{"0.2":{"info":{"author":"The Open Planning Project","author_email":"python-virtualenv@groups.google.com","bugtrack_url":null,"classifiers":["Development Status :: 4 - Beta","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Topic :: Software Development :: Build Tools"],"description_content_type":null,"docs_url":null,"download_url":"UNKNOWN","downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"http://pip.openplans.org","keywords":"easy_install distutils setuptools egg virtualenv","license":"MIT","maintainer":null,"maintainer_email":null,"name":"pip","package_url":"https://pypi.org/project/pip/","platform":"UNKNOWN","project_url":"https://pypi.org/project/pip/","project_urls":{"Download":"UNKNOWN","Homepage":"http://pip.openplans.org"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/0.2/","requires_dist":null,"requires_python":null,"summary":"pip installs packages.  Python packages.  An easy_install replacement","version":"0.2","yanked":false,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"3d9d1e313763bdfb6a48977b65829c6ce2a43eaae29ea2f907c8bbef024a7219","md5":"9eda07c8be7105aa774c7eb51c023294","sha256":"88bb8d029e1bf4acd0e04d300104b7440086f94cc1ce1c5c3c31e3293aee1f81"},"downloads":-1,"filename":"pip-0.2.tar.gz","has_sig":false,"md5_digest":"9eda07c8be7105aa774c7eb51c023294","packagetype":"sdist","python_version":"source","requires_python":null,"size":38734,"upload_time":"2008-10-28T17:22:10","upload_time_iso_8601":"2008-10-28T17:22:10Z","url":"https://files.pythonhosted.org/packages/3d/9d/1e313763bdfb6a48977b65829c6ce2a43eaae29ea2f907c8bbef024a7219/pip-0.2.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[{"aliases":["CVE-2013-5123","GHSA-c5h8-cq4v-cvfm"],"details":"The mirroring support (-M, --use-mirrors) in Python Pip before 1.5 uses insecure DNS querying and authenticity checks which allows attackers to perform man-in-the-middle attacks.","fixed_in":["1.5"],"id":"PYSEC-2019-160","link":"https://osv.dev/vulnerability/PYSEC-2019-160","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2019-20916","GHSA-gpvv-69j7-gwj8"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py.","fixed_in":["19.2"],"id":"PYSEC-2020-173","link":"https://osv.dev/vulnerability/PYSEC-2020-173","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572","GHSA-5xp3-jfq3-5q8x"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"PYSEC-2021-437","link":"https://osv.dev/vulnerability/PYSEC-2021-437","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2013-1629","GHSA-g3p5-fjj9-h8gj"],"details":"pip before 1.3 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which allows man-in-the-middle attackers to execute arbitrary code via a crafted response to a \"pip install\" operation.","fixed_in":["1.3"],"id":"PYSEC-2013-8","link":"https://osv.dev/vulnerability/PYSEC-2013-8","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2013-1888","GHSA-4gv5-qhvr-36vv"],"details":"pip before 1.3 allows local users to overwrite arbitrary files via a symlink attack on a file in the /tmp/pip-build temporary directory.","fixed_in":["1.3"],"id":"PYSEC-2013-9","link":"https://osv.dev/vulnerability/PYSEC-2013-9","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2019-20916"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py. A fix was committed 6704f2ace.","fixed_in":["19.2"],"id":"GHSA-gpvv-69j7-gwj8","link":"https://osv.dev/vulnerability/GHSA-gpvv-69j7-gwj8","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"GHSA-5xp3-jfq3-5q8x","link":"https://osv.dev/vulnerability/GHSA-5xp3-jfq3-5q8x","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2013-1888"],"details":"pip before 1.3 allows local users to overwrite arbitrary files via a symlink attack on a file in the /tmp/pip-build temporary directory.","fixed_in":["1.3"],"id":"GHSA-4gv5-qhvr-36vv","link":"https://osv.dev/vulnerability/GHSA-4gv5-qhvr-36vv","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2013-1629"],"details":"pip before 1.3 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which allows man-in-the-middle attackers to execute arbitrary code via a crafted response to a \"pip install\" operation.","fixed_in":["1.3"],"id":"GHSA-g3p5-fjj9-h8gj","link":"https://osv.dev/vulnerability/GHSA-g3p5-fjj9-h8gj","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2013-5123"],"details":"The mirroring support (-M, --use-mirrors) in Python Pip before 1.5 uses insecure DNS querying and authenticity checks which allows attackers to perform man-in-the-middle attacks.","fixed_in":["1.5"],"id":"GHSA-c5h8-cq4v-cvfm","link":"https://osv.dev/vulnerability/GHSA-c5h8-cq4v-cvfm","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2014-8991"],"details":"pip 1.3 through 1.5.6 allows local users to cause a denial of service (prevention of package installation) by creating a `/tmp/pip-build-*` file for another user.","fixed_in":["6.0"],"id":"GHSA-53mr-44pp-crf4","link":"https://osv.dev/vulnerability/GHSA-53mr-44pp-crf4","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the `hg clone` call (e.g. `--config`). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.","fixed_in":["23.3"],"id":"GHSA-mq26-g339-26xf","link":"https://osv.dev/vulnerability/GHSA-mq26-g339-26xf","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL  (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n","fixed_in":["23.3"],"id":"PYSEC-2023-228","link":"https://osv.dev/vulnerability/PYSEC-2023-228","source":"osv","summary":null,"withdrawn":null}]},"0.2.1":{"info":{"author":"The Open Planning Project","author_email":"python-virtualenv@groups.google.com","bugtrack_url":null,"classifiers":["Development Status :: 4 - Beta","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Topic :: Software Development :: Build Tools"],"description_content_type":null,"docs_url":null,"download_url":"UNKNOWN","downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"http://pip.openplans.org","keywords":"easy_install distutils setuptools egg virtualenv","license":"MIT","maintainer":null,"maintainer_email":null,"name":"pip","package_url":"https://pypi.org/project/pip/","platform":"UNKNOWN","project_url":"https://pypi.org/project/pip/","project_urls":{"Download":"UNKNOWN","Homepage":"http://pip.openplans.org"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/0.2.1/","requires_dist":null,"requires_python":null,"summary":"pip installs packages.  Python packages.  An easy_install replacement","version":"0.2.1","yanked":false,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"18adc0fe6cdfe1643a19ef027c7168572dac6283b80a384ddf21b75b921877da","md5":"d2af655c1a87e03799442d045c1d6743","sha256":"83522005c1266cc2de97e65072ff7554ac0f30ad369c3b02ff3a764b962048da"},"downloads":-1,"filename":"pip-0.2.1.tar.gz","has_sig":false,"md5_digest":"d2af655c1a87e03799442d045c1d6743","packagetype":"sdist","python_version":"source","requires_python":null,"size":39802,"upload_time":"2008-11-17T18:17:56","upload_time_iso_8601":"2008-11-17T18:17:56Z","url":"https://files.pythonhosted.org/packages/18/ad/c0fe6cdfe1643a19ef027c7168572dac6283b80a384ddf21b75b921877da/pip-0.2.1.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[{"aliases":["CVE-2013-5123","GHSA-c5h8-cq4v-cvfm"],"details":"The mirroring support (-M, --use-mirrors) in Python Pip before 1.5 uses insecure DNS querying and authenticity checks which allows attackers to perform man-in-the-middle attacks.","fixed_in":["1.5"],"id":"PYSEC-2019-160","link":"https://osv.dev/vulnerability/PYSEC-2019-160","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2019-20916","GHSA-gpvv-69j7-gwj8"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py.","fixed_in":["19.2"],"id":"PYSEC-2020-173","link":"https://osv.dev/vulnerability/PYSEC-2020-173","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572","GHSA-5xp3-jfq3-5q8x"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"PYSEC-2021-437","link":"https://osv.dev/vulnerability/PYSEC-2021-437","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2013-1629","GHSA-g3p5-fjj9-h8gj"],"details":"pip before 1.3 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which allows man-in-the-middle attackers to execute arbitrary code via a crafted response to a \"pip install\" operation.","fixed_in":["1.3"],"id":"PYSEC-2013-8","link":"https://osv.dev/vulnerability/PYSEC-2013-8","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2013-1888","GHSA-4gv5-qhvr-36vv"],"details":"pip before 1.3 allows local users to overwrite arbitrary files via a symlink attack on a file in the /tmp/pip-build temporary directory.","fixed_in":["1.3"],"id":"PYSEC-2013-9","link":"https://osv.dev/vulnerability/PYSEC-2013-9","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2019-20916"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py. A fix was committed 6704f2ace.","fixed_in":["19.2"],"id":"GHSA-gpvv-69j7-gwj8","link":"https://osv.dev/vulnerability/GHSA-gpvv-69j7-gwj8","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"GHSA-5xp3-jfq3-5q8x","link":"https://osv.dev/vulnerability/GHSA-5xp3-jfq3-5q8x","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2013-1888"],"details":"pip before 1.3 allows local users to overwrite arbitrary files via a symlink attack on a file in the /tmp/pip-build temporary directory.","fixed_in":["1.3"],"id":"GHSA-4gv5-qhvr-36vv","link":"https://osv.dev/vulnerability/GHSA-4gv5-qhvr-36vv","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2013-1629"],"details":"pip before 1.3 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which allows man-in-the-middle attackers to execute arbitrary code via a crafted response to a \"pip install\" operation.","fixed_in":["1.3"],"id":"GHSA-g3p5-fjj9-h8gj","link":"https://osv.dev/vulnerability/GHSA-g3p5-fjj9-h8gj","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2013-5123"],"details":"The mirroring support (-M, --use-mirrors) in Python Pip before 1.5 uses insecure DNS querying and authenticity checks which allows attackers to perform man-in-the-middle attacks.","fixed_in":["1.5"],"id":"GHSA-c5h8-cq4v-cvfm","link":"https://osv.dev/vulnerability/GHSA-c5h8-cq4v-cvfm","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2014-8991"],"details":"pip 1.3 through 1.5.6 allows local users to cause a denial of service (prevention of package installation) by creating a `/tmp/pip-build-*` file for another user.","fixed_in":["6.0"],"id":"GHSA-53mr-44pp-crf4","link":"https://osv.dev/vulnerability/GHSA-53mr-44pp-crf4","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the `hg clone` call (e.g. `--config`). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.","fixed_in":["23.3"],"id":"GHSA-mq26-g339-26xf","link":"https://osv.dev/vulnerability/GHSA-mq26-g339-26xf","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL  (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n","fixed_in":["23.3"],"id":"PYSEC-2023-228","link":"https://osv.dev/vulnerability/PYSEC-2023-228","source":"osv","summary":null,"withdrawn":null}]},"0.3":{"info":{"author":"The Open Planning Project","author_email":"python-virtualenv@groups.google.com","bugtrack_url":null,"classifiers":["Development Status :: 4 - Beta","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Topic :: Software Development :: Build Tools"],"description_content_type":null,"docs_url":null,"download_url":"UNKNOWN","downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"http://pip.openplans.org","keywords":"easy_install distutils setuptools egg virtualenv","license":"MIT","maintainer":null,"maintainer_email":null,"name":"pip","package_url":"https://pypi.org/project/pip/","platform":"UNKNOWN","project_url":"https://pypi.org/project/pip/","project_urls":{"Download":"UNKNOWN","Homepage":"http://pip.openplans.org"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/0.3/","requires_dist":null,"requires_python":null,"summary":"pip installs packages.  Python packages.  An easy_install replacement","version":"0.3","yanked":false,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"1705f66144ef69b436d07f8eeeb28b7f77137f80de4bf60349ec6f0f9509e801","md5":"8fccb5b49c6377cbfb1949ccd7be43b3","sha256":"183c72455cb7f8860ac1376f8c4f14d7f545aeab8ee7c22cd4caf79f35a2ed47"},"downloads":-1,"filename":"pip-0.3.tar.gz","has_sig":false,"md5_digest":"8fccb5b49c6377cbfb1949ccd7be43b3","packagetype":"sdist","python_version":"source","requires_python":null,"size":47710,"upload_time":"2009-01-21T04:46:30","upload_time_iso_8601":"2009-01-21T04:46:30Z","url":"https://files.pythonhosted.org/packages/17/05/f66144ef69b436d07f8eeeb28b7f77137f80de4bf60349ec6f0f9509e801/pip-0.3.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[{"aliases":["CVE-2013-5123","GHSA-c5h8-cq4v-cvfm"],"details":"The mirroring support (-M, --use-mirrors) in Python Pip before 1.5 uses insecure DNS querying and authenticity checks which allows attackers to perform man-in-the-middle attacks.","fixed_in":["1.5"],"id":"PYSEC-2019-160","link":"https://osv.dev/vulnerability/PYSEC-2019-160","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2019-20916","GHSA-gpvv-69j7-gwj8"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py.","fixed_in":["19.2"],"id":"PYSEC-2020-173","link":"https://osv.dev/vulnerability/PYSEC-2020-173","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572","GHSA-5xp3-jfq3-5q8x"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"PYSEC-2021-437","link":"https://osv.dev/vulnerability/PYSEC-2021-437","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2013-1629","GHSA-g3p5-fjj9-h8gj"],"details":"pip before 1.3 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which allows man-in-the-middle attackers to execute arbitrary code via a crafted response to a \"pip install\" operation.","fixed_in":["1.3"],"id":"PYSEC-2013-8","link":"https://osv.dev/vulnerability/PYSEC-2013-8","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2013-1888","GHSA-4gv5-qhvr-36vv"],"details":"pip before 1.3 allows local users to overwrite arbitrary files via a symlink attack on a file in the /tmp/pip-build temporary directory.","fixed_in":["1.3"],"id":"PYSEC-2013-9","link":"https://osv.dev/vulnerability/PYSEC-2013-9","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2019-20916"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py. A fix was committed 6704f2ace.","fixed_in":["19.2"],"id":"GHSA-gpvv-69j7-gwj8","link":"https://osv.dev/vulnerability/GHSA-gpvv-69j7-gwj8","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"GHSA-5xp3-jfq3-5q8x","link":"https://osv.dev/vulnerability/GHSA-5xp3-jfq3-5q8x","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2013-1888"],"details":"pip before 1.3 allows local users to overwrite arbitrary files via a symlink attack on a file in the /tmp/pip-build temporary directory.","fixed_in":["1.3"],"id":"GHSA-4gv5-qhvr-36vv","link":"https://osv.dev/vulnerability/GHSA-4gv5-qhvr-36vv","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2013-1629"],"details":"pip before 1.3 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which allows man-in-the-middle attackers to execute arbitrary code via a crafted response to a \"pip install\" operation.","fixed_in":["1.3"],"id":"GHSA-g3p5-fjj9-h8gj","link":"https://osv.dev/vulnerability/GHSA-g3p5-fjj9-h8gj","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2013-5123"],"details":"The mirroring support (-M, --use-mirrors) in Python Pip before 1.5 uses insecure DNS querying and authenticity checks which allows attackers to perform man-in-the-middle attacks.","fixed_in":["1.5"],"id":"GHSA-c5h8-cq4v-cvfm","link":"https://osv.dev/vulnerability/GHSA-c5h8-cq4v-cvfm","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2014-8991"],"details":"pip 1.3 through 1.5.6 allows local users to cause a denial of service (prevention of package installation) by creating a `/tmp/pip-build-*` file for another user.","fixed_in":["6.0"],"id":"GHSA-53mr-44pp-crf4","link":"https://osv.dev/vulnerability/GHSA-53mr-44pp-crf4","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the `hg clone` call (e.g. `--config`). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.","fixed_in":["23.3"],"id":"GHSA-mq26-g339-26xf","link":"https://osv.dev/vulnerability/GHSA-mq26-g339-26xf","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL  (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n","fixed_in":["23.3"],"id":"PYSEC-2023-228","link":"https://osv.dev/vulnerability/PYSEC-2023-228","source":"osv","summary":null,"withdrawn":null}]},"0.3.1":{"info":{"author":"The Open Planning Project","author_email":"python-virtualenv@groups.google.com","bugtrack_url":null,"classifiers":["Development Status :: 4 - Beta","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Topic :: Software Development :: Build Tools"],"description_content_type":null,"docs_url":null,"download_url":"UNKNOWN","downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"http://pip.openplans.org","keywords":"easy_install distutils setuptools egg virtualenv","license":"MIT","maintainer":"","maintainer_email":"","name":"pip","package_url":"https://pypi.org/project/pip/","platform":"UNKNOWN","project_url":"https://pypi.org/project/pip/","project_urls":{"Download":"UNKNOWN","Homepage":"http://pip.openplans.org"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/0.3.1/","requires_dist":null,"requires_python":null,"summary":"pip installs packages.  Python packages.  An easy_install replacement","version":"0.3.1","yanked":false,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"0abbd087c9a1415f8726e683791c0b2943c53f2b76e69f527f2e2b2e9f9e7b5c","md5":"78102ddbb040a183dd361b5d432cdf88","sha256":"34ce534f17065c78f980702928e988a6b6b2d8a9851aae5f1571a1feb9bb58d8"},"downloads":-1,"filename":"pip-0.3.1.tar.gz","has_sig":false,"md5_digest":"78102ddbb040a183dd361b5d432cdf88","packagetype":"sdist","python_version":"source","requires_python":null,"size":48486,"upload_time":"2009-01-29T18:19:54","upload_time_iso_8601":"2009-01-29T18:19:54Z","url":"https://files.pythonhosted.org/packages/0a/bb/d087c9a1415f8726e683791c0b2943c53f2b76e69f527f2e2b2e9f9e7b5c/pip-0.3.1.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[{"aliases":["CVE-2013-5123","GHSA-c5h8-cq4v-cvfm"],"details":"The mirroring support (-M, --use-mirrors) in Python Pip before 1.5 uses insecure DNS querying and authenticity checks which allows attackers to perform man-in-the-middle attacks.","fixed_in":["1.5"],"id":"PYSEC-2019-160","link":"https://osv.dev/vulnerability/PYSEC-2019-160","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2019-20916","GHSA-gpvv-69j7-gwj8"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py.","fixed_in":["19.2"],"id":"PYSEC-2020-173","link":"https://osv.dev/vulnerability/PYSEC-2020-173","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572","GHSA-5xp3-jfq3-5q8x"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"PYSEC-2021-437","link":"https://osv.dev/vulnerability/PYSEC-2021-437","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2013-1629","GHSA-g3p5-fjj9-h8gj"],"details":"pip before 1.3 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which allows man-in-the-middle attackers to execute arbitrary code via a crafted response to a \"pip install\" operation.","fixed_in":["1.3"],"id":"PYSEC-2013-8","link":"https://osv.dev/vulnerability/PYSEC-2013-8","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2013-1888","GHSA-4gv5-qhvr-36vv"],"details":"pip before 1.3 allows local users to overwrite arbitrary files via a symlink attack on a file in the /tmp/pip-build temporary directory.","fixed_in":["1.3"],"id":"PYSEC-2013-9","link":"https://osv.dev/vulnerability/PYSEC-2013-9","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2019-20916"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py. A fix was committed 6704f2ace.","fixed_in":["19.2"],"id":"GHSA-gpvv-69j7-gwj8","link":"https://osv.dev/vulnerability/GHSA-gpvv-69j7-gwj8","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"GHSA-5xp3-jfq3-5q8x","link":"https://osv.dev/vulnerability/GHSA-5xp3-jfq3-5q8x","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2013-1888"],"details":"pip before 1.3 allows local users to overwrite arbitrary files via a symlink attack on a file in the /tmp/pip-build temporary directory.","fixed_in":["1.3"],"id":"GHSA-4gv5-qhvr-36vv","link":"https://osv.dev/vulnerability/GHSA-4gv5-qhvr-36vv","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2013-1629"],"details":"pip before 1.3 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which allows man-in-the-middle attackers to execute arbitrary code via a crafted response to a \"pip install\" operation.","fixed_in":["1.3"],"id":"GHSA-g3p5-fjj9-h8gj","link":"https://osv.dev/vulnerability/GHSA-g3p5-fjj9-h8gj","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2013-5123"],"details":"The mirroring support (-M, --use-mirrors) in Python Pip before 1.5 uses insecure DNS querying and authenticity checks which allows attackers to perform man-in-the-middle attacks.","fixed_in":["1.5"],"id":"GHSA-c5h8-cq4v-cvfm","link":"https://osv.dev/vulnerability/GHSA-c5h8-cq4v-cvfm","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2014-8991"],"details":"pip 1.3 through 1.5.6 allows local users to cause a denial of service (prevention of package installation) by creating a `/tmp/pip-build-*` file for another user.","fixed_in":["6.0"],"id":"GHSA-53mr-44pp-crf4","link":"https://osv.dev/vulnerability/GHSA-53mr-44pp-crf4","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the `hg clone` call (e.g. `--config`). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.","fixed_in":["23.3"],"id":"GHSA-mq26-g339-26xf","link":"https://osv.dev/vulnerability/GHSA-mq26-g339-26xf","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL  (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n","fixed_in":["23.3"],"id":"PYSEC-2023-228","link":"https://osv.dev/vulnerability/PYSEC-2023-228","source":"osv","summary":null,"withdrawn":null}]},"0.4":{"info":{"author":"The Open Planning Project","author_email":"python-virtualenv@groups.google.com","bugtrack_url":null,"classifiers":["Development Status :: 4 - Beta","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Topic :: Software Development :: Build Tools"],"description_content_type":null,"docs_url":null,"download_url":"UNKNOWN","downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"http://pip.openplans.org","keywords":"easy_install distutils setuptools egg virtualenv","license":"MIT","maintainer":"","maintainer_email":"","name":"pip","package_url":"https://pypi.org/project/pip/","platform":"UNKNOWN","project_url":"https://pypi.org/project/pip/","project_urls":{"Download":"UNKNOWN","Homepage":"http://pip.openplans.org"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/0.4/","requires_dist":null,"requires_python":null,"summary":"pip installs packages.  Python packages.  An easy_install replacement","version":"0.4","yanked":false,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"cfc3153571aaac6cf999f4bb09c019b1ff379b7b599ea833813a41c784eec995","md5":"b45714d04f8fd38fe8e3d4c7600b91a2","sha256":"28fc67558874f71fddda7168f73595f1650523dce3bc5bf189713ecdfc1e456e"},"downloads":-1,"filename":"pip-0.4.tar.gz","has_sig":false,"md5_digest":"b45714d04f8fd38fe8e3d4c7600b91a2","packagetype":"sdist","python_version":"source","requires_python":null,"size":50238,"upload_time":"2009-05-27T19:46:54","upload_time_iso_8601":"2009-05-27T19:46:54.467565Z","url":"https://files.pythonhosted.org/packages/cf/c3/153571aaac6cf999f4bb09c019b1ff379b7b599ea833813a41c784eec995/pip-0.4.