these functions are exposed to user-controlled inputs, such as package URLs, they can execute arbitrary commands on the system. The issue is fixed in version 70.0.", "A flaw was found in the package_index module of pypa/setuptools. Affected versions of this package allow remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to code injection. If these functions are exposed to user-controlled inputs, such as package URLs, they can execute arbitrary commands on the system."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-6345", "package_state": [{"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Not affected", "package_name": "openshift-logging/elasticsearch6-rhel8", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Not affected", "package_name": "openshift-logging/logging-curator5-rhel8", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Not affected", "package_name": "aap-cloud-metrics-collector-container", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Affected", "package_name": "ansible-automation-platform-24/ansible-builder-rhel8", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Affected", "package_name": "ansible-automation-platform-24/ee-cloud-services-rhel8", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Affected", "package_name": "ansible-automation-platform-24/ee-dellemc-openmanage-rhel8", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Affected", "package_name": "ansible-automation-platform-24/ee-minimal-rhel8", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Affected", "package_name": "ansible-automation-platform-24/ee-supported-rhel8", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Affected", "package_name": "ansible-automation-platform-24/platform-resource-runner-rhel8", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Not affected", "package_name": "ansible-lightspeed-container", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Not affected", "package_name": "ansible-navigator", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Affected", "package_name": "automation-controller", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ceph_storage:7", "fix_state": "Affected", "package_name": "rhceph/ceph-nvmeof-cli-rhel9", "product_name": "Red Hat Ceph Storage 7"}, {"cpe": "cpe:/a:redhat:ceph_storage:7", "fix_state": "Affected", "package_name": "rhceph/ceph-nvmeof-rhel9", "product_name": "Red Hat Ceph Storage 7"}, {"cpe": "cpe:/a:redhat:rhdh:1", "fix_state": "Affected", "package_name": "rhdh-hub-container", "product_name": "Red Hat Developer Hub"}, {"cpe": "cpe:/a:redhat:rhdh:1", "fix_state": "Not affected", "package_name": "rhdh-operator-container", "product_name": "Red Hat Developer Hub"}, {"cpe": "cpe:/a:redhat:discovery:1.0::el8", "fix_state": "Not affected", "package_name": "discovery-server-container", "product_name": "Red Hat Discovery"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "python-setuptools", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "gimp:flatpak/python2-setuptools", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Will not fix", "package_name": "python2-setuptools", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "python3.11-setuptools-rust", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "python3.12-setuptools-rust", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "python3x-setuptools", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "python-setuptools_scm", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "python3.11-setuptools-rust", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "python3.12-setuptools-rust", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "python-setuptools_scm", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "rhel9/bootc-image-builder", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "rhel9/rhel-bootc", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Not affected", "package_name": "odh-ml-pipelines-api-server-container", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Not affected", "package_name": "odh-ml-pipelines-artifact-manager-container", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "odh-ml-pipelines-cache-container", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Not affected", "package_name": "odh-ml-pipelines-persistenceagent-container", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "odh-ml-pipelines-scheduledworkflow-container", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "openshift4/cnf-tests-rhel8", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "openshift4/ztp-site-generate-rhel8", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "rhcos", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:assisted_installer:", "fix_state": "Affected", "package_name": "crt-nshift-appliance-tenant/appliance", "product_name": "Red Hat OpenShift Container Platform Assisted Installer"}, {"cpe": "cpe:/a:redhat:openshift_data_science", "fix_state": "Affected", "package_name": "rhods/odh-ml-pipelines-api-server-rhel8", "product_name": "Red Hat OpenShift Data Science (RHODS)"}, {"cpe": "cpe:/a:redhat:openshift_data_science", "fix_state": "Affected", "package_name": "rhods/odh-ml-pipelines-artifact-manager-rhel8", "product_name": "Red Hat OpenShift Data Science (RHODS)"}, {"cpe": "cpe:/a:redhat:openshift_data_science", "fix_state": "Affected", "package_name": "rhods/odh-ml-pipelines-cache-rhel8", "product_name": "Red Hat OpenShift Data Science (RHODS)"}, {"cpe": "cpe:/a:redhat:openshift_data_science", "fix_state": "Not affected", "package_name": "rhods/odh-ml-pipelines-persistenceagent-rhel8", "product_name": "Red Hat OpenShift Data Science (RHODS)"}, {"cpe": "cpe:/a:redhat:openshift_data_science", "fix_state": "Not affected", "package_name": "rhods/odh-ml-pipelines-scheduledworkflow-rhel8", "product_name": "Red Hat OpenShift Data Science (RHODS)"}, {"cpe": "cpe:/a:redhat:openstack:16.1", "fix_state": "Not affected", "package_name": "python-ImcSdk", "product_name": "Red Hat OpenStack Platform 16.1"}, {"cpe": "cpe:/a:redhat:openstack:16.2", "fix_state": "Not affected", "package_name": "python-ImcSdk", "product_name": "Red Hat OpenStack Platform 16.2"}, {"cpe": "cpe:/a:redhat:openstack:17.1", "fix_state": "Not affected", "package_name": "python-ImcSdk", "product_name": "Red Hat OpenStack Platform 17.1"}, {"cpe": "cpe:/a:redhat:quay:3", "fix_state": "Affected", "package_name": "quay/quay-rhel8", "product_name": "Red Hat Quay 3"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Not affected", "package_name": "python-setuptools-scm", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:service_telemetry_framework:1.5::el8", "fix_state": "Not affected", "package_name": "stf/prometheus-webhook-snmp", "product_name": "Service Telemetry Framework 1.5 for RHEL 8"}], "public_date": "2024-07-15T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-6345\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-6345\nhttps://github.com/pypa/setuptools/commit/88807c7062788254f654ea8c03427adc859321f0\nhttps://huntr.com/bounties/d6362117-ad57-4e83-951f-b8141c6e7ca5"], "statement": "Red Hat OpenStack does not include setuptools. The ImcSdk component uses it only during compile time in our build systems, and we do not support recompiling SRPMs. As a result, Red Hat OpenStack is not affected by this flaw.", "threat_severity": "Important"}