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[{"aliases":["CVE-2013-5123","GHSA-c5h8-cq4v-cvfm"],"details":"The mirroring support (-M, --use-mirrors) in Python Pip before 1.5 uses insecure DNS querying and authenticity checks which allows attackers to perform man-in-the-middle attacks.","fixed_in":["1.5"],"id":"PYSEC-2019-160","link":"https://osv.dev/vulnerability/PYSEC-2019-160","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2019-20916","GHSA-gpvv-69j7-gwj8"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py.","fixed_in":["19.2"],"id":"PYSEC-2020-173","link":"https://osv.dev/vulnerability/PYSEC-2020-173","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572","GHSA-5xp3-jfq3-5q8x"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"PYSEC-2021-437","link":"https://osv.dev/vulnerability/PYSEC-2021-437","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2013-1629","GHSA-g3p5-fjj9-h8gj"],"details":"pip before 1.3 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which allows man-in-the-middle attackers to execute arbitrary code via a crafted response to a \"pip install\" operation.","fixed_in":["1.3"],"id":"PYSEC-2013-8","link":"https://osv.dev/vulnerability/PYSEC-2013-8","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2013-1888","GHSA-4gv5-qhvr-36vv"],"details":"pip before 1.3 allows local users to overwrite arbitrary files via a symlink attack on a file in the /tmp/pip-build temporary directory.","fixed_in":["1.3"],"id":"PYSEC-2013-9","link":"https://osv.dev/vulnerability/PYSEC-2013-9","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2019-20916"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py. A fix was committed 6704f2ace.","fixed_in":["19.2"],"id":"GHSA-gpvv-69j7-gwj8","link":"https://osv.dev/vulnerability/GHSA-gpvv-69j7-gwj8","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"GHSA-5xp3-jfq3-5q8x","link":"https://osv.dev/vulnerability/GHSA-5xp3-jfq3-5q8x","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2013-1888"],"details":"pip before 1.3 allows local users to overwrite arbitrary files via a symlink attack on a file in the /tmp/pip-build temporary directory.","fixed_in":["1.3"],"id":"GHSA-4gv5-qhvr-36vv","link":"https://osv.dev/vulnerability/GHSA-4gv5-qhvr-36vv","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2013-1629"],"details":"pip before 1.3 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which allows man-in-the-middle attackers to execute arbitrary code via a crafted response to a \"pip install\" operation.","fixed_in":["1.3"],"id":"GHSA-g3p5-fjj9-h8gj","link":"https://osv.dev/vulnerability/GHSA-g3p5-fjj9-h8gj","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2013-5123"],"details":"The mirroring support (-M, --use-mirrors) in Python Pip before 1.5 uses insecure DNS querying and authenticity checks which allows attackers to perform man-in-the-middle attacks.","fixed_in":["1.5"],"id":"GHSA-c5h8-cq4v-cvfm","link":"https://osv.dev/vulnerability/GHSA-c5h8-cq4v-cvfm","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2014-8991"],"details":"pip 1.3 through 1.5.6 allows local users to cause a denial of service (prevention of package installation) by creating a `/tmp/pip-build-*` file for another user.","fixed_in":["6.0"],"id":"GHSA-53mr-44pp-crf4","link":"https://osv.dev/vulnerability/GHSA-53mr-44pp-crf4","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the `hg clone` call (e.g. `--config`). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.","fixed_in":["23.3"],"id":"GHSA-mq26-g339-26xf","link":"https://osv.dev/vulnerability/GHSA-mq26-g339-26xf","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL  (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n","fixed_in":["23.3"],"id":"PYSEC-2023-228","link":"https://osv.dev/vulnerability/PYSEC-2023-228","source":"osv","summary":null,"withdrawn":null}]},"0.5":{"info":{"author":"The Open Planning Project","author_email":"python-virtualenv@groups.google.com","bugtrack_url":null,"classifiers":["Development Status :: 4 - Beta","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Topic :: Software Development :: Build Tools"],"description_content_type":null,"docs_url":null,"download_url":"UNKNOWN","downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"http://pip.openplans.org","keywords":"easy_install distutils setuptools egg virtualenv","license":"MIT","maintainer":"","maintainer_email":"","name":"pip","package_url":"https://pypi.org/project/pip/","platform":"UNKNOWN","project_url":"https://pypi.org/project/pip/","project_urls":{"Download":"UNKNOWN","Homepage":"http://pip.openplans.org"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/0.5/","requires_dist":null,"requires_python":null,"summary":"pip installs packages.  Python packages.  An easy_install replacement","version":"0.5","yanked":false,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"8dc7f05c87812fa5d9562ecbc5f4f1fc1570444f53c81c834a7f662af406e3c1","md5":"63eed8673e40628534cc0aa9c98e8f3d","sha256":"328d8412782f22568508a0d0c78a49c9920a82e44c8dfca49954fe525c152b2a"},"downloads":-1,"filename":"pip-0.5.tar.gz","has_sig":false,"md5_digest":"63eed8673e40628534cc0aa9c98e8f3d","packagetype":"sdist","python_version":"source","requires_python":null,"size":53939,"upload_time":"2009-10-07T22:26:01","upload_time_iso_8601":"2009-10-07T22:26:01.995336Z","url":"https://files.pythonhosted.org/packages/8d/c7/f05c87812fa5d9562ecbc5f4f1fc1570444f53c81c834a7f662af406e3c1/pip-0.5.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[{"aliases":["CVE-2013-5123","GHSA-c5h8-cq4v-cvfm"],"details":"The mirroring support (-M, --use-mirrors) in Python Pip before 1.5 uses insecure DNS querying and authenticity checks which allows attackers to perform man-in-the-middle attacks.","fixed_in":["1.5"],"id":"PYSEC-2019-160","link":"https://osv.dev/vulnerability/PYSEC-2019-160","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2019-20916","GHSA-gpvv-69j7-gwj8"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py.","fixed_in":["19.2"],"id":"PYSEC-2020-173","link":"https://osv.dev/vulnerability/PYSEC-2020-173","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572","GHSA-5xp3-jfq3-5q8x"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"PYSEC-2021-437","link":"https://osv.dev/vulnerability/PYSEC-2021-437","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2013-1629","GHSA-g3p5-fjj9-h8gj"],"details":"pip before 1.3 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which allows man-in-the-middle attackers to execute arbitrary code via a crafted response to a \"pip install\" operation.","fixed_in":["1.3"],"id":"PYSEC-2013-8","link":"https://osv.dev/vulnerability/PYSEC-2013-8","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2013-1888","GHSA-4gv5-qhvr-36vv"],"details":"pip before 1.3 allows local users to overwrite arbitrary files via a symlink attack on a file in the /tmp/pip-build temporary directory.","fixed_in":["1.3"],"id":"PYSEC-2013-9","link":"https://osv.dev/vulnerability/PYSEC-2013-9","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2019-20916"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py. A fix was committed 6704f2ace.","fixed_in":["19.2"],"id":"GHSA-gpvv-69j7-gwj8","link":"https://osv.dev/vulnerability/GHSA-gpvv-69j7-gwj8","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"GHSA-5xp3-jfq3-5q8x","link":"https://osv.dev/vulnerability/GHSA-5xp3-jfq3-5q8x","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2013-1888"],"details":"pip before 1.3 allows local users to overwrite arbitrary files via a symlink attack on a file in the /tmp/pip-build temporary directory.","fixed_in":["1.3"],"id":"GHSA-4gv5-qhvr-36vv","link":"https://osv.dev/vulnerability/GHSA-4gv5-qhvr-36vv","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2013-1629"],"details":"pip before 1.3 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which allows man-in-the-middle attackers to execute arbitrary code via a crafted response to a \"pip install\" operation.","fixed_in":["1.3"],"id":"GHSA-g3p5-fjj9-h8gj","link":"https://osv.dev/vulnerability/GHSA-g3p5-fjj9-h8gj","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2013-5123"],"details":"The mirroring support (-M, --use-mirrors) in Python Pip before 1.5 uses insecure DNS querying and authenticity checks which allows attackers to perform man-in-the-middle attacks.","fixed_in":["1.5"],"id":"GHSA-c5h8-cq4v-cvfm","link":"https://osv.dev/vulnerability/GHSA-c5h8-cq4v-cvfm","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2014-8991"],"details":"pip 1.3 through 1.5.6 allows local users to cause a denial of service (prevention of package installation) by creating a `/tmp/pip-build-*` file for another user.","fixed_in":["6.0"],"id":"GHSA-53mr-44pp-crf4","link":"https://osv.dev/vulnerability/GHSA-53mr-44pp-crf4","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the `hg clone` call (e.g. `--config`). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.","fixed_in":["23.3"],"id":"GHSA-mq26-g339-26xf","link":"https://osv.dev/vulnerability/GHSA-mq26-g339-26xf","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL  (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n","fixed_in":["23.3"],"id":"PYSEC-2023-228","link":"https://osv.dev/vulnerability/PYSEC-2023-228","source":"osv","summary":null,"withdrawn":null}]},"0.5.1":{"info":{"author":"The Open Planning Project","author_email":"python-virtualenv@groups.google.com","bugtrack_url":null,"classifiers":["Development Status :: 4 - Beta","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Topic :: Software Development :: Build Tools"],"description_content_type":null,"docs_url":null,"download_url":"UNKNOWN","downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"http://pip.openplans.org","keywords":"easy_install distutils setuptools egg virtualenv","license":"MIT","maintainer":"","maintainer_email":"","name":"pip","package_url":"https://pypi.org/project/pip/","platform":"UNKNOWN","project_url":"https://pypi.org/project/pip/","project_urls":{"Download":"UNKNOWN","Homepage":"http://pip.openplans.org"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/0.5.1/","requires_dist":null,"requires_python":null,"summary":"pip installs packages.  Python packages.  An easy_install replacement","version":"0.5.1","yanked":false,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"9aaaf536b6d14fe03343367da2ff44eee28f340ae650cd017ca088b6be13084a","md5":"d4bdaa5f5f5bf8c6263ace75a0882232","sha256":"e27650538c41fe1007a41abd4cfd0f905b822622cbe1f8e7e09d1215af207694"},"downloads":-1,"filename":"pip-0.5.1.tar.gz","has_sig":false,"md5_digest":"d4bdaa5f5f5bf8c6263ace75a0882232","packagetype":"sdist","python_version":"source","requires_python":null,"size":54633,"upload_time":"2009-10-08T23:14:32","upload_time_iso_8601":"2009-10-08T23:14:32.632843Z","url":"https://files.pythonhosted.org/packages/9a/aa/f536b6d14fe03343367da2ff44eee28f340ae650cd017ca088b6be13084a/pip-0.5.1.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[{"aliases":["CVE-2013-5123","GHSA-c5h8-cq4v-cvfm"],"details":"The mirroring support (-M, --use-mirrors) in Python Pip before 1.5 uses insecure DNS querying and authenticity checks which allows attackers to perform man-in-the-middle attacks.","fixed_in":["1.5"],"id":"PYSEC-2019-160","link":"https://osv.dev/vulnerability/PYSEC-2019-160","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2019-20916","GHSA-gpvv-69j7-gwj8"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py.","fixed_in":["19.2"],"id":"PYSEC-2020-173","link":"https://osv.dev/vulnerability/PYSEC-2020-173","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572","GHSA-5xp3-jfq3-5q8x"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"PYSEC-2021-437","link":"https://osv.dev/vulnerability/PYSEC-2021-437","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2013-1629","GHSA-g3p5-fjj9-h8gj"],"details":"pip before 1.3 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which allows man-in-the-middle attackers to execute arbitrary code via a crafted response to a \"pip install\" operation.","fixed_in":["1.3"],"id":"PYSEC-2013-8","link":"https://osv.dev/vulnerability/PYSEC-2013-8","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2013-1888","GHSA-4gv5-qhvr-36vv"],"details":"pip before 1.3 allows local users to overwrite arbitrary files via a symlink attack on a file in the /tmp/pip-build temporary directory.","fixed_in":["1.3"],"id":"PYSEC-2013-9","link":"https://osv.dev/vulnerability/PYSEC-2013-9","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2019-20916"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py. A fix was committed 6704f2ace.","fixed_in":["19.2"],"id":"GHSA-gpvv-69j7-gwj8","link":"https://osv.dev/vulnerability/GHSA-gpvv-69j7-gwj8","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"GHSA-5xp3-jfq3-5q8x","link":"https://osv.dev/vulnerability/GHSA-5xp3-jfq3-5q8x","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2013-1888"],"details":"pip before 1.3 allows local users to overwrite arbitrary files via a symlink attack on a file in the /tmp/pip-build temporary directory.","fixed_in":["1.3"],"id":"GHSA-4gv5-qhvr-36vv","link":"https://osv.dev/vulnerability/GHSA-4gv5-qhvr-36vv","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2013-1629"],"details":"pip before 1.3 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which allows man-in-the-middle attackers to execute arbitrary code via a crafted response to a \"pip install\" operation.","fixed_in":["1.3"],"id":"GHSA-g3p5-fjj9-h8gj","link":"https://osv.dev/vulnerability/GHSA-g3p5-fjj9-h8gj","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2013-5123"],"details":"The mirroring support (-M, --use-mirrors) in Python Pip before 1.5 uses insecure DNS querying and authenticity checks which allows attackers to perform man-in-the-middle attacks.","fixed_in":["1.5"],"id":"GHSA-c5h8-cq4v-cvfm","link":"https://osv.dev/vulnerability/GHSA-c5h8-cq4v-cvfm","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2014-8991"],"details":"pip 1.3 through 1.5.6 allows local users to cause a denial of service (prevention of package installation) by creating a `/tmp/pip-build-*` file for another user.","fixed_in":["6.0"],"id":"GHSA-53mr-44pp-crf4","link":"https://osv.dev/vulnerability/GHSA-53mr-44pp-crf4","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the `hg clone` call (e.g. `--config`). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.","fixed_in":["23.3"],"id":"GHSA-mq26-g339-26xf","link":"https://osv.dev/vulnerability/GHSA-mq26-g339-26xf","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL  (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n","fixed_in":["23.3"],"id":"PYSEC-2023-228","link":"https://osv.dev/vulnerability/PYSEC-2023-228","source":"osv","summary":null,"withdrawn":null}]},"0.6":{"info":{"author":"The Open Planning Project","author_email":"python-virtualenv@groups.google.com","bugtrack_url":null,"classifiers":["Development Status :: 4 - Beta","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Topic :: Software Development :: Build Tools"],"description_content_type":null,"docs_url":null,"download_url":"UNKNOWN","downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"http://pip.openplans.org","keywords":"easy_install distutils setuptools egg virtualenv","license":"MIT","maintainer":"","maintainer_email":"","name":"pip","package_url":"https://pypi.org/project/pip/","platform":"UNKNOWN","project_url":"https://pypi.org/project/pip/","project_urls":{"Download":"UNKNOWN","Homepage":"http://pip.openplans.org"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/0.6/","requires_dist":null,"requires_python":null,"summary":"pip installs packages.  Python packages.  An easy_install replacement","version":"0.6","yanked":false,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"dbe6fdf7be8a17b032c533d3f91e91e2c63dd81d3627cbe4113248a00c2d39d8","md5":"083ff408ca5314cf0561ff79a048cd9a","sha256":"4cf47db6815b2f435d1f44e1f35ff04823043f6161f7df9aec71a123b0c47f0d"},"downloads":-1,"filename":"pip-0.6.tar.gz","has_sig":false,"md5_digest":"083ff408ca5314cf0561ff79a048cd9a","packagetype":"sdist","python_version":"source","requires_python":null,"size":64109,"upload_time":"2009-11-10T16:25:40","upload_time_iso_8601":"2009-11-10T16:25:40.840877Z","url":"https://files.pythonhosted.org/packages/db/e6/fdf7be8a17b032c533d3f91e91e2c63dd81d3627cbe4113248a00c2d39d8/pip-0.6.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[{"aliases":["CVE-2013-5123","GHSA-c5h8-cq4v-cvfm"],"details":"The mirroring support (-M, --use-mirrors) in Python Pip before 1.5 uses insecure DNS querying and authenticity checks which allows attackers to perform man-in-the-middle attacks.","fixed_in":["1.5"],"id":"PYSEC-2019-160","link":"https://osv.dev/vulnerability/PYSEC-2019-160","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2019-20916","GHSA-gpvv-69j7-gwj8"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py.","fixed_in":["19.2"],"id":"PYSEC-2020-173","link":"https://osv.dev/vulnerability/PYSEC-2020-173","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572","GHSA-5xp3-jfq3-5q8x"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"PYSEC-2021-437","link":"https://osv.dev/vulnerability/PYSEC-2021-437","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2013-1629","GHSA-g3p5-fjj9-h8gj"],"details":"pip before 1.3 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which allows man-in-the-middle attackers to execute arbitrary code via a crafted response to a \"pip install\" operation.","fixed_in":["1.3"],"id":"PYSEC-2013-8","link":"https://osv.dev/vulnerability/PYSEC-2013-8","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2013-1888","GHSA-4gv5-qhvr-36vv"],"details":"pip before 1.3 allows local users to overwrite arbitrary files via a symlink attack on a file in the /tmp/pip-build temporary directory.","fixed_in":["1.3"],"id":"PYSEC-2013-9","link":"https://osv.dev/vulnerability/PYSEC-2013-9","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2019-20916"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py. A fix was committed 6704f2ace.","fixed_in":["19.2"],"id":"GHSA-gpvv-69j7-gwj8","link":"https://osv.dev/vulnerability/GHSA-gpvv-69j7-gwj8","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"GHSA-5xp3-jfq3-5q8x","link":"https://osv.dev/vulnerability/GHSA-5xp3-jfq3-5q8x","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2013-1888"],"details":"pip before 1.3 allows local users to overwrite arbitrary files via a symlink attack on a file in the /tmp/pip-build temporary directory.","fixed_in":["1.3"],"id":"GHSA-4gv5-qhvr-36vv","link":"https://osv.dev/vulnerability/GHSA-4gv5-qhvr-36vv","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2013-1629"],"details":"pip before 1.3 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which allows man-in-the-middle attackers to execute arbitrary code via a crafted response to a \"pip install\" operation.","fixed_in":["1.3"],"id":"GHSA-g3p5-fjj9-h8gj","link":"https://osv.dev/vulnerability/GHSA-g3p5-fjj9-h8gj","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2013-5123"],"details":"The mirroring support (-M, --use-mirrors) in Python Pip before 1.5 uses insecure DNS querying and authenticity checks which allows attackers to perform man-in-the-middle attacks.","fixed_in":["1.5"],"id":"GHSA-c5h8-cq4v-cvfm","link":"https://osv.dev/vulnerability/GHSA-c5h8-cq4v-cvfm","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2014-8991"],"details":"pip 1.3 through 1.5.6 allows local users to cause a denial of service (prevention of package installation) by creating a `/tmp/pip-build-*` file for another user.","fixed_in":["6.0"],"id":"GHSA-53mr-44pp-crf4","link":"https://osv.dev/vulnerability/GHSA-53mr-44pp-crf4","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the `hg clone` call (e.g. `--config`). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.","fixed_in":["23.3"],"id":"GHSA-mq26-g339-26xf","link":"https://osv.dev/vulnerability/GHSA-mq26-g339-26xf","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL  (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n","fixed_in":["23.3"],"id":"PYSEC-2023-228","link":"https://osv.dev/vulnerability/PYSEC-2023-228","source":"osv","summary":null,"withdrawn":null}]},"0.6.1":{"info":{"author":"The Open Planning Project","author_email":"python-virtualenv@groups.google.com","bugtrack_url":null,"classifiers":["Development Status :: 4 - Beta","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Topic :: Software Development :: Build Tools"],"description_content_type":null,"docs_url":null,"download_url":"UNKNOWN","downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"http://pip.openplans.org","keywords":"easy_install distutils setuptools egg virtualenv","license":"MIT","maintainer":"","maintainer_email":"","name":"pip","package_url":"https://pypi.org/project/pip/","platform":"UNKNOWN","project_url":"https://pypi.org/project/pip/","project_urls":{"Download":"UNKNOWN","Homepage":"http://pip.openplans.org"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/0.6.1/","requires_dist":null,"requires_python":null,"summary":"pip installs packages.  Python packages.  An easy_install replacement","version":"0.6.1","yanked":false,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"91cd105f4d3c75d0ae18e12623acc96f42168aaba408dd6e43c4505aa21f8e37","md5":"7560e3055c66afb99ac4a7892389a237","sha256":"efe47e84ffeb0ea4804f9858b8a94bebd07f5452f907ebed36d03aed06a9f9ec"},"downloads":-1,"filename":"pip-0.6.1.tar.gz","has_sig":false,"md5_digest":"7560e3055c66afb99ac4a7892389a237","packagetype":"sdist","python_version":"source","requires_python":null,"size":55299,"upload_time":"2009-11-20T17:31:31","upload_time_iso_8601":"2009-11-20T17:31:31.717781Z","url":"https://files.pythonhosted.org/packages/91/cd/105f4d3c75d0ae18e12623acc96f42168aaba408dd6e43c4505aa21f8e37/pip-0.6.1.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[{"aliases":["CVE-2013-5123","GHSA-c5h8-cq4v-cvfm"],"details":"The mirroring support (-M, --use-mirrors) in Python Pip before 1.5 uses insecure DNS querying and authenticity checks which allows attackers to perform man-in-the-middle attacks.","fixed_in":["1.5"],"id":"PYSEC-2019-160","link":"https://osv.dev/vulnerability/PYSEC-2019-160","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2019-20916","GHSA-gpvv-69j7-gwj8"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py.","fixed_in":["19.2"],"id":"PYSEC-2020-173","link":"https://osv.dev/vulnerability/PYSEC-2020-173","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572","GHSA-5xp3-jfq3-5q8x"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"PYSEC-2021-437","link":"https://osv.dev/vulnerability/PYSEC-2021-437","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2013-1629","GHSA-g3p5-fjj9-h8gj"],"details":"pip before 1.3 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which allows man-in-the-middle attackers to execute arbitrary code via a crafted response to a \"pip install\" operation.","fixed_in":["1.3"],"id":"PYSEC-2013-8","link":"https://osv.dev/vulnerability/PYSEC-2013-8","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2013-1888","GHSA-4gv5-qhvr-36vv"],"details":"pip before 1.3 allows local users to overwrite arbitrary files via a symlink attack on a file in the /tmp/pip-build temporary directory.","fixed_in":["1.3"],"id":"PYSEC-2013-9","link":"https://osv.dev/vulnerability/PYSEC-2013-9","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2019-20916"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py. A fix was committed 6704f2ace.","fixed_in":["19.2"],"id":"GHSA-gpvv-69j7-gwj8","link":"https://osv.dev/vulnerability/GHSA-gpvv-69j7-gwj8","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"GHSA-5xp3-jfq3-5q8x","link":"https://osv.dev/vulnerability/GHSA-5xp3-jfq3-5q8x","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2013-1888"],"details":"pip before 1.3 allows local users to overwrite arbitrary files via a symlink attack on a file in the /tmp/pip-build temporary directory.","fixed_in":["1.3"],"id":"GHSA-4gv5-qhvr-36vv","link":"https://osv.dev/vulnerability/GHSA-4gv5-qhvr-36vv","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2013-1629"],"details":"pip before 1.3 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which allows man-in-the-middle attackers to execute arbitrary code via a crafted response to a \"pip install\" operation.","fixed_in":["1.3"],"id":"GHSA-g3p5-fjj9-h8gj","link":"https://osv.dev/vulnerability/GHSA-g3p5-fjj9-h8gj","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2013-5123"],"details":"The mirroring support (-M, --use-mirrors) in Python Pip before 1.5 uses insecure DNS querying and authenticity checks which allows attackers to perform man-in-the-middle attacks.","fixed_in":["1.5"],"id":"GHSA-c5h8-cq4v-cvfm","link":"https://osv.dev/vulnerability/GHSA-c5h8-cq4v-cvfm","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2014-8991"],"details":"pip 1.3 through 1.5.6 allows local users to cause a denial of service (prevention of package installation) by creating a `/tmp/pip-build-*` file for another user.","fixed_in":["6.0"],"id":"GHSA-53mr-44pp-crf4","link":"https://osv.dev/vulnerability/GHSA-53mr-44pp-crf4","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the `hg clone` call (e.g. `--config`). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.","fixed_in":["23.3"],"id":"GHSA-mq26-g339-26xf","link":"https://osv.dev/vulnerability/GHSA-mq26-g339-26xf","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL  (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n","fixed_in":["23.3"],"id":"PYSEC-2023-228","link":"https://osv.dev/vulnerability/PYSEC-2023-228","source":"osv","summary":null,"withdrawn":null}]},"0.6.2":{"info":{"author":"The Open Planning Project","author_email":"python-virtualenv@groups.google.com","bugtrack_url":null,"classifiers":["Development Status :: 4 - Beta","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Topic :: Software Development :: Build Tools"],"description_content_type":null,"docs_url":null,"download_url":"UNKNOWN","downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"http://pip.openplans.org","keywords":"easy_install distutils setuptools egg virtualenv","license":"MIT","maintainer":"","maintainer_email":"","name":"pip","package_url":"https://pypi.org/project/pip/","platform":"UNKNOWN","project_url":"https://pypi.org/project/pip/","project_urls":{"Download":"UNKNOWN","Homepage":"http://pip.openplans.org"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/0.6.2/","requires_dist":null,"requires_python":null,"summary":"pip installs packages.  Python packages.  An easy_install replacement","version":"0.6.2","yanked":false,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"1cc7c0e1a9413c37828faf290f29a85a4d6034c145cc04bf1622ba8beb662ad8","md5":"9a43e0a2ce8833069f41c347932bdb25","sha256":"1c1a504d7e70d2c24246f95bd16e3d5fcec740fd144df69a407bf65a2ee67586"},"downloads":-1,"filename":"pip-0.6.2.tar.gz","has_sig":false,"md5_digest":"9a43e0a2ce8833069f41c347932bdb25","packagetype":"sdist","python_version":"source","requires_python":null,"size":70677,"upload_time":"2010-01-18T21:41:29","upload_time_iso_8601":"2010-01-18T21:41:29.467711Z","url":"https://files.pythonhosted.org/packages/1c/c7/c0e1a9413c37828faf290f29a85a4d6034c145cc04bf1622ba8beb662ad8/pip-0.6.2.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[{"aliases":["CVE-2013-5123","GHSA-c5h8-cq4v-cvfm"],"details":"The mirroring support (-M, --use-mirrors) in Python Pip before 1.5 uses insecure DNS querying and authenticity checks which allows attackers to perform man-in-the-middle attacks.","fixed_in":["1.5"],"id":"PYSEC-2019-160","link":"https://osv.dev/vulnerability/PYSEC-2019-160","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2019-20916","GHSA-gpvv-69j7-gwj8"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py.","fixed_in":["19.2"],"id":"PYSEC-2020-173","link":"https://osv.dev/vulnerability/PYSEC-2020-173","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572","GHSA-5xp3-jfq3-5q8x"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"PYSEC-2021-437","link":"https://osv.dev/vulnerability/PYSEC-2021-437","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2013-1629","GHSA-g3p5-fjj9-h8gj"],"details":"pip before 1.3 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which allows man-in-the-middle attackers to execute arbitrary code via a crafted response to a \"pip install\" operation.","fixed_in":["1.3"],"id":"PYSEC-2013-8","link":"https://osv.dev/vulnerability/PYSEC-2013-8","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2013-1888","GHSA-4gv5-qhvr-36vv"],"details":"pip before 1.3 allows local users to overwrite arbitrary files via a symlink attack on a file in the /tmp/pip-build temporary directory.","fixed_in":["1.3"],"id":"PYSEC-2013-9","link":"https://osv.dev/vulnerability/PYSEC-2013-9","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2019-20916"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py. A fix was committed 6704f2ace.","fixed_in":["19.2"],"id":"GHSA-gpvv-69j7-gwj8","link":"https://osv.dev/vulnerability/GHSA-gpvv-69j7-gwj8","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"GHSA-5xp3-jfq3-5q8x","link":"https://osv.dev/vulnerability/GHSA-5xp3-jfq3-5q8x","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2013-1888"],"details":"pip before 1.3 allows local users to overwrite arbitrary files via a symlink attack on a file in the /tmp/pip-build temporary directory.","fixed_in":["1.3"],"id":"GHSA-4gv5-qhvr-36vv","link":"https://osv.dev/vulnerability/GHSA-4gv5-qhvr-36vv","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2013-1629"],"details":"pip before 1.3 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which allows man-in-the-middle attackers to execute arbitrary code via a crafted response to a \"pip install\" operation.","fixed_in":["1.3"],"id":"GHSA-g3p5-fjj9-h8gj","link":"https://osv.dev/vulnerability/GHSA-g3p5-fjj9-h8gj","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2013-5123"],"details":"The mirroring support (-M, --use-mirrors) in Python Pip before 1.5 uses insecure DNS querying and authenticity checks which allows attackers to perform man-in-the-middle attacks.","fixed_in":["1.5"],"id":"GHSA-c5h8-cq4v-cvfm","link":"https://osv.dev/vulnerability/GHSA-c5h8-cq4v-cvfm","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2014-8991"],"details":"pip 1.3 through 1.5.6 allows local users to cause a denial of service (prevention of package installation) by creating a `/tmp/pip-build-*` file for another user.","fixed_in":["6.0"],"id":"GHSA-53mr-44pp-crf4","link":"https://osv.dev/vulnerability/GHSA-53mr-44pp-crf4","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the `hg clone` call (e.g. `--config`). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.","fixed_in":["23.3"],"id":"GHSA-mq26-g339-26xf","link":"https://osv.dev/vulnerability/GHSA-mq26-g339-26xf","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL  (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n","fixed_in":["23.3"],"id":"PYSEC-2023-228","link":"https://osv.dev/vulnerability/PYSEC-2023-228","source":"osv","summary":null,"withdrawn":null}]},"0.6.3":{"info":{"author":"The Open Planning Project","author_email":"python-virtualenv@groups.google.com","bugtrack_url":null,"classifiers":["Development Status :: 4 - Beta","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Topic :: Software Development :: Build Tools"],"description_content_type":null,"docs_url":null,"download_url":"UNKNOWN","downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"http://pip.openplans.org","keywords":"easy_install distutils setuptools egg virtualenv","license":"MIT","maintainer":"","maintainer_email":"","name":"pip","package_url":"https://pypi.org/project/pip/","platform":"UNKNOWN","project_url":"https://pypi.org/project/pip/","project_urls":{"Download":"UNKNOWN","Homepage":"http://pip.openplans.org"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/0.6.3/","requires_dist":null,"requires_python":null,"summary":"pip installs packages.  Python packages.  An easy_install replacement","version":"0.6.3","yanked":false,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"3fafc4b9d49fb0f286996b28dbc0955c3ad359794697eb98e0e69863908070b0","md5":"0602fa9179cfaa98e41565d4a581d98c","sha256":"1a6df71eb29b98cba11bde6d6a0d8c6dd8b0518e74ceb71fb31ea4fbb42fd313"},"downloads":-1,"filename":"pip-0.6.3.tar.gz","has_sig":false,"md5_digest":"0602fa9179cfaa98e41565d4a581d98c","packagetype":"sdist","python_version":"source","requires_python":null,"size":71146,"upload_time":"2010-01-21T19:26:46","upload_time_iso_8601":"2010-01-21T19:26:46.380870Z","url":"https://files.pythonhosted.org/packages/3f/af/c4b9d49fb0f286996b28dbc0955c3ad359794697eb98e0e69863908070b0/pip-0.6.3.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[{"aliases":["CVE-2013-5123","GHSA-c5h8-cq4v-cvfm"],"details":"The mirroring support (-M, --use-mirrors) in Python Pip before 1.5 uses insecure DNS querying and authenticity checks which allows attackers to perform man-in-the-middle attacks.","fixed_in":["1.5"],"id":"PYSEC-2019-160","link":"https://osv.dev/vulnerability/PYSEC-2019-160","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2019-20916","GHSA-gpvv-69j7-gwj8"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py.","fixed_in":["19.2"],"id":"PYSEC-2020-173","link":"https://osv.dev/vulnerability/PYSEC-2020-173","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572","GHSA-5xp3-jfq3-5q8x"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"PYSEC-2021-437","link":"https://osv.dev/vulnerability/PYSEC-2021-437","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2013-1629","GHSA-g3p5-fjj9-h8gj"],"details":"pip before 1.3 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which allows man-in-the-middle attackers to execute arbitrary code via a crafted response to a \"pip install\" operation.","fixed_in":["1.3"],"id":"PYSEC-2013-8","link":"https://osv.dev/vulnerability/PYSEC-2013-8","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2013-1888","GHSA-4gv5-qhvr-36vv"],"details":"pip before 1.3 allows local users to overwrite arbitrary files via a symlink attack on a file in the /tmp/pip-build temporary directory.","fixed_in":["1.3"],"id":"PYSEC-2013-9","link":"https://osv.dev/vulnerability/PYSEC-2013-9","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2019-20916"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py. A fix was committed 6704f2ace.","fixed_in":["19.2"],"id":"GHSA-gpvv-69j7-gwj8","link":"https://osv.dev/vulnerability/GHSA-gpvv-69j7-gwj8","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"GHSA-5xp3-jfq3-5q8x","link":"https://osv.dev/vulnerability/GHSA-5xp3-jfq3-5q8x","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2013-1888"],"details":"pip before 1.3 allows local users to overwrite arbitrary files via a symlink attack on a file in the /tmp/pip-build temporary directory.","fixed_in":["1.3"],"id":"GHSA-4gv5-qhvr-36vv","link":"https://osv.dev/vulnerability/GHSA-4gv5-qhvr-36vv","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2013-1629"],"details":"pip before 1.3 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which allows man-in-the-middle attackers to execute arbitrary code via a crafted response to a \"pip install\" operation.","fixed_in":["1.3"],"id":"GHSA-g3p5-fjj9-h8gj","link":"https://osv.dev/vulnerability/GHSA-g3p5-fjj9-h8gj","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2013-5123"],"details":"The mirroring support (-M, --use-mirrors) in Python Pip before 1.5 uses insecure DNS querying and authenticity checks which allows attackers to perform man-in-the-middle attacks.","fixed_in":["1.5"],"id":"GHSA-c5h8-cq4v-cvfm","link":"https://osv.dev/vulnerability/GHSA-c5h8-cq4v-cvfm","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2014-8991"],"details":"pip 1.3 through 1.5.6 allows local users to cause a denial of service (prevention of package installation) by creating a `/tmp/pip-build-*` file for another user.","fixed_in":["6.0"],"id":"GHSA-53mr-44pp-crf4","link":"https://osv.dev/vulnerability/GHSA-53mr-44pp-crf4","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the `hg clone` call (e.g. `--config`). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.","fixed_in":["23.3"],"id":"GHSA-mq26-g339-26xf","link":"https://osv.dev/vulnerability/GHSA-mq26-g339-26xf","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL  (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n","fixed_in":["23.3"],"id":"PYSEC-2023-228","link":"https://osv.dev/vulnerability/PYSEC-2023-228","source":"osv","summary":null,"withdrawn":null}]},"0.7":{"info":{"author":"The Open Planning Project","author_email":"python-virtualenv@groups.google.com","bugtrack_url":null,"classifiers":["Development Status :: 4 - Beta","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Topic :: Software Development :: Build Tools"],"description_content_type":null,"docs_url":null,"download_url":"UNKNOWN","downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"http://pip.openplans.org","keywords":"easy_install distutils setuptools egg virtualenv","license":"MIT","maintainer":"","maintainer_email":"","name":"pip","package_url":"https://pypi.org/project/pip/","platform":"UNKNOWN","project_url":"https://pypi.org/project/pip/","project_urls":{"Download":"UNKNOWN","Homepage":"http://pip.openplans.org"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/0.7/","requires_dist":null,"requires_python":null,"summary":"pip installs packages.  Python packages.  An easy_install replacement","version":"0.7","yanked":false,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"ec7a6fe91ff0079ad0437830957c459d52f3923e516f5b453218f2a93d09a427","md5":"8d4b4f7266fe0808569182e6832d74ac","sha256":"ceaea0b9e494d893c8a191895301b79c1db33e41f14d3ad93e3d28a8b4e9bf27"},"downloads":-1,"filename":"pip-0.7.tar.gz","has_sig":false,"md5_digest":"8d4b4f7266fe0808569182e6832d74ac","packagetype":"sdist","python_version":"source","requires_python":null,"size":68510,"upload_time":"2010-04-16T22:13:49","upload_time_iso_8601":"2010-04-16T22:13:49.488007Z","url":"https://files.pythonhosted.org/packages/ec/7a/6fe91ff0079ad0437830957c459d52f3923e516f5b453218f2a93d09a427/pip-0.7.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[{"aliases":["CVE-2013-5123","GHSA-c5h8-cq4v-cvfm"],"details":"The mirroring support (-M, --use-mirrors) in Python Pip before 1.5 uses insecure DNS querying and authenticity checks which allows attackers to perform man-in-the-middle attacks.","fixed_in":["1.5"],"id":"PYSEC-2019-160","link":"https://osv.dev/vulnerability/PYSEC-2019-160","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2019-20916","GHSA-gpvv-69j7-gwj8"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py.","fixed_in":["19.2"],"id":"PYSEC-2020-173","link":"https://osv.dev/vulnerability/PYSEC-2020-173","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572","GHSA-5xp3-jfq3-5q8x"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"PYSEC-2021-437","link":"https://osv.dev/vulnerability/PYSEC-2021-437","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2013-1629","GHSA-g3p5-fjj9-h8gj"],"details":"pip before 1.3 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which allows man-in-the-middle attackers to execute arbitrary code via a crafted response to a \"pip install\" operation.","fixed_in":["1.3"],"id":"PYSEC-2013-8","link":"https://osv.dev/vulnerability/PYSEC-2013-8","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2013-1888","GHSA-4gv5-qhvr-36vv"],"details":"pip before 1.3 allows local users to overwrite arbitrary files via a symlink attack on a file in the /tmp/pip-build temporary directory.","fixed_in":["1.3"],"id":"PYSEC-2013-9","link":"https://osv.dev/vulnerability/PYSEC-2013-9","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2019-20916"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py. A fix was committed 6704f2ace.","fixed_in":["19.2"],"id":"GHSA-gpvv-69j7-gwj8","link":"https://osv.dev/vulnerability/GHSA-gpvv-69j7-gwj8","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"GHSA-5xp3-jfq3-5q8x","link":"https://osv.dev/vulnerability/GHSA-5xp3-jfq3-5q8x","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2013-1888"],"details":"pip before 1.3 allows local users to overwrite arbitrary files via a symlink attack on a file in the /tmp/pip-build temporary directory.","fixed_in":["1.3"],"id":"GHSA-4gv5-qhvr-36vv","link":"https://osv.dev/vulnerability/GHSA-4gv5-qhvr-36vv","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2013-1629"],"details":"pip before 1.3 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which allows man-in-the-middle attackers to execute arbitrary code via a crafted response to a \"pip install\" operation.","fixed_in":["1.3"],"id":"GHSA-g3p5-fjj9-h8gj","link":"https://osv.dev/vulnerability/GHSA-g3p5-fjj9-h8gj","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2013-5123"],"details":"The mirroring support (-M, --use-mirrors) in Python Pip before 1.5 uses insecure DNS querying and authenticity checks which allows attackers to perform man-in-the-middle attacks.","fixed_in":["1.5"],"id":"GHSA-c5h8-cq4v-cvfm","link":"https://osv.dev/vulnerability/GHSA-c5h8-cq4v-cvfm","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2014-8991"],"details":"pip 1.3 through 1.5.6 allows local users to cause a denial of service (prevention of package installation) by creating a `/tmp/pip-build-*` file for another user.","fixed_in":["6.0"],"id":"GHSA-53mr-44pp-crf4","link":"https://osv.dev/vulnerability/GHSA-53mr-44pp-crf4","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the `hg clone` call (e.g. `--config`). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.","fixed_in":["23.3"],"id":"GHSA-mq26-g339-26xf","link":"https://osv.dev/vulnerability/GHSA-mq26-g339-26xf","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL  (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n","fixed_in":["23.3"],"id":"PYSEC-2023-228","link":"https://osv.dev/vulnerability/PYSEC-2023-228","source":"osv","summary":null,"withdrawn":null}]},"0.7.1":{"info":{"author":"The Open Planning Project","author_email":"python-virtualenv@groups.google.com","bugtrack_url":null,"classifiers":["Development Status :: 4 - Beta","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Topic :: Software Development :: Build Tools"],"description_content_type":null,"docs_url":null,"download_url":"UNKNOWN","downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"http://pip.openplans.org","keywords":"easy_install distutils setuptools egg virtualenv","license":"MIT","maintainer":"","maintainer_email":"","name":"pip","package_url":"https://pypi.org/project/pip/","platform":"UNKNOWN","project_url":"https://pypi.org/project/pip/","project_urls":{"Download":"UNKNOWN","Homepage":"http://pip.openplans.org"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/0.7.1/","requires_dist":null,"requires_python":null,"summary":"pip installs packages.  Python packages.  An easy_install replacement","version":"0.7.1","yanked":false,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"a56311303863c2f5e9d9a15d89fcf7513a4b60987007d418862e0fb65c09fff7","md5":"420c83ad67bdcb542f772eb64392cce6","sha256":"f54f05aa17edd0036de433c44892c8fedb1fd2871c97829838feb995818d24c3"},"downloads":-1,"filename":"pip-0.7.1.tar.gz","has_sig":false,"md5_digest":"420c83ad67bdcb542f772eb64392cce6","packagetype":"sdist","python_version":"source","requires_python":null,"size":82468,"upload_time":"2010-04-22T09:58:13","upload_time_iso_8601":"2010-04-22T09:58:13.668830Z","url":"https://files.pythonhosted.org/packages/a5/63/11303863c2f5e9d9a15d89fcf7513a4b60987007d418862e0fb65c09fff7/pip-0.7.1.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[{"aliases":["CVE-2013-5123","GHSA-c5h8-cq4v-cvfm"],"details":"The mirroring support (-M, --use-mirrors) in Python Pip before 1.5 uses insecure DNS querying and authenticity checks which allows attackers to perform man-in-the-middle attacks.","fixed_in":["1.5"],"id":"PYSEC-2019-160","link":"https://osv.dev/vulnerability/PYSEC-2019-160","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2019-20916","GHSA-gpvv-69j7-gwj8"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py.","fixed_in":["19.2"],"id":"PYSEC-2020-173","link":"https://osv.dev/vulnerability/PYSEC-2020-173","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572","GHSA-5xp3-jfq3-5q8x"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"PYSEC-2021-437","link":"https://osv.dev/vulnerability/PYSEC-2021-437","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2013-1629","GHSA-g3p5-fjj9-h8gj"],"details":"pip before 1.3 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which allows man-in-the-middle attackers to execute arbitrary code via a crafted response to a \"pip install\" operation.","fixed_in":["1.3"],"id":"PYSEC-2013-8","link":"https://osv.dev/vulnerability/PYSEC-2013-8","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2013-1888","GHSA-4gv5-qhvr-36vv"],"details":"pip before 1.3 allows local users to overwrite arbitrary files via a symlink attack on a file in the /tmp/pip-build temporary directory.","fixed_in":["1.3"],"id":"PYSEC-2013-9","link":"https://osv.dev/vulnerability/PYSEC-2013-9","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2019-20916"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py. A fix was committed 6704f2ace.","fixed_in":["19.2"],"id":"GHSA-gpvv-69j7-gwj8","link":"https://osv.dev/vulnerability/GHSA-gpvv-69j7-gwj8","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"GHSA-5xp3-jfq3-5q8x","link":"https://osv.dev/vulnerability/GHSA-5xp3-jfq3-5q8x","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2013-1888"],"details":"pip before 1.3 allows local users to overwrite arbitrary files via a symlink attack on a file in the /tmp/pip-build temporary directory.","fixed_in":["1.3"],"id":"GHSA-4gv5-qhvr-36vv","link":"https://osv.dev/vulnerability/GHSA-4gv5-qhvr-36vv","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2013-1629"],"details":"pip before 1.3 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which allows man-in-the-middle attackers to execute arbitrary code via a crafted response to a \"pip install\" operation.","fixed_in":["1.3"],"id":"GHSA-g3p5-fjj9-h8gj","link":"https://osv.dev/vulnerability/GHSA-g3p5-fjj9-h8gj","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2013-5123"],"details":"The mirroring support (-M, --use-mirrors) in Python Pip before 1.5 uses insecure DNS querying and authenticity checks which allows attackers to perform man-in-the-middle attacks.","fixed_in":["1.5"],"id":"GHSA-c5h8-cq4v-cvfm","link":"https://osv.dev/vulnerability/GHSA-c5h8-cq4v-cvfm","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2014-8991"],"details":"pip 1.3 through 1.5.6 allows local users to cause a denial of service (prevention of package installation) by creating a `/tmp/pip-build-*` file for another user.","fixed_in":["6.0"],"id":"GHSA-53mr-44pp-crf4","link":"https://osv.dev/vulnerability/GHSA-53mr-44pp-crf4","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the `hg clone` call (e.g. `--config`). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.","fixed_in":["23.3"],"id":"GHSA-mq26-g339-26xf","link":"https://osv.dev/vulnerability/GHSA-mq26-g339-26xf","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL  (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n","fixed_in":["23.3"],"id":"PYSEC-2023-228","link":"https://osv.dev/vulnerability/PYSEC-2023-228","source":"osv","summary":null,"withdrawn":null}]},"0.7.2":{"info":{"author":"The Open Planning Project","author_email":"python-virtualenv@groups.google.com","bugtrack_url":null,"classifiers":["Development Status :: 4 - Beta","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Topic :: Software Development :: Build Tools"],"description_content_type":null,"docs_url":null,"download_url":"UNKNOWN","downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"http://pip.openplans.org","keywords":"easy_install distutils setuptools egg virtualenv","license":"MIT","maintainer":"","maintainer_email":"","name":"pip","package_url":"https://pypi.org/project/pip/","platform":"UNKNOWN","project_url":"https://pypi.org/project/pip/","project_urls":{"Download":"UNKNOWN","Homepage":"http://pip.openplans.org"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/0.7.2/","requires_dist":null,"requires_python":null,"summary":"pip installs packages.  Python packages.  An easy_install replacement","version":"0.7.2","yanked":false,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"cda91debaa96bbc1005c1c8ad3b79fec58c198d35121546ea2e858ce0894268a","md5":"cfe73090aaa0d3b0c104179a627859d1","sha256":"98df2eb779358412bbbae75980171ae85deebc846d87e244d086520b1212da09"},"downloads":-1,"filename":"pip-0.7.2.tar.gz","has_sig":false,"md5_digest":"cfe73090aaa0d3b0c104179a627859d1","packagetype":"sdist","python_version":"source","requires_python":null,"size":68698,"upload_time":"2010-05-27T23:57:27","upload_time_iso_8601":"2010-05-27T23:57:27.369130Z","url":"https://files.pythonhosted.org/packages/cd/a9/1debaa96bbc1005c1c8ad3b79fec58c198d35121546ea2e858ce0894268a/pip-0.7.2.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[{"aliases":["CVE-2013-5123","GHSA-c5h8-cq4v-cvfm"],"details":"The mirroring support (-M, --use-mirrors) in Python Pip before 1.5 uses insecure DNS querying and authenticity checks which allows attackers to perform man-in-the-middle attacks.","fixed_in":["1.5"],"id":"PYSEC-2019-160","link":"https://osv.dev/vulnerability/PYSEC-2019-160","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2019-20916","GHSA-gpvv-69j7-gwj8"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py.","fixed_in":["19.2"],"id":"PYSEC-2020-173","link":"https://osv.dev/vulnerability/PYSEC-2020-173","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572","GHSA-5xp3-jfq3-5q8x"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"PYSEC-2021-437","link":"https://osv.dev/vulnerability/PYSEC-2021-437","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2013-1629","GHSA-g3p5-fjj9-h8gj"],"details":"pip before 1.3 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which allows man-in-the-middle attackers to execute arbitrary code via a crafted response to a \"pip install\" operation.","fixed_in":["1.3"],"id":"PYSEC-2013-8","link":"https://osv.dev/vulnerability/PYSEC-2013-8","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2013-1888","GHSA-4gv5-qhvr-36vv"],"details":"pip before 1.3 allows local users to overwrite arbitrary files via a symlink attack on a file in the /tmp/pip-build temporary directory.","fixed_in":["1.3"],"id":"PYSEC-2013-9","link":"https://osv.dev/vulnerability/PYSEC-2013-9","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2019-20916"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py. A fix was committed 6704f2ace.","fixed_in":["19.2"],"id":"GHSA-gpvv-69j7-gwj8","link":"https://osv.dev/vulnerability/GHSA-gpvv-69j7-gwj8","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"GHSA-5xp3-jfq3-5q8x","link":"https://osv.dev/vulnerability/GHSA-5xp3-jfq3-5q8x","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2013-1888"],"details":"pip before 1.3 allows local users to overwrite arbitrary files via a symlink attack on a file in the /tmp/pip-build temporary directory.","fixed_in":["1.3"],"id":"GHSA-4gv5-qhvr-36vv","link":"https://osv.dev/vulnerability/GHSA-4gv5-qhvr-36vv","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2013-1629"],"details":"pip before 1.3 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which allows man-in-the-middle attackers to execute arbitrary code via a crafted response to a \"pip install\" operation.","fixed_in":["1.3"],"id":"GHSA-g3p5-fjj9-h8gj","link":"https://osv.dev/vulnerability/GHSA-g3p5-fjj9-h8gj","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2013-5123"],"details":"The mirroring support (-M, --use-mirrors) in Python Pip before 1.5 uses insecure DNS querying and authenticity checks which allows attackers to perform man-in-the-middle attacks.","fixed_in":["1.5"],"id":"GHSA-c5h8-cq4v-cvfm","link":"https://osv.dev/vulnerability/GHSA-c5h8-cq4v-cvfm","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2014-8991"],"details":"pip 1.3 through 1.5.6 allows local users to cause a denial of service (prevention of package installation) by creating a `/tmp/pip-build-*` file for another user.","fixed_in":["6.0"],"id":"GHSA-53mr-44pp-crf4","link":"https://osv.dev/vulnerability/GHSA-53mr-44pp-crf4","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the `hg clone` call (e.g. `--config`). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.","fixed_in":["23.3"],"id":"GHSA-mq26-g339-26xf","link":"https://osv.dev/vulnerability/GHSA-mq26-g339-26xf","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL  (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n","fixed_in":["23.3"],"id":"PYSEC-2023-228","link":"https://osv.dev/vulnerability/PYSEC-2023-228","source":"osv","summary":null,"withdrawn":null}]},"0.8":{"info":{"author":"Ian Bicking","author_email":"python-virtualenv@groups.google.com","bugtrack_url":null,"classifiers":["Development Status :: 4 - Beta","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Programming Language :: Python :: 2.4","Programming Language :: Python :: 2.5","Programming Language :: Python :: 2.6","Programming Language :: Python :: 2.7","Topic :: Software Development :: Build Tools"],"description_content_type":null,"docs_url":null,"download_url":"UNKNOWN","downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"http://pip.openplans.org","keywords":"easy_install distutils setuptools egg virtualenv","license":"MIT","maintainer":"","maintainer_email":"","name":"pip","package_url":"https://pypi.org/project/pip/","platform":"UNKNOWN","project_url":"https://pypi.org/project/pip/","project_urls":{"Download":"UNKNOWN","Homepage":"http://pip.openplans.org"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/0.8/","requires_dist":null,"requires_python":null,"summary":"pip installs packages.  Python packages.  An easy_install replacement","version":"0.8","yanked":false,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"7454f785c327fb3d163560a879b36edae5c78ee07806be282c9d4807f6be7dd1","md5":"468d9adc309f33ad51cee38f0d455429","sha256":"9017e4484a212dd4e1a43dd9f039dd7fc8338d4eea1c339d5ae1c80726de5b0f"},"downloads":-1,"filename":"pip-0.8.tar.gz","has_sig":false,"md5_digest":"468d9adc309f33ad51cee38f0d455429","packagetype":"sdist","python_version":"source","requires_python":null,"size":98347,"upload_time":"2010-08-03T20:03:43","upload_time_iso_8601":"2010-08-03T20:03:43.850429Z","url":"https://files.pythonhosted.org/packages/74/54/f785c327fb3d163560a879b36edae5c78ee07806be282c9d4807f6be7dd1/pip-0.8.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[{"aliases":["CVE-2013-5123","GHSA-c5h8-cq4v-cvfm"],"details":"The mirroring support (-M, --use-mirrors) in Python Pip before 1.5 uses insecure DNS querying and authenticity checks which allows attackers to perform man-in-the-middle attacks.","fixed_in":["1.5"],"id":"PYSEC-2019-160","link":"https://osv.dev/vulnerability/PYSEC-2019-160","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2019-20916","GHSA-gpvv-69j7-gwj8"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py.","fixed_in":["19.2"],"id":"PYSEC-2020-173","link":"https://osv.dev/vulnerability/PYSEC-2020-173","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572","GHSA-5xp3-jfq3-5q8x"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"PYSEC-2021-437","link":"https://osv.dev/vulnerability/PYSEC-2021-437","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2013-1629","GHSA-g3p5-fjj9-h8gj"],"details":"pip before 1.3 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which allows man-in-the-middle attackers to execute arbitrary code via a crafted response to a \"pip install\" operation.","fixed_in":["1.3"],"id":"PYSEC-2013-8","link":"https://osv.dev/vulnerability/PYSEC-2013-8","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2013-1888","GHSA-4gv5-qhvr-36vv"],"details":"pip before 1.3 allows local users to overwrite arbitrary files via a symlink attack on a file in the /tmp/pip-build temporary directory.","fixed_in":["1.3"],"id":"PYSEC-2013-9","link":"https://osv.dev/vulnerability/PYSEC-2013-9","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2019-20916"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py. A fix was committed 6704f2ace.","fixed_in":["19.2"],"id":"GHSA-gpvv-69j7-gwj8","link":"https://osv.dev/vulnerability/GHSA-gpvv-69j7-gwj8","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"GHSA-5xp3-jfq3-5q8x","link":"https://osv.dev/vulnerability/GHSA-5xp3-jfq3-5q8x","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2013-1888"],"details":"pip before 1.3 allows local users to overwrite arbitrary files via a symlink attack on a file in the /tmp/pip-build temporary directory.","fixed_in":["1.3"],"id":"GHSA-4gv5-qhvr-36vv","link":"https://osv.dev/vulnerability/GHSA-4gv5-qhvr-36vv","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2013-1629"],"details":"pip before 1.3 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which allows man-in-the-middle attackers to execute arbitrary code via a crafted response to a \"pip install\" operation.","fixed_in":["1.3"],"id":"GHSA-g3p5-fjj9-h8gj","link":"https://osv.dev/vulnerability/GHSA-g3p5-fjj9-h8gj","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2013-5123"],"details":"The mirroring support (-M, --use-mirrors) in Python Pip before 1.5 uses insecure DNS querying and authenticity checks which allows attackers to perform man-in-the-middle attacks.","fixed_in":["1.5"],"id":"GHSA-c5h8-cq4v-cvfm","link":"https://osv.dev/vulnerability/GHSA-c5h8-cq4v-cvfm","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2014-8991"],"details":"pip 1.3 through 1.5.6 allows local users to cause a denial of service (prevention of package installation) by creating a `/tmp/pip-build-*` file for another user.","fixed_in":["6.0"],"id":"GHSA-53mr-44pp-crf4","link":"https://osv.dev/vulnerability/GHSA-53mr-44pp-crf4","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the `hg clone` call (e.g. `--config`). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.","fixed_in":["23.3"],"id":"GHSA-mq26-g339-26xf","link":"https://osv.dev/vulnerability/GHSA-mq26-g339-26xf","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL  (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n","fixed_in":["23.3"],"id":"PYSEC-2023-228","link":"https://osv.dev/vulnerability/PYSEC-2023-228","source":"osv","summary":null,"withdrawn":null}]},"0.8.1":{"info":{"author":"Ian Bicking","author_email":"python-virtualenv@groups.google.com","bugtrack_url":null,"classifiers":["Development Status :: 4 - Beta","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Programming Language :: Python :: 2.4","Programming Language :: Python :: 2.5","Programming Language :: Python :: 2.6","Programming Language :: Python :: 2.7","Topic :: Software Development :: Build Tools"],"description_content_type":null,"docs_url":null,"download_url":"UNKNOWN","downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"http://pip.openplans.org","keywords":"easy_install distutils setuptools egg virtualenv","license":"MIT","maintainer":"","maintainer_email":"","name":"pip","package_url":"https://pypi.org/project/pip/","platform":"UNKNOWN","project_url":"https://pypi.org/project/pip/","project_urls":{"Download":"UNKNOWN","Homepage":"http://pip.openplans.org"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/0.8.1/","requires_dist":null,"requires_python":null,"summary":"pip installs packages.  Python packages.  An easy_install replacement","version":"0.8.1","yanked":false,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"5c795e8381cc3078bae92166f2ba96de8355e8c181926505ba8882f7b099a500","md5":"5d40614774781b118dd3f10c0d038cbc","sha256":"7176a87f35675f6468341212f3b959bb51d23ea66eb1c3692bf746c45c716fa2"},"downloads":-1,"filename":"pip-0.8.1.tar.gz","has_sig":false,"md5_digest":"5d40614774781b118dd3f10c0d038cbc","packagetype":"sdist","python_version":"source","requires_python":null,"size":105248,"upload_time":"2010-09-14T18:40:51","upload_time_iso_8601":"2010-09-14T18:40:51.780302Z","url":"https://files.pythonhosted.org/packages/5c/79/5e8381cc3078bae92166f2ba96de8355e8c181926505ba8882f7b099a500/pip-0.8.1.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[{"aliases":["CVE-2013-5123","GHSA-c5h8-cq4v-cvfm"],"details":"The mirroring support (-M, --use-mirrors) in Python Pip before 1.5 uses insecure DNS querying and authenticity checks which allows attackers to perform man-in-the-middle attacks.","fixed_in":["1.5"],"id":"PYSEC-2019-160","link":"https://osv.dev/vulnerability/PYSEC-2019-160","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2019-20916","GHSA-gpvv-69j7-gwj8"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py.","fixed_in":["19.2"],"id":"PYSEC-2020-173","link":"https://osv.dev/vulnerability/PYSEC-2020-173","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572","GHSA-5xp3-jfq3-5q8x"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"PYSEC-2021-437","link":"https://osv.dev/vulnerability/PYSEC-2021-437","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2013-1629","GHSA-g3p5-fjj9-h8gj"],"details":"pip before 1.3 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which allows man-in-the-middle attackers to execute arbitrary code via a crafted response to a \"pip install\" operation.","fixed_in":["1.3"],"id":"PYSEC-2013-8","link":"https://osv.dev/vulnerability/PYSEC-2013-8","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2013-1888","GHSA-4gv5-qhvr-36vv"],"details":"pip before 1.3 allows local users to overwrite arbitrary files via a symlink attack on a file in the /tmp/pip-build temporary directory.","fixed_in":["1.3"],"id":"PYSEC-2013-9","link":"https://osv.dev/vulnerability/PYSEC-2013-9","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2019-20916"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py. A fix was committed 6704f2ace.","fixed_in":["19.2"],"id":"GHSA-gpvv-69j7-gwj8","link":"https://osv.dev/vulnerability/GHSA-gpvv-69j7-gwj8","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"GHSA-5xp3-jfq3-5q8x","link":"https://osv.dev/vulnerability/GHSA-5xp3-jfq3-5q8x","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2013-1888"],"details":"pip before 1.3 allows local users to overwrite arbitrary files via a symlink attack on a file in the /tmp/pip-build temporary directory.","fixed_in":["1.3"],"id":"GHSA-4gv5-qhvr-36vv","link":"https://osv.dev/vulnerability/GHSA-4gv5-qhvr-36vv","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2013-1629"],"details":"pip before 1.3 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which allows man-in-the-middle attackers to execute arbitrary code via a crafted response to a \"pip install\" operation.","fixed_in":["1.3"],"id":"GHSA-g3p5-fjj9-h8gj","link":"https://osv.dev/vulnerability/GHSA-g3p5-fjj9-h8gj","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2013-5123"],"details":"The mirroring support (-M, --use-mirrors) in Python Pip before 1.5 uses insecure DNS querying and authenticity checks which allows attackers to perform man-in-the-middle attacks.","fixed_in":["1.5"],"id":"GHSA-c5h8-cq4v-cvfm","link":"https://osv.dev/vulnerability/GHSA-c5h8-cq4v-cvfm","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2014-8991"],"details":"pip 1.3 through 1.5.6 allows local users to cause a denial of service (prevention of package installation) by creating a `/tmp/pip-build-*` file for another user.","fixed_in":["6.0"],"id":"GHSA-53mr-44pp-crf4","link":"https://osv.dev/vulnerability/GHSA-53mr-44pp-crf4","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the `hg clone` call (e.g. `--config`). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.","fixed_in":["23.3"],"id":"GHSA-mq26-g339-26xf","link":"https://osv.dev/vulnerability/GHSA-mq26-g339-26xf","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL  (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n","fixed_in":["23.3"],"id":"PYSEC-2023-228","link":"https://osv.dev/vulnerability/PYSEC-2023-228","source":"osv","summary":null,"withdrawn":null}]},"0.8.2":{"info":{"author":"Ian Bicking","author_email":"python-virtualenv@groups.google.com","bugtrack_url":null,"classifiers":["Development Status :: 4 - Beta","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Programming Language :: Python :: 2.4","Programming Language :: Python :: 2.5","Programming Language :: Python :: 2.6","Programming Language :: Python :: 2.7","Topic :: Software Development :: Build Tools"],"description_content_type":null,"docs_url":null,"download_url":"UNKNOWN","downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"http://pip.openplans.org","keywords":"easy_install distutils setuptools egg virtualenv","license":"MIT","maintainer":"","maintainer_email":"","name":"pip","package_url":"https://pypi.org/project/pip/","platform":"UNKNOWN","project_url":"https://pypi.org/project/pip/","project_urls":{"Download":"UNKNOWN","Homepage":"http://pip.openplans.org"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/0.8.2/","requires_dist":null,"requires_python":null,"summary":"pip installs packages.  Python packages.  An easy_install replacement","version":"0.8.2","yanked":false,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"173e0a98ab032991518741e7e712a719633e6ae160f51b3d3e855194530fd308","md5":"df1eca0abe7643d92b5222240bed15f6","sha256":"f80a3549c048bc3bbcb47844826e9c7c6fcd87e77b92bef0d9e66d1b397c4962"},"downloads":-1,"filename":"pip-0.8.2.tar.gz","has_sig":false,"md5_digest":"df1eca0abe7643d92b5222240bed15f6","packagetype":"sdist","python_version":"source","requires_python":null,"size":106126,"upload_time":"2010-11-29T19:24:08","upload_time_iso_8601":"2010-11-29T19:24:08.262456Z","url":"https://files.pythonhosted.org/packages/17/3e/0a98ab032991518741e7e712a719633e6ae160f51b3d3e855194530fd308/pip-0.8.2.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[{"aliases":["CVE-2013-5123","GHSA-c5h8-cq4v-cvfm"],"details":"The mirroring support (-M, --use-mirrors) in Python Pip before 1.5 uses insecure DNS querying and authenticity checks which allows attackers to perform man-in-the-middle attacks.","fixed_in":["1.5"],"id":"PYSEC-2019-160","link":"https://osv.dev/vulnerability/PYSEC-2019-160","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2019-20916","GHSA-gpvv-69j7-gwj8"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py.","fixed_in":["19.2"],"id":"PYSEC-2020-173","link":"https://osv.dev/vulnerability/PYSEC-2020-173","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572","GHSA-5xp3-jfq3-5q8x"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"PYSEC-2021-437","link":"https://osv.dev/vulnerability/PYSEC-2021-437","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2013-1629","GHSA-g3p5-fjj9-h8gj"],"details":"pip before 1.3 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which allows man-in-the-middle attackers to execute arbitrary code via a crafted response to a \"pip install\" operation.","fixed_in":["1.3"],"id":"PYSEC-2013-8","link":"https://osv.dev/vulnerability/PYSEC-2013-8","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2013-1888","GHSA-4gv5-qhvr-36vv"],"details":"pip before 1.3 allows local users to overwrite arbitrary files via a symlink attack on a file in the /tmp/pip-build temporary directory.","fixed_in":["1.3"],"id":"PYSEC-2013-9","link":"https://osv.dev/vulnerability/PYSEC-2013-9","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2019-20916"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py. A fix was committed 6704f2ace.","fixed_in":["19.2"],"id":"GHSA-gpvv-69j7-gwj8","link":"https://osv.dev/vulnerability/GHSA-gpvv-69j7-gwj8","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"GHSA-5xp3-jfq3-5q8x","link":"https://osv.dev/vulnerability/GHSA-5xp3-jfq3-5q8x","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2013-1888"],"details":"pip before 1.3 allows local users to overwrite arbitrary files via a symlink attack on a file in the /tmp/pip-build temporary directory.","fixed_in":["1.3"],"id":"GHSA-4gv5-qhvr-36vv","link":"https://osv.dev/vulnerability/GHSA-4gv5-qhvr-36vv","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2013-1629"],"details":"pip before 1.3 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which allows man-in-the-middle attackers to execute arbitrary code via a crafted response to a \"pip install\" operation.","fixed_in":["1.3"],"id":"GHSA-g3p5-fjj9-h8gj","link":"https://osv.dev/vulnerability/GHSA-g3p5-fjj9-h8gj","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2013-5123"],"details":"The mirroring support (-M, --use-mirrors) in Python Pip before 1.5 uses insecure DNS querying and authenticity checks which allows attackers to perform man-in-the-middle attacks.","fixed_in":["1.5"],"id":"GHSA-c5h8-cq4v-cvfm","link":"https://osv.dev/vulnerability/GHSA-c5h8-cq4v-cvfm","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2014-8991"],"details":"pip 1.3 through 1.5.6 allows local users to cause a denial of service (prevention of package installation) by creating a `/tmp/pip-build-*` file for another user.","fixed_in":["6.0"],"id":"GHSA-53mr-44pp-crf4","link":"https://osv.dev/vulnerability/GHSA-53mr-44pp-crf4","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the `hg clone` call (e.g. `--config`). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.","fixed_in":["23.3"],"id":"GHSA-mq26-g339-26xf","link":"https://osv.dev/vulnerability/GHSA-mq26-g339-26xf","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL  (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n","fixed_in":["23.3"],"id":"PYSEC-2023-228","link":"https://osv.dev/vulnerability/PYSEC-2023-228","source":"osv","summary":null,"withdrawn":null}]},"0.8.3":{"info":{"author":"The pip developers","author_email":"python-virtualenv@groups.google.com","bugtrack_url":null,"classifiers":["Development Status :: 4 - Beta","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Programming Language :: Python :: 2.4","Programming Language :: Python :: 2.5","Programming Language :: Python :: 2.6","Programming Language :: Python :: 2.7","Topic :: Software Development :: Build Tools"],"description_content_type":null,"docs_url":null,"download_url":"UNKNOWN","downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"http://www.pip-installer.org","keywords":"easy_install distutils setuptools egg virtualenv","license":"MIT","maintainer":"","maintainer_email":"","name":"pip","package_url":"https://pypi.org/project/pip/","platform":"UNKNOWN","project_url":"https://pypi.org/project/pip/","project_urls":{"Download":"UNKNOWN","Homepage":"http://www.pip-installer.org"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/0.8.3/","requires_dist":null,"requires_python":null,"summary":"pip installs packages.  Python packages.  An easy_install replacement","version":"0.8.3","yanked":false,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"f79a943fc6d879ed7220bac2e7e53096bfe78abec88d77f2f516400e0129679e","md5":"0603337a81f83df2b1d2f1151565efac","sha256":"1be2e18edd38aa75b5e4ef38a99ec33ba9247177cfcb4a6d2d2b3e73430e3001"},"downloads":-1,"filename":"pip-0.8.3.tar.gz","has_sig":false,"md5_digest":"0603337a81f83df2b1d2f1151565efac","packagetype":"sdist","python_version":"source","requires_python":null,"size":107684,"upload_time":"2011-03-12T21:17:26","upload_time_iso_8601":"2011-03-12T21:17:26.596004Z","url":"https://files.pythonhosted.org/packages/f7/9a/943fc6d879ed7220bac2e7e53096bfe78abec88d77f2f516400e0129679e/pip-0.8.3.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[{"aliases":["CVE-2013-5123","GHSA-c5h8-cq4v-cvfm"],"details":"The mirroring support (-M, --use-mirrors) in Python Pip before 1.5 uses insecure DNS querying and authenticity checks which allows attackers to perform man-in-the-middle attacks.","fixed_in":["1.5"],"id":"PYSEC-2019-160","link":"https://osv.dev/vulnerability/PYSEC-2019-160","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2019-20916","GHSA-gpvv-69j7-gwj8"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py.","fixed_in":["19.2"],"id":"PYSEC-2020-173","link":"https://osv.dev/vulnerability/PYSEC-2020-173","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572","GHSA-5xp3-jfq3-5q8x"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"PYSEC-2021-437","link":"https://osv.dev/vulnerability/PYSEC-2021-437","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2013-1629","GHSA-g3p5-fjj9-h8gj"],"details":"pip before 1.3 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which allows man-in-the-middle attackers to execute arbitrary code via a crafted response to a \"pip install\" operation.","fixed_in":["1.3"],"id":"PYSEC-2013-8","link":"https://osv.dev/vulnerability/PYSEC-2013-8","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2013-1888","GHSA-4gv5-qhvr-36vv"],"details":"pip before 1.3 allows local users to overwrite arbitrary files via a symlink attack on a file in the /tmp/pip-build temporary directory.","fixed_in":["1.3"],"id":"PYSEC-2013-9","link":"https://osv.dev/vulnerability/PYSEC-2013-9","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2019-20916"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py. A fix was committed 6704f2ace.","fixed_in":["19.2"],"id":"GHSA-gpvv-69j7-gwj8","link":"https://osv.dev/vulnerability/GHSA-gpvv-69j7-gwj8","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"GHSA-5xp3-jfq3-5q8x","link":"https://osv.dev/vulnerability/GHSA-5xp3-jfq3-5q8x","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2013-1888"],"details":"pip before 1.3 allows local users to overwrite arbitrary files via a symlink attack on a file in the /tmp/pip-build temporary directory.","fixed_in":["1.3"],"id":"GHSA-4gv5-qhvr-36vv","link":"https://osv.dev/vulnerability/GHSA-4gv5-qhvr-36vv","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2013-1629"],"details":"pip before 1.3 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which allows man-in-the-middle attackers to execute arbitrary code via a crafted response to a \"pip install\" operation.","fixed_in":["1.3"],"id":"GHSA-g3p5-fjj9-h8gj","link":"https://osv.dev/vulnerability/GHSA-g3p5-fjj9-h8gj","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2013-5123"],"details":"The mirroring support (-M, --use-mirrors) in Python Pip before 1.5 uses insecure DNS querying and authenticity checks which allows attackers to perform man-in-the-middle attacks.","fixed_in":["1.5"],"id":"GHSA-c5h8-cq4v-cvfm","link":"https://osv.dev/vulnerability/GHSA-c5h8-cq4v-cvfm","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2014-8991"],"details":"pip 1.3 through 1.5.6 allows local users to cause a denial of service (prevention of package installation) by creating a `/tmp/pip-build-*` file for another user.","fixed_in":["6.0"],"id":"GHSA-53mr-44pp-crf4","link":"https://osv.dev/vulnerability/GHSA-53mr-44pp-crf4","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the `hg clone` call (e.g. `--config`). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.","fixed_in":["23.3"],"id":"GHSA-mq26-g339-26xf","link":"https://osv.dev/vulnerability/GHSA-mq26-g339-26xf","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL  (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n","fixed_in":["23.3"],"id":"PYSEC-2023-228","link":"https://osv.dev/vulnerability/PYSEC-2023-228","source":"osv","summary":null,"withdrawn":null}]},"1.0":{"info":{"author":"The pip developers","author_email":"python-virtualenv@groups.google.com","bugtrack_url":null,"classifiers":["Development Status :: 5 - Production/Stable","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Programming Language :: Python :: 2","Programming Language :: Python :: 2.4","Programming Language :: Python :: 2.5","Programming Language :: Python :: 2.6","Programming Language :: Python :: 2.7","Programming Language :: Python :: 3","Programming Language :: Python :: 3.1","Programming Language :: Python :: 3.2","Topic :: Software Development :: Build Tools"],"description_content_type":null,"docs_url":null,"download_url":"UNKNOWN","downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"http://www.pip-installer.org","keywords":"easy_install distutils setuptools egg virtualenv","license":"MIT","maintainer":"","maintainer_email":"","name":"pip","package_url":"https://pypi.org/project/pip/","platform":"UNKNOWN","project_url":"https://pypi.org/project/pip/","project_urls":{"Download":"UNKNOWN","Homepage":"http://www.pip-installer.org"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/1.0/","requires_dist":null,"requires_python":null,"summary":"pip installs packages. Python packages. An easy_install replacement","version":"1.0","yanked":false,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"24336eb675fb6db7b71d69d6928b33dea61b8bf5cfe1e5649be70ec84ce2fc09","md5":"327fc4a03df189506966e15021730550","sha256":"34ba07e2d14ba86d5088ba896ac80bed845a9b276ab8acb279b8d99bc77fec8e"},"downloads":-1,"filename":"pip-1.0.tar.gz","has_sig":false,"md5_digest":"327fc4a03df189506966e15021730550","packagetype":"sdist","python_version":"source","requires_python":null,"size":100102,"upload_time":"2011-04-04T19:45:15","upload_time_iso_8601":"2011-04-04T19:45:15.450334Z","url":"https://files.pythonhosted.org/packages/24/33/6eb675fb6db7b71d69d6928b33dea61b8bf5cfe1e5649be70ec84ce2fc09/pip-1.0.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[{"aliases":["CVE-2013-5123","GHSA-c5h8-cq4v-cvfm"],"details":"The mirroring support (-M, --use-mirrors) in Python Pip before 1.5 uses insecure DNS querying and authenticity checks which allows attackers to perform man-in-the-middle attacks.","fixed_in":["1.5"],"id":"PYSEC-2019-160","link":"https://osv.dev/vulnerability/PYSEC-2019-160","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2019-20916","GHSA-gpvv-69j7-gwj8"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py.","fixed_in":["19.2"],"id":"PYSEC-2020-173","link":"https://osv.dev/vulnerability/PYSEC-2020-173","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572","GHSA-5xp3-jfq3-5q8x"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"PYSEC-2021-437","link":"https://osv.dev/vulnerability/PYSEC-2021-437","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2013-1629","GHSA-g3p5-fjj9-h8gj"],"details":"pip before 1.3 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which allows man-in-the-middle attackers to execute arbitrary code via a crafted response to a \"pip install\" operation.","fixed_in":["1.3"],"id":"PYSEC-2013-8","link":"https://osv.dev/vulnerability/PYSEC-2013-8","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2013-1888","GHSA-4gv5-qhvr-36vv"],"details":"pip before 1.3 allows local users to overwrite arbitrary files via a symlink attack on a file in the /tmp/pip-build temporary directory.","fixed_in":["1.3"],"id":"PYSEC-2013-9","link":"https://osv.dev/vulnerability/PYSEC-2013-9","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2019-20916"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py. A fix was committed 6704f2ace.","fixed_in":["19.2"],"id":"GHSA-gpvv-69j7-gwj8","link":"https://osv.dev/vulnerability/GHSA-gpvv-69j7-gwj8","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"GHSA-5xp3-jfq3-5q8x","link":"https://osv.dev/vulnerability/GHSA-5xp3-jfq3-5q8x","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2013-1888"],"details":"pip before 1.3 allows local users to overwrite arbitrary files via a symlink attack on a file in the /tmp/pip-build temporary directory.","fixed_in":["1.3"],"id":"GHSA-4gv5-qhvr-36vv","link":"https://osv.dev/vulnerability/GHSA-4gv5-qhvr-36vv","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2013-1629"],"details":"pip before 1.3 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which allows man-in-the-middle attackers to execute arbitrary code via a crafted response to a \"pip install\" operation.","fixed_in":["1.3"],"id":"GHSA-g3p5-fjj9-h8gj","link":"https://osv.dev/vulnerability/GHSA-g3p5-fjj9-h8gj","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2013-5123"],"details":"The mirroring support (-M, --use-mirrors) in Python Pip before 1.5 uses insecure DNS querying and authenticity checks which allows attackers to perform man-in-the-middle attacks.","fixed_in":["1.5"],"id":"GHSA-c5h8-cq4v-cvfm","link":"https://osv.dev/vulnerability/GHSA-c5h8-cq4v-cvfm","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2014-8991"],"details":"pip 1.3 through 1.5.6 allows local users to cause a denial of service (prevention of package installation) by creating a `/tmp/pip-build-*` file for another user.","fixed_in":["6.0"],"id":"GHSA-53mr-44pp-crf4","link":"https://osv.dev/vulnerability/GHSA-53mr-44pp-crf4","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the `hg clone` call (e.g. `--config`). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.","fixed_in":["23.3"],"id":"GHSA-mq26-g339-26xf","link":"https://osv.dev/vulnerability/GHSA-mq26-g339-26xf","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL  (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n","fixed_in":["23.3"],"id":"PYSEC-2023-228","link":"https://osv.dev/vulnerability/PYSEC-2023-228","source":"osv","summary":null,"withdrawn":null}]},"1.0.1":{"info":{"author":"The pip developers","author_email":"python-virtualenv@groups.google.com","bugtrack_url":null,"classifiers":["Development Status :: 5 - Production/Stable","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Programming Language :: Python :: 2","Programming Language :: Python :: 2.4","Programming Language :: Python :: 2.5","Programming Language :: Python :: 2.6","Programming Language :: Python :: 2.7","Programming Language :: Python :: 3","Programming Language :: Python :: 3.1","Programming Language :: Python :: 3.2","Topic :: Software Development :: Build Tools"],"description_content_type":null,"docs_url":null,"download_url":"UNKNOWN","downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"http://www.pip-installer.org","keywords":"easy_install distutils setuptools egg virtualenv","license":"MIT","maintainer":"","maintainer_email":"","name":"pip","package_url":"https://pypi.org/project/pip/","platform":"UNKNOWN","project_url":"https://pypi.org/project/pip/","project_urls":{"Download":"UNKNOWN","Homepage":"http://www.pip-installer.org"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/1.0.1/","requires_dist":null,"requires_python":null,"summary":"pip installs packages. Python packages. An easy_install replacement","version":"1.0.1","yanked":false,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"10d9f584e6107ef98ad7eaaaa5d0f756bfee12561fa6a4712ffdb7209e0e1fd4","md5":"28dcc70225e5bf925532abc5b087a94b","sha256":"37d2f18213d3845d2038dd3686bc71fc12bb41ad66c945a8b0dfec2879f3497b"},"downloads":-1,"filename":"pip-1.0.1.tar.gz","has_sig":false,"md5_digest":"28dcc70225e5bf925532abc5b087a94b","packagetype":"sdist","python_version":"source","requires_python":null,"size":104767,"upload_time":"2011-04-30T23:20:23","upload_time_iso_8601":"2011-04-30T23:20:23.151103Z","url":"https://files.pythonhosted.org/packages/10/d9/f584e6107ef98ad7eaaaa5d0f756bfee12561fa6a4712ffdb7209e0e1fd4/pip-1.0.1.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[{"aliases":["CVE-2013-5123","GHSA-c5h8-cq4v-cvfm"],"details":"The mirroring support (-M, --use-mirrors) in Python Pip before 1.5 uses insecure DNS querying and authenticity checks which allows attackers to perform man-in-the-middle attacks.","fixed_in":["1.5"],"id":"PYSEC-2019-160","link":"https://osv.dev/vulnerability/PYSEC-2019-160","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2019-20916","GHSA-gpvv-69j7-gwj8"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py.","fixed_in":["19.2"],"id":"PYSEC-2020-173","link":"https://osv.dev/vulnerability/PYSEC-2020-173","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572","GHSA-5xp3-jfq3-5q8x"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"PYSEC-2021-437","link":"https://osv.dev/vulnerability/PYSEC-2021-437","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2013-1629","GHSA-g3p5-fjj9-h8gj"],"details":"pip before 1.3 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which allows man-in-the-middle attackers to execute arbitrary code via a crafted response to a \"pip install\" operation.","fixed_in":["1.3"],"id":"PYSEC-2013-8","link":"https://osv.dev/vulnerability/PYSEC-2013-8","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2013-1888","GHSA-4gv5-qhvr-36vv"],"details":"pip before 1.3 allows local users to overwrite arbitrary files via a symlink attack on a file in the /tmp/pip-build temporary directory.","fixed_in":["1.3"],"id":"PYSEC-2013-9","link":"https://osv.dev/vulnerability/PYSEC-2013-9","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2019-20916"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py. A fix was committed 6704f2ace.","fixed_in":["19.2"],"id":"GHSA-gpvv-69j7-gwj8","link":"https://osv.dev/vulnerability/GHSA-gpvv-69j7-gwj8","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"GHSA-5xp3-jfq3-5q8x","link":"https://osv.dev/vulnerability/GHSA-5xp3-jfq3-5q8x","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2013-1888"],"details":"pip before 1.3 allows local users to overwrite arbitrary files via a symlink attack on a file in the /tmp/pip-build temporary directory.","fixed_in":["1.3"],"id":"GHSA-4gv5-qhvr-36vv","link":"https://osv.dev/vulnerability/GHSA-4gv5-qhvr-36vv","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2013-1629"],"details":"pip before 1.3 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which allows man-in-the-middle attackers to execute arbitrary code via a crafted response to a \"pip install\" operation.","fixed_in":["1.3"],"id":"GHSA-g3p5-fjj9-h8gj","link":"https://osv.dev/vulnerability/GHSA-g3p5-fjj9-h8gj","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2013-5123"],"details":"The mirroring support (-M, --use-mirrors) in Python Pip before 1.5 uses insecure DNS querying and authenticity checks which allows attackers to perform man-in-the-middle attacks.","fixed_in":["1.5"],"id":"GHSA-c5h8-cq4v-cvfm","link":"https://osv.dev/vulnerability/GHSA-c5h8-cq4v-cvfm","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2014-8991"],"details":"pip 1.3 through 1.5.6 allows local users to cause a denial of service (prevention of package installation) by creating a `/tmp/pip-build-*` file for another user.","fixed_in":["6.0"],"id":"GHSA-53mr-44pp-crf4","link":"https://osv.dev/vulnerability/GHSA-53mr-44pp-crf4","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the `hg clone` call (e.g. `--config`). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.","fixed_in":["23.3"],"id":"GHSA-mq26-g339-26xf","link":"https://osv.dev/vulnerability/GHSA-mq26-g339-26xf","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL  (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n","fixed_in":["23.3"],"id":"PYSEC-2023-228","link":"https://osv.dev/vulnerability/PYSEC-2023-228","source":"osv","summary":null,"withdrawn":null}]},"1.0.2":{"info":{"author":"The pip developers","author_email":"python-virtualenv@groups.google.com","bugtrack_url":null,"classifiers":["Development Status :: 5 - Production/Stable","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Programming Language :: Python :: 2","Programming Language :: Python :: 2.4","Programming Language :: Python :: 2.5","Programming Language :: Python :: 2.6","Programming Language :: Python :: 2.7","Programming Language :: Python :: 3","Programming Language :: Python :: 3.1","Programming Language :: Python :: 3.2","Topic :: Software Development :: Build Tools"],"description_content_type":null,"docs_url":null,"download_url":"UNKNOWN","downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"http://www.pip-installer.org","keywords":"easy_install distutils setuptools egg virtualenv","license":"MIT","maintainer":null,"maintainer_email":null,"name":"pip","package_url":"https://pypi.org/project/pip/","platform":"UNKNOWN","project_url":"https://pypi.org/project/pip/","project_urls":{"Download":"UNKNOWN","Homepage":"http://www.pip-installer.org"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/1.0.2/","requires_dist":null,"requires_python":null,"summary":"pip installs packages. Python packages. An easy_install replacement","version":"1.0.2","yanked":false,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"16905e6f80364d8a656f60681dfb7330298edef292d43e1499bcb3a4c71ff0b9","md5":"47ec6ff3f6d962696fe08d4c8264ad49","sha256":"a6ed9b36aac2f121c01a2c9e0307a9e4d9438d100a407db701ac65479a3335d2"},"downloads":-1,"filename":"pip-1.0.2.tar.gz","has_sig":false,"md5_digest":"47ec6ff3f6d962696fe08d4c8264ad49","packagetype":"sdist","python_version":"source","requires_python":null,"size":105820,"upload_time":"2011-07-16T16:52:11","upload_time_iso_8601":"2011-07-16T16:52:11.604727Z","url":"https://files.pythonhosted.org/packages/16/90/5e6f80364d8a656f60681dfb7330298edef292d43e1499bcb3a4c71ff0b9/pip-1.0.2.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[{"aliases":["CVE-2013-5123","GHSA-c5h8-cq4v-cvfm"],"details":"The mirroring support (-M, --use-mirrors) in Python Pip before 1.5 uses insecure DNS querying and authenticity checks which allows attackers to perform man-in-the-middle attacks.","fixed_in":["1.5"],"id":"PYSEC-2019-160","link":"https://osv.dev/vulnerability/PYSEC-2019-160","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2019-20916","GHSA-gpvv-69j7-gwj8"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py.","fixed_in":["19.2"],"id":"PYSEC-2020-173","link":"https://osv.dev/vulnerability/PYSEC-2020-173","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572","GHSA-5xp3-jfq3-5q8x"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"PYSEC-2021-437","link":"https://osv.dev/vulnerability/PYSEC-2021-437","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2013-1629","GHSA-g3p5-fjj9-h8gj"],"details":"pip before 1.3 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which allows man-in-the-middle attackers to execute arbitrary code via a crafted response to a \"pip install\" operation.","fixed_in":["1.3"],"id":"PYSEC-2013-8","link":"https://osv.dev/vulnerability/PYSEC-2013-8","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2013-1888","GHSA-4gv5-qhvr-36vv"],"details":"pip before 1.3 allows local users to overwrite arbitrary files via a symlink attack on a file in the /tmp/pip-build temporary directory.","fixed_in":["1.3"],"id":"PYSEC-2013-9","link":"https://osv.dev/vulnerability/PYSEC-2013-9","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2019-20916"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py. A fix was committed 6704f2ace.","fixed_in":["19.2"],"id":"GHSA-gpvv-69j7-gwj8","link":"https://osv.dev/vulnerability/GHSA-gpvv-69j7-gwj8","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"GHSA-5xp3-jfq3-5q8x","link":"https://osv.dev/vulnerability/GHSA-5xp3-jfq3-5q8x","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2013-1888"],"details":"pip before 1.3 allows local users to overwrite arbitrary files via a symlink attack on a file in the /tmp/pip-build temporary directory.","fixed_in":["1.3"],"id":"GHSA-4gv5-qhvr-36vv","link":"https://osv.dev/vulnerability/GHSA-4gv5-qhvr-36vv","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2013-1629"],"details":"pip before 1.3 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which allows man-in-the-middle attackers to execute arbitrary code via a crafted response to a \"pip install\" operation.","fixed_in":["1.3"],"id":"GHSA-g3p5-fjj9-h8gj","link":"https://osv.dev/vulnerability/GHSA-g3p5-fjj9-h8gj","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2013-5123"],"details":"The mirroring support (-M, --use-mirrors) in Python Pip before 1.5 uses insecure DNS querying and authenticity checks which allows attackers to perform man-in-the-middle attacks.","fixed_in":["1.5"],"id":"GHSA-c5h8-cq4v-cvfm","link":"https://osv.dev/vulnerability/GHSA-c5h8-cq4v-cvfm","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2014-8991"],"details":"pip 1.3 through 1.5.6 allows local users to cause a denial of service (prevention of package installation) by creating a `/tmp/pip-build-*` file for another user.","fixed_in":["6.0"],"id":"GHSA-53mr-44pp-crf4","link":"https://osv.dev/vulnerability/GHSA-53mr-44pp-crf4","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the `hg clone` call (e.g. `--config`). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.","fixed_in":["23.3"],"id":"GHSA-mq26-g339-26xf","link":"https://osv.dev/vulnerability/GHSA-mq26-g339-26xf","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL  (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n","fixed_in":["23.3"],"id":"PYSEC-2023-228","link":"https://osv.dev/vulnerability/PYSEC-2023-228","source":"osv","summary":null,"withdrawn":null}]},"1.1":{"info":{"author":"The pip developers","author_email":"python-virtualenv@groups.google.com","bugtrack_url":null,"classifiers":["Development Status :: 5 - Production/Stable","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Programming Language :: Python :: 2","Programming Language :: Python :: 2.4","Programming Language :: Python :: 2.5","Programming Language :: Python :: 2.6","Programming Language :: Python :: 2.7","Programming Language :: Python :: 3","Programming Language :: Python :: 3.1","Programming Language :: Python :: 3.2","Topic :: Software Development :: Build Tools"],"description_content_type":null,"docs_url":null,"download_url":"UNKNOWN","downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"http://www.pip-installer.org","keywords":"easy_install distutils setuptools egg virtualenv","license":"MIT","maintainer":"","maintainer_email":"","name":"pip","package_url":"https://pypi.org/project/pip/","platform":"UNKNOWN","project_url":"https://pypi.org/project/pip/","project_urls":{"Download":"UNKNOWN","Homepage":"http://www.pip-installer.org"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/1.1/","requires_dist":null,"requires_python":null,"summary":"pip installs packages. Python packages. An easy_install replacement","version":"1.1","yanked":false,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"25570d42cf5307d79913a082c5c4397d46f3793bc35e1138a694136d6e31be99","md5":"62a9f08dd5dc69d76734568a6c040508","sha256":"993804bb947d18508acee02141281c77d27677f8c14eaa64d6287a1c53ef01c8"},"downloads":-1,"filename":"pip-1.1.tar.gz","has_sig":false,"md5_digest":"62a9f08dd5dc69d76734568a6c040508","packagetype":"sdist","python_version":"source","requires_python":null,"size":95197,"upload_time":"2012-02-16T21:08:04","upload_time_iso_8601":"2012-02-16T21:08:04.040768Z","url":"https://files.pythonhosted.org/packages/25/57/0d42cf5307d79913a082c5c4397d46f3793bc35e1138a694136d6e31be99/pip-1.1.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[{"aliases":["CVE-2013-5123","GHSA-c5h8-cq4v-cvfm"],"details":"The mirroring support (-M, --use-mirrors) in Python Pip before 1.5 uses insecure DNS querying and authenticity checks which allows attackers to perform man-in-the-middle attacks.","fixed_in":["1.5"],"id":"PYSEC-2019-160","link":"https://osv.dev/vulnerability/PYSEC-2019-160","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2019-20916","GHSA-gpvv-69j7-gwj8"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py.","fixed_in":["19.2"],"id":"PYSEC-2020-173","link":"https://osv.dev/vulnerability/PYSEC-2020-173","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572","GHSA-5xp3-jfq3-5q8x"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"PYSEC-2021-437","link":"https://osv.dev/vulnerability/PYSEC-2021-437","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2013-1629","GHSA-g3p5-fjj9-h8gj"],"details":"pip before 1.3 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which allows man-in-the-middle attackers to execute arbitrary code via a crafted response to a \"pip install\" operation.","fixed_in":["1.3"],"id":"PYSEC-2013-8","link":"https://osv.dev/vulnerability/PYSEC-2013-8","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2013-1888","GHSA-4gv5-qhvr-36vv"],"details":"pip before 1.3 allows local users to overwrite arbitrary files via a symlink attack on a file in the /tmp/pip-build temporary directory.","fixed_in":["1.3"],"id":"PYSEC-2013-9","link":"https://osv.dev/vulnerability/PYSEC-2013-9","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2019-20916"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py. A fix was committed 6704f2ace.","fixed_in":["19.2"],"id":"GHSA-gpvv-69j7-gwj8","link":"https://osv.dev/vulnerability/GHSA-gpvv-69j7-gwj8","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"GHSA-5xp3-jfq3-5q8x","link":"https://osv.dev/vulnerability/GHSA-5xp3-jfq3-5q8x","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2013-1888"],"details":"pip before 1.3 allows local users to overwrite arbitrary files via a symlink attack on a file in the /tmp/pip-build temporary directory.","fixed_in":["1.3"],"id":"GHSA-4gv5-qhvr-36vv","link":"https://osv.dev/vulnerability/GHSA-4gv5-qhvr-36vv","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2013-1629"],"details":"pip before 1.3 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which allows man-in-the-middle attackers to execute arbitrary code via a crafted response to a \"pip install\" operation.","fixed_in":["1.3"],"id":"GHSA-g3p5-fjj9-h8gj","link":"https://osv.dev/vulnerability/GHSA-g3p5-fjj9-h8gj","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2013-5123"],"details":"The mirroring support (-M, --use-mirrors) in Python Pip before 1.5 uses insecure DNS querying and authenticity checks which allows attackers to perform man-in-the-middle attacks.","fixed_in":["1.5"],"id":"GHSA-c5h8-cq4v-cvfm","link":"https://osv.dev/vulnerability/GHSA-c5h8-cq4v-cvfm","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2014-8991"],"details":"pip 1.3 through 1.5.6 allows local users to cause a denial of service (prevention of package installation) by creating a `/tmp/pip-build-*` file for another user.","fixed_in":["6.0"],"id":"GHSA-53mr-44pp-crf4","link":"https://osv.dev/vulnerability/GHSA-53mr-44pp-crf4","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the `hg clone` call (e.g. `--config`). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.","fixed_in":["23.3"],"id":"GHSA-mq26-g339-26xf","link":"https://osv.dev/vulnerability/GHSA-mq26-g339-26xf","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL  (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n","fixed_in":["23.3"],"id":"PYSEC-2023-228","link":"https://osv.dev/vulnerability/PYSEC-2023-228","source":"osv","summary":null,"withdrawn":null}]},"1.2":{"info":{"author":"The pip developers","author_email":"python-virtualenv@groups.google.com","bugtrack_url":null,"classifiers":["Development Status :: 5 - Production/Stable","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Programming Language :: Python :: 2","Programming Language :: Python :: 2.5","Programming Language :: Python :: 2.6","Programming Language :: Python :: 2.7","Programming Language :: Python :: 3","Programming Language :: Python :: 3.1","Programming Language :: Python :: 3.2","Topic :: Software Development :: Build Tools"],"description_content_type":null,"docs_url":null,"download_url":"UNKNOWN","downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"http://www.pip-installer.org","keywords":"easy_install distutils setuptools egg virtualenv","license":"MIT","maintainer":null,"maintainer_email":null,"name":"pip","package_url":"https://pypi.org/project/pip/","platform":"UNKNOWN","project_url":"https://pypi.org/project/pip/","project_urls":{"Download":"UNKNOWN","Homepage":"http://www.pip-installer.org"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/1.2/","requires_dist":null,"requires_python":null,"summary":"pip installs packages. Python packages. An easy_install replacement","version":"1.2","yanked":false,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"bac34e1f892f41aaa217fe0d1f827fa05928783349c69f3cc06fdd68e112678a","md5":"99e44d1d7f88b182459e7c19c45aee9f","sha256":"2b168f1987403f1dc6996a1f22a6f6637b751b7ab6ff27e78380b8d6e70aa314"},"downloads":-1,"filename":"pip-1.2.tar.gz","has_sig":false,"md5_digest":"99e44d1d7f88b182459e7c19c45aee9f","packagetype":"sdist","python_version":"source","requires_python":null,"size":94455,"upload_time":"2012-09-01T20:00:19","upload_time_iso_8601":"2012-09-01T20:00:19.003287Z","url":"https://files.pythonhosted.org/packages/ba/c3/4e1f892f41aaa217fe0d1f827fa05928783349c69f3cc06fdd68e112678a/pip-1.2.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[{"aliases":["CVE-2013-5123","GHSA-c5h8-cq4v-cvfm"],"details":"The mirroring support (-M, --use-mirrors) in Python Pip before 1.5 uses insecure DNS querying and authenticity checks which allows attackers to perform man-in-the-middle attacks.","fixed_in":["1.5"],"id":"PYSEC-2019-160","link":"https://osv.dev/vulnerability/PYSEC-2019-160","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2019-20916","GHSA-gpvv-69j7-gwj8"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py.","fixed_in":["19.2"],"id":"PYSEC-2020-173","link":"https://osv.dev/vulnerability/PYSEC-2020-173","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572","GHSA-5xp3-jfq3-5q8x"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"PYSEC-2021-437","link":"https://osv.dev/vulnerability/PYSEC-2021-437","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2013-1629","GHSA-g3p5-fjj9-h8gj"],"details":"pip before 1.3 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which allows man-in-the-middle attackers to execute arbitrary code via a crafted response to a \"pip install\" operation.","fixed_in":["1.3"],"id":"PYSEC-2013-8","link":"https://osv.dev/vulnerability/PYSEC-2013-8","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2013-1888","GHSA-4gv5-qhvr-36vv"],"details":"pip before 1.3 allows local users to overwrite arbitrary files via a symlink attack on a file in the /tmp/pip-build temporary directory.","fixed_in":["1.3"],"id":"PYSEC-2013-9","link":"https://osv.dev/vulnerability/PYSEC-2013-9","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2019-20916"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py. A fix was committed 6704f2ace.","fixed_in":["19.2"],"id":"GHSA-gpvv-69j7-gwj8","link":"https://osv.dev/vulnerability/GHSA-gpvv-69j7-gwj8","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"GHSA-5xp3-jfq3-5q8x","link":"https://osv.dev/vulnerability/GHSA-5xp3-jfq3-5q8x","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2013-1888"],"details":"pip before 1.3 allows local users to overwrite arbitrary files via a symlink attack on a file in the /tmp/pip-build temporary directory.","fixed_in":["1.3"],"id":"GHSA-4gv5-qhvr-36vv","link":"https://osv.dev/vulnerability/GHSA-4gv5-qhvr-36vv","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2013-1629"],"details":"pip before 1.3 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which allows man-in-the-middle attackers to execute arbitrary code via a crafted response to a \"pip install\" operation.","fixed_in":["1.3"],"id":"GHSA-g3p5-fjj9-h8gj","link":"https://osv.dev/vulnerability/GHSA-g3p5-fjj9-h8gj","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2013-5123"],"details":"The mirroring support (-M, --use-mirrors) in Python Pip before 1.5 uses insecure DNS querying and authenticity checks which allows attackers to perform man-in-the-middle attacks.","fixed_in":["1.5"],"id":"GHSA-c5h8-cq4v-cvfm","link":"https://osv.dev/vulnerability/GHSA-c5h8-cq4v-cvfm","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2014-8991"],"details":"pip 1.3 through 1.5.6 allows local users to cause a denial of service (prevention of package installation) by creating a `/tmp/pip-build-*` file for another user.","fixed_in":["6.0"],"id":"GHSA-53mr-44pp-crf4","link":"https://osv.dev/vulnerability/GHSA-53mr-44pp-crf4","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the `hg clone` call (e.g. `--config`). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.","fixed_in":["23.3"],"id":"GHSA-mq26-g339-26xf","link":"https://osv.dev/vulnerability/GHSA-mq26-g339-26xf","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL  (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n","fixed_in":["23.3"],"id":"PYSEC-2023-228","link":"https://osv.dev/vulnerability/PYSEC-2023-228","source":"osv","summary":null,"withdrawn":null}]},"1.2.1":{"info":{"author":"The pip developers","author_email":"python-virtualenv@groups.google.com","bugtrack_url":null,"classifiers":["Development Status :: 5 - Production/Stable","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Programming Language :: Python :: 2","Programming Language :: Python :: 2.5","Programming Language :: Python :: 2.6","Programming Language :: Python :: 2.7","Programming Language :: Python :: 3","Programming Language :: Python :: 3.1","Programming Language :: Python :: 3.2","Topic :: Software Development :: Build Tools"],"description_content_type":null,"docs_url":null,"download_url":"UNKNOWN","downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"http://www.pip-installer.org","keywords":"easy_install distutils setuptools egg virtualenv","license":"MIT","maintainer":null,"maintainer_email":null,"name":"pip","package_url":"https://pypi.org/project/pip/","platform":"UNKNOWN","project_url":"https://pypi.org/project/pip/","project_urls":{"Download":"UNKNOWN","Homepage":"http://www.pip-installer.org"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/1.2.1/","requires_dist":null,"requires_python":null,"summary":"pip installs packages. Python packages. An easy_install replacement","version":"1.2.1","yanked":false,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"c3a2a63244da32afd9ce9a8ca1bd86e71610039adea8b8314046ebe5047527a6","md5":"db8a6d8a4564d3dc7f337ebed67b1a85","sha256":"12a9302acfca62cdc7bc5d83386cac3e0581db61ac39acdb3a4e766a16b88eb1"},"downloads":-1,"filename":"pip-1.2.1.tar.gz","has_sig":false,"md5_digest":"db8a6d8a4564d3dc7f337ebed67b1a85","packagetype":"sdist","python_version":"source","requires_python":null,"size":102413,"upload_time":"2012-09-06T08:30:42","upload_time_iso_8601":"2012-09-06T08:30:42.709931Z","url":"https://files.pythonhosted.org/packages/c3/a2/a63244da32afd9ce9a8ca1bd86e71610039adea8b8314046ebe5047527a6/pip-1.2.1.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[{"aliases":["CVE-2013-5123","GHSA-c5h8-cq4v-cvfm"],"details":"The mirroring support (-M, --use-mirrors) in Python Pip before 1.5 uses insecure DNS querying and authenticity checks which allows attackers to perform man-in-the-middle attacks.","fixed_in":["1.5"],"id":"PYSEC-2019-160","link":"https://osv.dev/vulnerability/PYSEC-2019-160","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2019-20916","GHSA-gpvv-69j7-gwj8"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py.","fixed_in":["19.2"],"id":"PYSEC-2020-173","link":"https://osv.dev/vulnerability/PYSEC-2020-173","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572","GHSA-5xp3-jfq3-5q8x"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"PYSEC-2021-437","link":"https://osv.dev/vulnerability/PYSEC-2021-437","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2013-1629","GHSA-g3p5-fjj9-h8gj"],"details":"pip before 1.3 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which allows man-in-the-middle attackers to execute arbitrary code via a crafted response to a \"pip install\" operation.","fixed_in":["1.3"],"id":"PYSEC-2013-8","link":"https://osv.dev/vulnerability/PYSEC-2013-8","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2013-1888","GHSA-4gv5-qhvr-36vv"],"details":"pip before 1.3 allows local users to overwrite arbitrary files via a symlink attack on a file in the /tmp/pip-build temporary directory.","fixed_in":["1.3"],"id":"PYSEC-2013-9","link":"https://osv.dev/vulnerability/PYSEC-2013-9","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2019-20916"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py. A fix was committed 6704f2ace.","fixed_in":["19.2"],"id":"GHSA-gpvv-69j7-gwj8","link":"https://osv.dev/vulnerability/GHSA-gpvv-69j7-gwj8","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"GHSA-5xp3-jfq3-5q8x","link":"https://osv.dev/vulnerability/GHSA-5xp3-jfq3-5q8x","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2013-1888"],"details":"pip before 1.3 allows local users to overwrite arbitrary files via a symlink attack on a file in the /tmp/pip-build temporary directory.","fixed_in":["1.3"],"id":"GHSA-4gv5-qhvr-36vv","link":"https://osv.dev/vulnerability/GHSA-4gv5-qhvr-36vv","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2013-1629"],"details":"pip before 1.3 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which allows man-in-the-middle attackers to execute arbitrary code via a crafted response to a \"pip install\" operation.","fixed_in":["1.3"],"id":"GHSA-g3p5-fjj9-h8gj","link":"https://osv.dev/vulnerability/GHSA-g3p5-fjj9-h8gj","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2013-5123"],"details":"The mirroring support (-M, --use-mirrors) in Python Pip before 1.5 uses insecure DNS querying and authenticity checks which allows attackers to perform man-in-the-middle attacks.","fixed_in":["1.5"],"id":"GHSA-c5h8-cq4v-cvfm","link":"https://osv.dev/vulnerability/GHSA-c5h8-cq4v-cvfm","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2014-8991"],"details":"pip 1.3 through 1.5.6 allows local users to cause a denial of service (prevention of package installation) by creating a `/tmp/pip-build-*` file for another user.","fixed_in":["6.0"],"id":"GHSA-53mr-44pp-crf4","link":"https://osv.dev/vulnerability/GHSA-53mr-44pp-crf4","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the `hg clone` call (e.g. `--config`). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.","fixed_in":["23.3"],"id":"GHSA-mq26-g339-26xf","link":"https://osv.dev/vulnerability/GHSA-mq26-g339-26xf","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL  (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n","fixed_in":["23.3"],"id":"PYSEC-2023-228","link":"https://osv.dev/vulnerability/PYSEC-2023-228","source":"osv","summary":null,"withdrawn":null}]},"1.3":{"info":{"author":"The pip developers","author_email":"python-virtualenv@groups.google.com","bugtrack_url":null,"classifiers":["Development Status :: 5 - Production/Stable","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Programming Language :: Python :: 2","Programming Language :: Python :: 2.5","Programming Language :: Python :: 2.6","Programming Language :: Python :: 2.7","Programming Language :: Python :: 3","Programming Language :: Python :: 3.1","Programming Language :: Python :: 3.2","Topic :: Software Development :: Build Tools"],"description_content_type":null,"docs_url":null,"download_url":"UNKNOWN","downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"http://www.pip-installer.org","keywords":"easy_install distutils setuptools egg virtualenv","license":"MIT","maintainer":null,"maintainer_email":null,"name":"pip","package_url":"https://pypi.org/project/pip/","platform":"UNKNOWN","project_url":"https://pypi.org/project/pip/","project_urls":{"Download":"UNKNOWN","Homepage":"http://www.pip-installer.org"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/1.3/","requires_dist":null,"requires_python":null,"summary":"A tool for installing and managing Python packages.","version":"1.3","yanked":false,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"004569d4f2602b80550bfb26cfd2f62c2f05b3b5c7352705d3766cd1e5b27648","md5":"918559b784e2aca9559d498050bb86e7","sha256":"d6a13c5be316cb21a0243047c7f163f47e88973ebccff8d32e63ca1bf4d9321c"},"downloads":-1,"filename":"pip-1.3.tar.gz","has_sig":false,"md5_digest":"918559b784e2aca9559d498050bb86e7","packagetype":"sdist","python_version":"source","requires_python":null,"size":247401,"upload_time":"2013-03-07T21:38:47","upload_time_iso_8601":"2013-03-07T21:38:47.856575Z","url":"https://files.pythonhosted.org/packages/00/45/69d4f2602b80550bfb26cfd2f62c2f05b3b5c7352705d3766cd1e5b27648/pip-1.3.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[{"aliases":["CVE-2013-5123","GHSA-c5h8-cq4v-cvfm"],"details":"The mirroring support (-M, --use-mirrors) in Python Pip before 1.5 uses insecure DNS querying and authenticity checks which allows attackers to perform man-in-the-middle attacks.","fixed_in":["1.5"],"id":"PYSEC-2019-160","link":"https://osv.dev/vulnerability/PYSEC-2019-160","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2019-20916","GHSA-gpvv-69j7-gwj8"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py.","fixed_in":["19.2"],"id":"PYSEC-2020-173","link":"https://osv.dev/vulnerability/PYSEC-2020-173","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2014-8991"],"details":"pip 1.3 through 1.5.6 allows local users to cause a denial of service (prevention of package installation) by creating a /tmp/pip-build-* file for another user.","fixed_in":["6.0"],"id":"PYSEC-2014-11","link":"https://osv.dev/vulnerability/PYSEC-2014-11","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572","GHSA-5xp3-jfq3-5q8x"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"PYSEC-2021-437","link":"https://osv.dev/vulnerability/PYSEC-2021-437","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2019-20916"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py. A fix was committed 6704f2ace.","fixed_in":["19.2"],"id":"GHSA-gpvv-69j7-gwj8","link":"https://osv.dev/vulnerability/GHSA-gpvv-69j7-gwj8","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"GHSA-5xp3-jfq3-5q8x","link":"https://osv.dev/vulnerability/GHSA-5xp3-jfq3-5q8x","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2013-5123"],"details":"The mirroring support (-M, --use-mirrors) in Python Pip before 1.5 uses insecure DNS querying and authenticity checks which allows attackers to perform man-in-the-middle attacks.","fixed_in":["1.5"],"id":"GHSA-c5h8-cq4v-cvfm","link":"https://osv.dev/vulnerability/GHSA-c5h8-cq4v-cvfm","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2014-8991"],"details":"pip 1.3 through 1.5.6 allows local users to cause a denial of service (prevention of package installation) by creating a `/tmp/pip-build-*` file for another user.","fixed_in":["6.0"],"id":"GHSA-53mr-44pp-crf4","link":"https://osv.dev/vulnerability/GHSA-53mr-44pp-crf4","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the `hg clone` call (e.g. `--config`). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.","fixed_in":["23.3"],"id":"GHSA-mq26-g339-26xf","link":"https://osv.dev/vulnerability/GHSA-mq26-g339-26xf","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL  (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n","fixed_in":["23.3"],"id":"PYSEC-2023-228","link":"https://osv.dev/vulnerability/PYSEC-2023-228","source":"osv","summary":null,"withdrawn":null}]},"1.3.1":{"info":{"author":"The pip developers","author_email":"python-virtualenv@groups.google.com","bugtrack_url":null,"classifiers":["Development Status :: 5 - Production/Stable","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Programming Language :: Python :: 2","Programming Language :: Python :: 2.5","Programming Language :: Python :: 2.6","Programming Language :: Python :: 2.7","Programming Language :: Python :: 3","Programming Language :: Python :: 3.1","Programming Language :: Python :: 3.2","Topic :: Software Development :: Build Tools"],"description_content_type":null,"docs_url":null,"download_url":"UNKNOWN","downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"http://www.pip-installer.org","keywords":"easy_install distutils setuptools egg virtualenv","license":"MIT","maintainer":"","maintainer_email":"","name":"pip","package_url":"https://pypi.org/project/pip/","platform":"UNKNOWN","project_url":"https://pypi.org/project/pip/","project_urls":{"Download":"UNKNOWN","Homepage":"http://www.pip-installer.org"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/1.3.1/","requires_dist":null,"requires_python":null,"summary":"A tool for installing and managing Python packages.","version":"1.3.1","yanked":false,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"5bcef5b98104f1c10d868936c25f7c597f492d4371aa9ad5fb61a94954ee7208","md5":"cbb27a191cebc58997c4da8513863153","sha256":"145eaa5d1ea1b062663da1f3a97780d7edea4c63c68a37c463b1deedf7bb4957"},"downloads":-1,"filename":"pip-1.3.1.tar.gz","has_sig":false,"md5_digest":"cbb27a191cebc58997c4da8513863153","packagetype":"sdist","python_version":"source","requires_python":null,"size":247594,"upload_time":"2013-03-07T23:15:15","upload_time_iso_8601":"2013-03-07T23:15:15.627713Z","url":"https://files.pythonhosted.org/packages/5b/ce/f5b98104f1c10d868936c25f7c597f492d4371aa9ad5fb61a94954ee7208/pip-1.3.1.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[{"aliases":["CVE-2013-5123","GHSA-c5h8-cq4v-cvfm"],"details":"The mirroring support (-M, --use-mirrors) in Python Pip before 1.5 uses insecure DNS querying and authenticity checks which allows attackers to perform man-in-the-middle attacks.","fixed_in":["1.5"],"id":"PYSEC-2019-160","link":"https://osv.dev/vulnerability/PYSEC-2019-160","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2019-20916","GHSA-gpvv-69j7-gwj8"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py.","fixed_in":["19.2"],"id":"PYSEC-2020-173","link":"https://osv.dev/vulnerability/PYSEC-2020-173","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2014-8991"],"details":"pip 1.3 through 1.5.6 allows local users to cause a denial of service (prevention of package installation) by creating a /tmp/pip-build-* file for another user.","fixed_in":["6.0"],"id":"PYSEC-2014-11","link":"https://osv.dev/vulnerability/PYSEC-2014-11","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572","GHSA-5xp3-jfq3-5q8x"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"PYSEC-2021-437","link":"https://osv.dev/vulnerability/PYSEC-2021-437","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2019-20916"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py. A fix was committed 6704f2ace.","fixed_in":["19.2"],"id":"GHSA-gpvv-69j7-gwj8","link":"https://osv.dev/vulnerability/GHSA-gpvv-69j7-gwj8","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"GHSA-5xp3-jfq3-5q8x","link":"https://osv.dev/vulnerability/GHSA-5xp3-jfq3-5q8x","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2013-5123"],"details":"The mirroring support (-M, --use-mirrors) in Python Pip before 1.5 uses insecure DNS querying and authenticity checks which allows attackers to perform man-in-the-middle attacks.","fixed_in":["1.5"],"id":"GHSA-c5h8-cq4v-cvfm","link":"https://osv.dev/vulnerability/GHSA-c5h8-cq4v-cvfm","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2014-8991"],"details":"pip 1.3 through 1.5.6 allows local users to cause a denial of service (prevention of package installation) by creating a `/tmp/pip-build-*` file for another user.","fixed_in":["6.0"],"id":"GHSA-53mr-44pp-crf4","link":"https://osv.dev/vulnerability/GHSA-53mr-44pp-crf4","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the `hg clone` call (e.g. `--config`). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.","fixed_in":["23.3"],"id":"GHSA-mq26-g339-26xf","link":"https://osv.dev/vulnerability/GHSA-mq26-g339-26xf","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL  (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n","fixed_in":["23.3"],"id":"PYSEC-2023-228","link":"https://osv.dev/vulnerability/PYSEC-2023-228","source":"osv","summary":null,"withdrawn":null}]},"1.4":{"info":{"author":"The pip developers","author_email":"python-virtualenv@groups.google.com","bugtrack_url":null,"classifiers":["Development Status :: 5 - Production/Stable","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Programming Language :: Python :: 2","Programming Language :: Python :: 2.5","Programming Language :: Python :: 2.6","Programming Language :: Python :: 2.7","Programming Language :: Python :: 3","Programming Language :: Python :: 3.1","Programming Language :: Python :: 3.2","Programming Language :: Python :: 3.3","Topic :: Software Development :: Build Tools"],"description_content_type":null,"docs_url":null,"download_url":"UNKNOWN","downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"http://www.pip-installer.org","keywords":"easy_install distutils setuptools egg virtualenv","license":"MIT","maintainer":null,"maintainer_email":null,"name":"pip","package_url":"https://pypi.org/project/pip/","platform":"UNKNOWN","project_url":"https://pypi.org/project/pip/","project_urls":{"Download":"UNKNOWN","Homepage":"http://www.pip-installer.org"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/1.4/","requires_dist":null,"requires_python":null,"summary":"A tool for installing and managing Python packages.","version":"1.4","yanked":false,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"5fd03b3958f6a58783bae44158b2c4c7827ae89abaecdd4bed12cff402620b9a","md5":"ca790be30004937987767eac42cfa44a","sha256":"1fd43cbf07d95ddcecbb795c97a1674b3ddb711bb4a67661284a5aa765aa1b97"},"downloads":-1,"filename":"pip-1.4.tar.gz","has_sig":false,"md5_digest":"ca790be30004937987767eac42cfa44a","packagetype":"sdist","python_version":"source","requires_python":null,"size":443790,"upload_time":"2013-07-23T20:59:34","upload_time_iso_8601":"2013-07-23T20:59:34.269840Z","url":"https://files.pythonhosted.org/packages/5f/d0/3b3958f6a58783bae44158b2c4c7827ae89abaecdd4bed12cff402620b9a/pip-1.4.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[{"aliases":["CVE-2013-5123","GHSA-c5h8-cq4v-cvfm"],"details":"The mirroring support (-M, --use-mirrors) in Python Pip before 1.5 uses insecure DNS querying and authenticity checks which allows attackers to perform man-in-the-middle attacks.","fixed_in":["1.5"],"id":"PYSEC-2019-160","link":"https://osv.dev/vulnerability/PYSEC-2019-160","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2019-20916","GHSA-gpvv-69j7-gwj8"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py.","fixed_in":["19.2"],"id":"PYSEC-2020-173","link":"https://osv.dev/vulnerability/PYSEC-2020-173","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2014-8991"],"details":"pip 1.3 through 1.5.6 allows local users to cause a denial of service (prevention of package installation) by creating a /tmp/pip-build-* file for another user.","fixed_in":["6.0"],"id":"PYSEC-2014-11","link":"https://osv.dev/vulnerability/PYSEC-2014-11","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572","GHSA-5xp3-jfq3-5q8x"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"PYSEC-2021-437","link":"https://osv.dev/vulnerability/PYSEC-2021-437","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2019-20916"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py. A fix was committed 6704f2ace.","fixed_in":["19.2"],"id":"GHSA-gpvv-69j7-gwj8","link":"https://osv.dev/vulnerability/GHSA-gpvv-69j7-gwj8","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"GHSA-5xp3-jfq3-5q8x","link":"https://osv.dev/vulnerability/GHSA-5xp3-jfq3-5q8x","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2013-5123"],"details":"The mirroring support (-M, --use-mirrors) in Python Pip before 1.5 uses insecure DNS querying and authenticity checks which allows attackers to perform man-in-the-middle attacks.","fixed_in":["1.5"],"id":"GHSA-c5h8-cq4v-cvfm","link":"https://osv.dev/vulnerability/GHSA-c5h8-cq4v-cvfm","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2014-8991"],"details":"pip 1.3 through 1.5.6 allows local users to cause a denial of service (prevention of package installation) by creating a `/tmp/pip-build-*` file for another user.","fixed_in":["6.0"],"id":"GHSA-53mr-44pp-crf4","link":"https://osv.dev/vulnerability/GHSA-53mr-44pp-crf4","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the `hg clone` call (e.g. `--config`). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.","fixed_in":["23.3"],"id":"GHSA-mq26-g339-26xf","link":"https://osv.dev/vulnerability/GHSA-mq26-g339-26xf","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL  (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n","fixed_in":["23.3"],"id":"PYSEC-2023-228","link":"https://osv.dev/vulnerability/PYSEC-2023-228","source":"osv","summary":null,"withdrawn":null}]},"1.4.1":{"info":{"author":"The pip developers","author_email":"python-virtualenv@groups.google.com","bugtrack_url":null,"classifiers":["Development Status :: 5 - Production/Stable","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Programming Language :: Python :: 2","Programming Language :: Python :: 2.5","Programming Language :: Python :: 2.6","Programming Language :: Python :: 2.7","Programming Language :: Python :: 3","Programming Language :: Python :: 3.1","Programming Language :: Python :: 3.2","Programming Language :: Python :: 3.3","Topic :: Software Development :: Build Tools"],"description_content_type":null,"docs_url":null,"download_url":"UNKNOWN","downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"http://www.pip-installer.org","keywords":"easy_install distutils setuptools egg virtualenv","license":"MIT","maintainer":null,"maintainer_email":null,"name":"pip","package_url":"https://pypi.org/project/pip/","platform":"UNKNOWN","project_url":"https://pypi.org/project/pip/","project_urls":{"Download":"UNKNOWN","Homepage":"http://www.pip-installer.org"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/1.4.1/","requires_dist":null,"requires_python":null,"summary":"A tool for installing and managing Python packages.","version":"1.4.1","yanked":false,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"3ff8da390e0df72fb61d176b25a4b95262e3dcc14bda0ad25ac64d56db38b667","md5":"6afbb46aeb48abac658d4df742bff714","sha256":"4e7a06554711a624c35d0c646f63674b7f6bfc7f80221bf1eb1f631bd890d04e"},"downloads":-1,"filename":"pip-1.4.1.tar.gz","has_sig":false,"md5_digest":"6afbb46aeb48abac658d4df742bff714","packagetype":"sdist","python_version":"source","requires_python":null,"size":445199,"upload_time":"2013-08-08T01:12:00","upload_time_iso_8601":"2013-08-08T01:12:00.193927Z","url":"https://files.pythonhosted.org/packages/3f/f8/da390e0df72fb61d176b25a4b95262e3dcc14bda0ad25ac64d56db38b667/pip-1.4.1.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[{"aliases":["CVE-2013-5123","GHSA-c5h8-cq4v-cvfm"],"details":"The mirroring support (-M, --use-mirrors) in Python Pip before 1.5 uses insecure DNS querying and authenticity checks which allows attackers to perform man-in-the-middle attacks.","fixed_in":["1.5"],"id":"PYSEC-2019-160","link":"https://osv.dev/vulnerability/PYSEC-2019-160","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2019-20916","GHSA-gpvv-69j7-gwj8"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py.","fixed_in":["19.2"],"id":"PYSEC-2020-173","link":"https://osv.dev/vulnerability/PYSEC-2020-173","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2014-8991"],"details":"pip 1.3 through 1.5.6 allows local users to cause a denial of service (prevention of package installation) by creating a /tmp/pip-build-* file for another user.","fixed_in":["6.0"],"id":"PYSEC-2014-11","link":"https://osv.dev/vulnerability/PYSEC-2014-11","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572","GHSA-5xp3-jfq3-5q8x"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"PYSEC-2021-437","link":"https://osv.dev/vulnerability/PYSEC-2021-437","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2019-20916"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py. A fix was committed 6704f2ace.","fixed_in":["19.2"],"id":"GHSA-gpvv-69j7-gwj8","link":"https://osv.dev/vulnerability/GHSA-gpvv-69j7-gwj8","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"GHSA-5xp3-jfq3-5q8x","link":"https://osv.dev/vulnerability/GHSA-5xp3-jfq3-5q8x","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2013-5123"],"details":"The mirroring support (-M, --use-mirrors) in Python Pip before 1.5 uses insecure DNS querying and authenticity checks which allows attackers to perform man-in-the-middle attacks.","fixed_in":["1.5"],"id":"GHSA-c5h8-cq4v-cvfm","link":"https://osv.dev/vulnerability/GHSA-c5h8-cq4v-cvfm","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2014-8991"],"details":"pip 1.3 through 1.5.6 allows local users to cause a denial of service (prevention of package installation) by creating a `/tmp/pip-build-*` file for another user.","fixed_in":["6.0"],"id":"GHSA-53mr-44pp-crf4","link":"https://osv.dev/vulnerability/GHSA-53mr-44pp-crf4","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the `hg clone` call (e.g. `--config`). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.","fixed_in":["23.3"],"id":"GHSA-mq26-g339-26xf","link":"https://osv.dev/vulnerability/GHSA-mq26-g339-26xf","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL  (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n","fixed_in":["23.3"],"id":"PYSEC-2023-228","link":"https://osv.dev/vulnerability/PYSEC-2023-228","source":"osv","summary":null,"withdrawn":null}]},"1.5":{"info":{"author":"The pip developers","author_email":"python-virtualenv@groups.google.com","bugtrack_url":null,"classifiers":["Development Status :: 5 - Production/Stable","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Programming Language :: Python :: 2","Programming Language :: Python :: 2.6","Programming Language :: Python :: 2.7","Programming Language :: Python :: 3","Programming Language :: Python :: 3.1","Programming Language :: Python :: 3.2","Programming Language :: Python :: 3.3","Topic :: Software Development :: Build Tools"],"description_content_type":null,"docs_url":null,"download_url":null,"downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"http://www.pip-installer.org","keywords":"easy_install distutils setuptools egg virtualenv","license":"MIT","maintainer":null,"maintainer_email":null,"name":"pip","package_url":"https://pypi.org/project/pip/","platform":"UNKNOWN","project_url":"https://pypi.org/project/pip/","project_urls":{"Homepage":"http://www.pip-installer.org"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/1.5/","requires_dist":null,"requires_python":null,"summary":"A tool for installing and managing Python packages.","version":"1.5","yanked":false,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"4f7de53bc80667378125a9e07d4929a61b0bd7128a1129dbe6f07bb3228652a3","md5":"6969b8a8adc4c7f7c5eb1707118f0686","sha256":"25f81d1a0e55d3b1709818dd57fdfb954b028f229f09bd69cb0bc80a8e03e048"},"downloads":-1,"filename":"pip-1.5.tar.gz","has_sig":false,"md5_digest":"6969b8a8adc4c7f7c5eb1707118f0686","packagetype":"sdist","python_version":"source","requires_python":null,"size":898803,"upload_time":"2014-01-02T13:54:21","upload_time_iso_8601":"2014-01-02T13:54:21.142722Z","url":"https://files.pythonhosted.org/packages/4f/7d/e53bc80667378125a9e07d4929a61b0bd7128a1129dbe6f07bb3228652a3/pip-1.5.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[{"aliases":["CVE-2019-20916","GHSA-gpvv-69j7-gwj8"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py.","fixed_in":["19.2"],"id":"PYSEC-2020-173","link":"https://osv.dev/vulnerability/PYSEC-2020-173","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2014-8991"],"details":"pip 1.3 through 1.5.6 allows local users to cause a denial of service (prevention of package installation) by creating a /tmp/pip-build-* file for another user.","fixed_in":["6.0"],"id":"PYSEC-2014-11","link":"https://osv.dev/vulnerability/PYSEC-2014-11","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572","GHSA-5xp3-jfq3-5q8x"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"PYSEC-2021-437","link":"https://osv.dev/vulnerability/PYSEC-2021-437","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2019-20916"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py. A fix was committed 6704f2ace.","fixed_in":["19.2"],"id":"GHSA-gpvv-69j7-gwj8","link":"https://osv.dev/vulnerability/GHSA-gpvv-69j7-gwj8","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"GHSA-5xp3-jfq3-5q8x","link":"https://osv.dev/vulnerability/GHSA-5xp3-jfq3-5q8x","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2014-8991"],"details":"pip 1.3 through 1.5.6 allows local users to cause a denial of service (prevention of package installation) by creating a `/tmp/pip-build-*` file for another user.","fixed_in":["6.0"],"id":"GHSA-53mr-44pp-crf4","link":"https://osv.dev/vulnerability/GHSA-53mr-44pp-crf4","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the `hg clone` call (e.g. `--config`). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.","fixed_in":["23.3"],"id":"GHSA-mq26-g339-26xf","link":"https://osv.dev/vulnerability/GHSA-mq26-g339-26xf","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL  (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n","fixed_in":["23.3"],"id":"PYSEC-2023-228","link":"https://osv.dev/vulnerability/PYSEC-2023-228","source":"osv","summary":null,"withdrawn":null}]},"1.5.1":{"info":{"author":"The pip developers","author_email":"python-virtualenv@groups.google.com","bugtrack_url":null,"classifiers":["Development Status :: 5 - Production/Stable","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Programming Language :: Python :: 2","Programming Language :: Python :: 2.6","Programming Language :: Python :: 2.7","Programming Language :: Python :: 3","Programming Language :: Python :: 3.1","Programming Language :: Python :: 3.2","Programming Language :: Python :: 3.3","Topic :: Software Development :: Build Tools"],"description_content_type":null,"docs_url":null,"download_url":null,"downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"http://www.pip-installer.org","keywords":"easy_install distutils setuptools egg virtualenv","license":"MIT","maintainer":null,"maintainer_email":null,"name":"pip","package_url":"https://pypi.org/project/pip/","platform":"UNKNOWN","project_url":"https://pypi.org/project/pip/","project_urls":{"Homepage":"http://www.pip-installer.org"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/1.5.1/","requires_dist":["pytest; extra == 'testing'","virtualenv (>=1.10); extra == 'testing'","scripttest (>=1.3); extra == 'testing'","mock; extra == 'testing'"],"requires_python":null,"summary":"A tool for installing and managing Python packages.","version":"1.5.1","yanked":false,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"445d1dca53b5de6d287e7eb99bd174bb022eb6cb0d6ca6e19ca6b16655dde8c2","md5":"237164a09943d823b954bb9e1b2a8f67","sha256":"00960db3b0b8724dd37fe37cfb9c72ecb8f59fab9db7d17c5c1e89a1adab49ce"},"downloads":-1,"filename":"pip-1.5.1-py2.py3-none-any.whl","has_sig":false,"md5_digest":"237164a09943d823b954bb9e1b2a8f67","packagetype":"bdist_wheel","python_version":"py2.py3","requires_python":null,"size":1166177,"upload_time":"2014-01-21T03:45:41","upload_time_iso_8601":"2014-01-21T03:45:41.381865Z","url":"https://files.pythonhosted.org/packages/44/5d/1dca53b5de6d287e7eb99bd174bb022eb6cb0d6ca6e19ca6b16655dde8c2/pip-1.5.1-py2.py3-none-any.whl","yanked":false,"yanked_reason":null},{"comment_text":"","digests":{"blake2b_256":"213fd86a600c9b2f41a75caacf768a24130f343def97652de2345da15ef7911f","md5":"4678c2ae5cce4e9234c3923d7dcb32f0","sha256":"e60e936fbc101d56668c6134c1f2b5b40fcbec8b4fc4ca7fc34842b6b4c5c130"},"downloads":-1,"filename":"pip-1.5.1.tar.gz","has_sig":false,"md5_digest":"4678c2ae5cce4e9234c3923d7dcb32f0","packagetype":"sdist","python_version":"source","requires_python":null,"size":1078467,"upload_time":"2014-01-21T03:45:43","upload_time_iso_8601":"2014-01-21T03:45:43.956185Z","url":"https://files.pythonhosted.org/packages/21/3f/d86a600c9b2f41a75caacf768a24130f343def97652de2345da15ef7911f/pip-1.5.1.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[{"aliases":["CVE-2019-20916","GHSA-gpvv-69j7-gwj8"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py.","fixed_in":["19.2"],"id":"PYSEC-2020-173","link":"https://osv.dev/vulnerability/PYSEC-2020-173","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2014-8991"],"details":"pip 1.3 through 1.5.6 allows local users to cause a denial of service (prevention of package installation) by creating a /tmp/pip-build-* file for another user.","fixed_in":["6.0"],"id":"PYSEC-2014-11","link":"https://osv.dev/vulnerability/PYSEC-2014-11","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572","GHSA-5xp3-jfq3-5q8x"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"PYSEC-2021-437","link":"https://osv.dev/vulnerability/PYSEC-2021-437","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2019-20916"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py. A fix was committed 6704f2ace.","fixed_in":["19.2"],"id":"GHSA-gpvv-69j7-gwj8","link":"https://osv.dev/vulnerability/GHSA-gpvv-69j7-gwj8","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"GHSA-5xp3-jfq3-5q8x","link":"https://osv.dev/vulnerability/GHSA-5xp3-jfq3-5q8x","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2014-8991"],"details":"pip 1.3 through 1.5.6 allows local users to cause a denial of service (prevention of package installation) by creating a `/tmp/pip-build-*` file for another user.","fixed_in":["6.0"],"id":"GHSA-53mr-44pp-crf4","link":"https://osv.dev/vulnerability/GHSA-53mr-44pp-crf4","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the `hg clone` call (e.g. `--config`). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.","fixed_in":["23.3"],"id":"GHSA-mq26-g339-26xf","link":"https://osv.dev/vulnerability/GHSA-mq26-g339-26xf","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL  (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n","fixed_in":["23.3"],"id":"PYSEC-2023-228","link":"https://osv.dev/vulnerability/PYSEC-2023-228","source":"osv","summary":null,"withdrawn":null}]},"1.5.2":{"info":{"author":"The pip developers","author_email":"python-virtualenv@groups.google.com","bugtrack_url":null,"classifiers":["Development Status :: 5 - Production/Stable","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Programming Language :: Python :: 2","Programming Language :: Python :: 2.6","Programming Language :: Python :: 2.7","Programming Language :: Python :: 3","Programming Language :: Python :: 3.1","Programming Language :: Python :: 3.2","Programming Language :: Python :: 3.3","Topic :: Software Development :: Build Tools"],"description_content_type":null,"docs_url":null,"download_url":null,"downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"http://www.pip-installer.org","keywords":"easy_install distutils setuptools egg virtualenv","license":"MIT","maintainer":null,"maintainer_email":null,"name":"pip","package_url":"https://pypi.org/project/pip/","platform":"UNKNOWN","project_url":"https://pypi.org/project/pip/","project_urls":{"Homepage":"http://www.pip-installer.org"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/1.5.2/","requires_dist":["pytest; extra == 'testing'","virtualenv (>=1.10); extra == 'testing'","scripttest (>=1.3); extra == 'testing'","mock; extra == 'testing'"],"requires_python":null,"summary":"A tool for installing and managing Python packages.","version":"1.5.2","yanked":false,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"3d1f227d77d5e9ed2df5162de4ba3616799a351eccb1ecd668ae824dd26153a1","md5":"445a893564065937c0f31ac2cc8e2f35","sha256":"6903909ccdcdbc3297b74118590e71344d6d262827acd1f5c0e2fcfce9807499"},"downloads":-1,"filename":"pip-1.5.2-py2.py3-none-any.whl","has_sig":false,"md5_digest":"445a893564065937c0f31ac2cc8e2f35","packagetype":"bdist_wheel","python_version":"py2.py3","requires_python":null,"size":1167543,"upload_time":"2014-01-26T05:13:15","upload_time_iso_8601":"2014-01-26T05:13:15.543443Z","url":"https://files.pythonhosted.org/packages/3d/1f/227d77d5e9ed2df5162de4ba3616799a351eccb1ecd668ae824dd26153a1/pip-1.5.2-py2.py3-none-any.whl","yanked":false,"yanked_reason":null},{"comment_text":"","digests":{"blake2b_256":"ed94391a003107f6ec997c314199d03bff1c105af758ee490e3255353574487b","md5":"5da30919f732d68b1c666e484e7676f5","sha256":"2a8a3e08e652d3a40edbb39264bf01f8ff3c32520a79113357cca1f30533f738"},"downloads":-1,"filename":"pip-1.5.2.tar.gz","has_sig":false,"md5_digest":"5da30919f732d68b1c666e484e7676f5","packagetype":"sdist","python_version":"source","requires_python":null,"size":1079904,"upload_time":"2014-01-26T05:13:19","upload_time_iso_8601":"2014-01-26T05:13:19.697617Z","url":"https://files.pythonhosted.org/packages/ed/94/391a003107f6ec997c314199d03bff1c105af758ee490e3255353574487b/pip-1.5.2.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[{"aliases":["CVE-2019-20916","GHSA-gpvv-69j7-gwj8"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py.","fixed_in":["19.2"],"id":"PYSEC-2020-173","link":"https://osv.dev/vulnerability/PYSEC-2020-173","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2014-8991"],"details":"pip 1.3 through 1.5.6 allows local users to cause a denial of service (prevention of package installation) by creating a /tmp/pip-build-* file for another user.","fixed_in":["6.0"],"id":"PYSEC-2014-11","link":"https://osv.dev/vulnerability/PYSEC-2014-11","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572","GHSA-5xp3-jfq3-5q8x"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"PYSEC-2021-437","link":"https://osv.dev/vulnerability/PYSEC-2021-437","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2019-20916"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py. A fix was committed 6704f2ace.","fixed_in":["19.2"],"id":"GHSA-gpvv-69j7-gwj8","link":"https://osv.dev/vulnerability/GHSA-gpvv-69j7-gwj8","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"GHSA-5xp3-jfq3-5q8x","link":"https://osv.dev/vulnerability/GHSA-5xp3-jfq3-5q8x","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2014-8991"],"details":"pip 1.3 through 1.5.6 allows local users to cause a denial of service (prevention of package installation) by creating a `/tmp/pip-build-*` file for another user.","fixed_in":["6.0"],"id":"GHSA-53mr-44pp-crf4","link":"https://osv.dev/vulnerability/GHSA-53mr-44pp-crf4","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the `hg clone` call (e.g. `--config`). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.","fixed_in":["23.3"],"id":"GHSA-mq26-g339-26xf","link":"https://osv.dev/vulnerability/GHSA-mq26-g339-26xf","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL  (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n","fixed_in":["23.3"],"id":"PYSEC-2023-228","link":"https://osv.dev/vulnerability/PYSEC-2023-228","source":"osv","summary":null,"withdrawn":null}]},"1.5.3":{"info":{"author":"The pip developers","author_email":"python-virtualenv@groups.google.com","bugtrack_url":null,"classifiers":["Development Status :: 5 - Production/Stable","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Programming Language :: Python :: 2","Programming Language :: Python :: 2.6","Programming Language :: Python :: 2.7","Programming Language :: Python :: 3","Programming Language :: Python :: 3.1","Programming Language :: Python :: 3.2","Programming Language :: Python :: 3.3","Topic :: Software Development :: Build Tools"],"description_content_type":null,"docs_url":null,"download_url":"","downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"http://www.pip-installer.org","keywords":"easy_install distutils setuptools egg virtualenv","license":"MIT","maintainer":"","maintainer_email":"","name":"pip","package_url":"https://pypi.org/project/pip/","platform":"UNKNOWN","project_url":"https://pypi.org/project/pip/","project_urls":{"Homepage":"http://www.pip-installer.org"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/1.5.3/","requires_dist":["pytest; extra == 'testing'","virtualenv (>=1.10); extra == 'testing'","scripttest (>=1.3); extra == 'testing'","mock; extra == 'testing'"],"requires_python":null,"summary":"A tool for installing and managing Python packages.","version":"1.5.3","yanked":false,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"dfe9bdb53d44fad1465b43edaf6bc7dd3027ed5af81405cc97603fdff0721ebb","md5":"78126f6352f3d5f29d077be0aa7f9efa","sha256":"f0037aed3ce6cf96b9e9117d42e967a74bea9ebe19088a2fdea5de93d5762fee"},"downloads":-1,"filename":"pip-1.5.3-py2.py3-none-any.whl","has_sig":false,"md5_digest":"78126f6352f3d5f29d077be0aa7f9efa","packagetype":"bdist_wheel","python_version":"py2.py3","requires_python":null,"size":1169264,"upload_time":"2014-02-21T01:12:43","upload_time_iso_8601":"2014-02-21T01:12:43.258172Z","url":"https://files.pythonhosted.org/packages/df/e9/bdb53d44fad1465b43edaf6bc7dd3027ed5af81405cc97603fdff0721ebb/pip-1.5.3-py2.py3-none-any.whl","yanked":false,"yanked_reason":null},{"comment_text":"","digests":{"blake2b_256":"55de671a48ad313c808623041fc475f7c8f7610401d9f573f06b40eeb84e74e3","md5":"78871c5f84ea5fca61900347ce7864ad","sha256":"dc53b4d28b88556a37cd73052b6d1d08cc644c6724e37c4d38a2e3c03c5440b2"},"downloads":-1,"filename":"pip-1.5.3.tar.gz","has_sig":false,"md5_digest":"78871c5f84ea5fca61900347ce7864ad","packagetype":"sdist","python_version":"source","requires_python":null,"size":1081890,"upload_time":"2014-02-21T01:12:46","upload_time_iso_8601":"2014-02-21T01:12:46.847075Z","url":"https://files.pythonhosted.org/packages/55/de/671a48ad313c808623041fc475f7c8f7610401d9f573f06b40eeb84e74e3/pip-1.5.3.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[{"aliases":["CVE-2019-20916","GHSA-gpvv-69j7-gwj8"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py.","fixed_in":["19.2"],"id":"PYSEC-2020-173","link":"https://osv.dev/vulnerability/PYSEC-2020-173","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2014-8991"],"details":"pip 1.3 through 1.5.6 allows local users to cause a denial of service (prevention of package installation) by creating a /tmp/pip-build-* file for another user.","fixed_in":["6.0"],"id":"PYSEC-2014-11","link":"https://osv.dev/vulnerability/PYSEC-2014-11","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572","GHSA-5xp3-jfq3-5q8x"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"PYSEC-2021-437","link":"https://osv.dev/vulnerability/PYSEC-2021-437","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2019-20916"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py. A fix was committed 6704f2ace.","fixed_in":["19.2"],"id":"GHSA-gpvv-69j7-gwj8","link":"https://osv.dev/vulnerability/GHSA-gpvv-69j7-gwj8","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"GHSA-5xp3-jfq3-5q8x","link":"https://osv.dev/vulnerability/GHSA-5xp3-jfq3-5q8x","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2014-8991"],"details":"pip 1.3 through 1.5.6 allows local users to cause a denial of service (prevention of package installation) by creating a `/tmp/pip-build-*` file for another user.","fixed_in":["6.0"],"id":"GHSA-53mr-44pp-crf4","link":"https://osv.dev/vulnerability/GHSA-53mr-44pp-crf4","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the `hg clone` call (e.g. `--config`). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.","fixed_in":["23.3"],"id":"GHSA-mq26-g339-26xf","link":"https://osv.dev/vulnerability/GHSA-mq26-g339-26xf","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL  (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n","fixed_in":["23.3"],"id":"PYSEC-2023-228","link":"https://osv.dev/vulnerability/PYSEC-2023-228","source":"osv","summary":null,"withdrawn":null}]},"1.5.4":{"info":{"author":"The pip developers","author_email":"python-virtualenv@groups.google.com","bugtrack_url":null,"classifiers":["Development Status :: 5 - Production/Stable","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Programming Language :: Python :: 2","Programming Language :: Python :: 2.6","Programming Language :: Python :: 2.7","Programming Language :: Python :: 3","Programming Language :: Python :: 3.1","Programming Language :: Python :: 3.2","Programming Language :: Python :: 3.3","Topic :: Software Development :: Build Tools"],"description_content_type":null,"docs_url":null,"download_url":"","downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"http://www.pip-installer.org","keywords":"easy_install distutils setuptools egg virtualenv","license":"MIT","maintainer":"","maintainer_email":"","name":"pip","package_url":"https://pypi.org/project/pip/","platform":"UNKNOWN","project_url":"https://pypi.org/project/pip/","project_urls":{"Homepage":"http://www.pip-installer.org"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/1.5.4/","requires_dist":["pytest; extra == 'testing'","virtualenv (>=1.10); extra == 'testing'","scripttest (>=1.3); extra == 'testing'","mock; extra == 'testing'"],"requires_python":null,"summary":"A tool for installing and managing Python packages.","version":"1.5.4","yanked":false,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"a99a9aa19fe00de4c025562e5fb3796ff8520165a7dd1a5662c6ec9816e1ae99","md5":"f20bc8f31e322375ce06b26d73ce7b4f","sha256":"fb7282556a42e84464f2e963a859ac4012d8134ba6218b70c1d82d145fcfa82f"},"downloads":-1,"filename":"pip-1.5.4-py2.py3-none-any.whl","has_sig":false,"md5_digest":"f20bc8f31e322375ce06b26d73ce7b4f","packagetype":"bdist_wheel","python_version":"py2.py3","requires_python":null,"size":1169272,"upload_time":"2014-02-21T12:19:16","upload_time_iso_8601":"2014-02-21T12:19:16.292977Z","url":"https://files.pythonhosted.org/packages/a9/9a/9aa19fe00de4c025562e5fb3796ff8520165a7dd1a5662c6ec9816e1ae99/pip-1.5.4-py2.py3-none-any.whl","yanked":false,"yanked_reason":null},{"comment_text":"","digests":{"blake2b_256":"78d86e58a7130d457edadb753a0ea5708e411c100c7e94e72ad4802feeef735c","md5":"834b2904f92d46aaa333267fb1c922bb","sha256":"70208a250bb4afdbbdd74c3ac35d4ab9ba1eb6852d02567a6a87f2f5104e30b9"},"downloads":-1,"filename":"pip-1.5.4.tar.gz","has_sig":false,"md5_digest":"834b2904f92d46aaa333267fb1c922bb","packagetype":"sdist","python_version":"source","requires_python":null,"size":1081874,"upload_time":"2014-02-21T12:19:19","upload_time_iso_8601":"2014-02-21T12:19:19.196866Z","url":"https://files.pythonhosted.org/packages/78/d8/6e58a7130d457edadb753a0ea5708e411c100c7e94e72ad4802feeef735c/pip-1.5.4.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[{"aliases":["CVE-2019-20916","GHSA-gpvv-69j7-gwj8"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py.","fixed_in":["19.2"],"id":"PYSEC-2020-173","link":"https://osv.dev/vulnerability/PYSEC-2020-173","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2014-8991"],"details":"pip 1.3 through 1.5.6 allows local users to cause a denial of service (prevention of package installation) by creating a /tmp/pip-build-* file for another user.","fixed_in":["6.0"],"id":"PYSEC-2014-11","link":"https://osv.dev/vulnerability/PYSEC-2014-11","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572","GHSA-5xp3-jfq3-5q8x"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"PYSEC-2021-437","link":"https://osv.dev/vulnerability/PYSEC-2021-437","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2019-20916"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py. A fix was committed 6704f2ace.","fixed_in":["19.2"],"id":"GHSA-gpvv-69j7-gwj8","link":"https://osv.dev/vulnerability/GHSA-gpvv-69j7-gwj8","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"GHSA-5xp3-jfq3-5q8x","link":"https://osv.dev/vulnerability/GHSA-5xp3-jfq3-5q8x","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2014-8991"],"details":"pip 1.3 through 1.5.6 allows local users to cause a denial of service (prevention of package installation) by creating a `/tmp/pip-build-*` file for another user.","fixed_in":["6.0"],"id":"GHSA-53mr-44pp-crf4","link":"https://osv.dev/vulnerability/GHSA-53mr-44pp-crf4","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the `hg clone` call (e.g. `--config`). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.","fixed_in":["23.3"],"id":"GHSA-mq26-g339-26xf","link":"https://osv.dev/vulnerability/GHSA-mq26-g339-26xf","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL  (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n","fixed_in":["23.3"],"id":"PYSEC-2023-228","link":"https://osv.dev/vulnerability/PYSEC-2023-228","source":"osv","summary":null,"withdrawn":null}]},"1.5.5":{"info":{"author":"The pip developers","author_email":"python-virtualenv@groups.google.com","bugtrack_url":null,"classifiers":["Development Status :: 5 - Production/Stable","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Programming Language :: Python :: 2","Programming Language :: Python :: 2.6","Programming Language :: Python :: 2.7","Programming Language :: Python :: 3","Programming Language :: Python :: 3.1","Programming Language :: Python :: 3.2","Programming Language :: Python :: 3.3","Topic :: Software Development :: Build Tools"],"description_content_type":null,"docs_url":null,"download_url":"","downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"https://pip.pypa.io/","keywords":"easy_install distutils setuptools egg virtualenv","license":"MIT","maintainer":"","maintainer_email":"","name":"pip","package_url":"https://pypi.org/project/pip/","platform":"UNKNOWN","project_url":"https://pypi.org/project/pip/","project_urls":{"Homepage":"https://pip.pypa.io/"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/1.5.5/","requires_dist":["pytest; extra == 'testing'","virtualenv (>=1.10); extra == 'testing'","scripttest (>=1.3); extra == 'testing'","mock; extra == 'testing'"],"requires_python":null,"summary":"A tool for installing and managing Python packages.","version":"1.5.5","yanked":false,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"cec210d996b9c51b126a9f0bb9e14a9edcdd5c88888323c0685bb9b392b6c47c","md5":"03a932d6f82a3887d8de1cdb837c87ed","sha256":"fe7a5808190067b2598d85def9b83db46e5d64a00848ad843e107c36e1db4ae6"},"downloads":-1,"filename":"pip-1.5.5-py2.py3-none-any.whl","has_sig":false,"md5_digest":"03a932d6f82a3887d8de1cdb837c87ed","packagetype":"bdist_wheel","python_version":"py2.py3","requires_python":null,"size":1173434,"upload_time":"2014-05-03T06:26:46","upload_time_iso_8601":"2014-05-03T06:26:46.261575Z","url":"https://files.pythonhosted.org/packages/ce/c2/10d996b9c51b126a9f0bb9e14a9edcdd5c88888323c0685bb9b392b6c47c/pip-1.5.5-py2.py3-none-any.whl","yanked":false,"yanked_reason":null},{"comment_text":"","digests":{"blake2b_256":"8801a442fde40bd9aaf837612536f16ab751fac628807fd718690795b8ade77d","md5":"7520581ba0687dec1ce85bd15496537b","sha256":"4b7f5124364ae9b5ba833dcd8813a84c1c06fba1d7c8543323c7af4b33188eca"},"downloads":-1,"filename":"pip-1.5.5.tar.gz","has_sig":false,"md5_digest":"7520581ba0687dec1ce85bd15496537b","packagetype":"sdist","python_version":"source","requires_python":null,"size":1084356,"upload_time":"2014-05-03T06:26:49","upload_time_iso_8601":"2014-05-03T06:26:49.668653Z","url":"https://files.pythonhosted.org/packages/88/01/a442fde40bd9aaf837612536f16ab751fac628807fd718690795b8ade77d/pip-1.5.5.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[{"aliases":["CVE-2019-20916","GHSA-gpvv-69j7-gwj8"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py.","fixed_in":["19.2"],"id":"PYSEC-2020-173","link":"https://osv.dev/vulnerability/PYSEC-2020-173","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2014-8991"],"details":"pip 1.3 through 1.5.6 allows local users to cause a denial of service (prevention of package installation) by creating a /tmp/pip-build-* file for another user.","fixed_in":["6.0"],"id":"PYSEC-2014-11","link":"https://osv.dev/vulnerability/PYSEC-2014-11","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572","GHSA-5xp3-jfq3-5q8x"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"PYSEC-2021-437","link":"https://osv.dev/vulnerability/PYSEC-2021-437","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2019-20916"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py. A fix was committed 6704f2ace.","fixed_in":["19.2"],"id":"GHSA-gpvv-69j7-gwj8","link":"https://osv.dev/vulnerability/GHSA-gpvv-69j7-gwj8","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"GHSA-5xp3-jfq3-5q8x","link":"https://osv.dev/vulnerability/GHSA-5xp3-jfq3-5q8x","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2014-8991"],"details":"pip 1.3 through 1.5.6 allows local users to cause a denial of service (prevention of package installation) by creating a `/tmp/pip-build-*` file for another user.","fixed_in":["6.0"],"id":"GHSA-53mr-44pp-crf4","link":"https://osv.dev/vulnerability/GHSA-53mr-44pp-crf4","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the `hg clone` call (e.g. `--config`). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.","fixed_in":["23.3"],"id":"GHSA-mq26-g339-26xf","link":"https://osv.dev/vulnerability/GHSA-mq26-g339-26xf","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL  (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n","fixed_in":["23.3"],"id":"PYSEC-2023-228","link":"https://osv.dev/vulnerability/PYSEC-2023-228","source":"osv","summary":null,"withdrawn":null}]},"1.5.6":{"info":{"author":"The pip developers","author_email":"python-virtualenv@groups.google.com","bugtrack_url":null,"classifiers":["Development Status :: 5 - Production/Stable","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Programming Language :: Python :: 2","Programming Language :: Python :: 2.6","Programming Language :: Python :: 2.7","Programming Language :: Python :: 3","Programming Language :: Python :: 3.1","Programming Language :: Python :: 3.2","Programming Language :: Python :: 3.3","Topic :: Software Development :: Build Tools"],"description_content_type":null,"docs_url":null,"download_url":"","downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"https://pip.pypa.io/","keywords":"easy_install distutils setuptools egg virtualenv","license":"MIT","maintainer":"","maintainer_email":"","name":"pip","package_url":"https://pypi.org/project/pip/","platform":"UNKNOWN","project_url":"https://pypi.org/project/pip/","project_urls":{"Homepage":"https://pip.pypa.io/"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/1.5.6/","requires_dist":["pytest; extra == 'testing'","virtualenv (>=1.10); extra == 'testing'","scripttest (>=1.3); extra == 'testing'","mock; extra == 'testing'"],"requires_python":null,"summary":"A tool for installing and managing Python packages.","version":"1.5.6","yanked":false,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"3f087347ca4021e7fe0f1ab8f93cbc7d2a7a7350012300ad0e0227d55625e2b8","md5":"4d4fb4b69df6731c7aeaadd6300bc1f2","sha256":"fbc1351ffedf09ca7560428758845a88d648b9730b63ce9e5df53a7c89f039a4"},"downloads":-1,"filename":"pip-1.5.6-py2.py3-none-any.whl","has_sig":false,"md5_digest":"4d4fb4b69df6731c7aeaadd6300bc1f2","packagetype":"bdist_wheel","python_version":"py2.py3","requires_python":null,"size":1002021,"upload_time":"2014-05-17T02:43:12","upload_time_iso_8601":"2014-05-17T02:43:12.301468Z","url":"https://files.pythonhosted.org/packages/3f/08/7347ca4021e7fe0f1ab8f93cbc7d2a7a7350012300ad0e0227d55625e2b8/pip-1.5.6-py2.py3-none-any.whl","yanked":false,"yanked_reason":null},{"comment_text":"","digests":{"blake2b_256":"45db4fb9a456b4ec4d3b701456ef562b9d72d76b6358e0c1463d17db18c5b772","md5":"01026f87978932060cc86c1dc527903e","sha256":"b1a4ae66baf21b7eb05a5e4f37c50c2706fa28ea1f8780ce8efe14dcd9f1726c"},"downloads":-1,"filename":"pip-1.5.6.tar.gz","has_sig":false,"md5_digest":"01026f87978932060cc86c1dc527903e","packagetype":"sdist","python_version":"source","requires_python":null,"size":938120,"upload_time":"2014-05-17T02:43:15","upload_time_iso_8601":"2014-05-17T02:43:15.542077Z","url":"https://files.pythonhosted.org/packages/45/db/4fb9a456b4ec4d3b701456ef562b9d72d76b6358e0c1463d17db18c5b772/pip-1.5.6.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[{"aliases":["CVE-2019-20916","GHSA-gpvv-69j7-gwj8"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py.","fixed_in":["19.2"],"id":"PYSEC-2020-173","link":"https://osv.dev/vulnerability/PYSEC-2020-173","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2014-8991"],"details":"pip 1.3 through 1.5.6 allows local users to cause a denial of service (prevention of package installation) by creating a /tmp/pip-build-* file for another user.","fixed_in":["6.0"],"id":"PYSEC-2014-11","link":"https://osv.dev/vulnerability/PYSEC-2014-11","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572","GHSA-5xp3-jfq3-5q8x"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"PYSEC-2021-437","link":"https://osv.dev/vulnerability/PYSEC-2021-437","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2019-20916"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py. A fix was committed 6704f2ace.","fixed_in":["19.2"],"id":"GHSA-gpvv-69j7-gwj8","link":"https://osv.dev/vulnerability/GHSA-gpvv-69j7-gwj8","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"GHSA-5xp3-jfq3-5q8x","link":"https://osv.dev/vulnerability/GHSA-5xp3-jfq3-5q8x","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2014-8991"],"details":"pip 1.3 through 1.5.6 allows local users to cause a denial of service (prevention of package installation) by creating a `/tmp/pip-build-*` file for another user.","fixed_in":["6.0"],"id":"GHSA-53mr-44pp-crf4","link":"https://osv.dev/vulnerability/GHSA-53mr-44pp-crf4","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the `hg clone` call (e.g. `--config`). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.","fixed_in":["23.3"],"id":"GHSA-mq26-g339-26xf","link":"https://osv.dev/vulnerability/GHSA-mq26-g339-26xf","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL  (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n","fixed_in":["23.3"],"id":"PYSEC-2023-228","link":"https://osv.dev/vulnerability/PYSEC-2023-228","source":"osv","summary":null,"withdrawn":null}]},"10.0.0":{"info":{"author":"The pip developers","author_email":"python-virtualenv@groups.google.com","bugtrack_url":null,"classifiers":["Development Status :: 5 - Production/Stable","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Programming Language :: Python","Programming Language :: Python :: 2","Programming Language :: Python :: 2.7","Programming Language :: Python :: 3","Programming Language :: Python :: 3.3","Programming Language :: Python :: 3.4","Programming Language :: Python :: 3.5","Programming Language :: Python :: 3.6","Programming Language :: Python :: Implementation :: CPython","Programming Language :: Python :: Implementation :: PyPy","Topic :: Software Development :: Build Tools"],"description_content_type":"","docs_url":null,"download_url":"","downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"https://pip.pypa.io/","keywords":"easy_install distutils setuptools egg virtualenv","license":"MIT","maintainer":"","maintainer_email":"","name":"pip","package_url":"https://pypi.org/project/pip/","platform":"","project_url":"https://pypi.org/project/pip/","project_urls":{"Homepage":"https://pip.pypa.io/"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/10.0.0/","requires_dist":["pytest; extra == 'testing'","mock; extra == 'testing'","pretend; extra == 'testing'","scripttest (>=1.3); extra == 'testing'","virtualenv (>=1.10); extra == 'testing'","freezegun; extra == 'testing'"],"requires_python":">=2.7,!=3.0.*,!=3.1.*,!=3.2.*","summary":"The PyPA recommended tool for installing Python packages.","version":"10.0.0","yanked":false,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"62a10d452b6901b0157a0134fd27ba89bf95a857fbda64ba52e1ca2cf61d8412","md5":"be3e30acf78a44cd750bf2db0912c701","sha256":"86a60a96d85e329962a9e6f6af612cbc11106293dbc83f119802b5bee9874cf3"},"downloads":-1,"filename":"pip-10.0.0-py2.py3-none-any.whl","has_sig":false,"md5_digest":"be3e30acf78a44cd750bf2db0912c701","packagetype":"bdist_wheel","python_version":"py2.py3","requires_python":">=2.7,!=3.0.*,!=3.1.*,!=3.2.*","size":1306819,"upload_time":"2018-04-14T11:38:05","upload_time_iso_8601":"2018-04-14T11:38:05.342706Z","url":"https://files.pythonhosted.org/packages/62/a1/0d452b6901b0157a0134fd27ba89bf95a857fbda64ba52e1ca2cf61d8412/pip-10.0.0-py2.py3-none-any.whl","yanked":false,"yanked_reason":null},{"comment_text":"","digests":{"blake2b_256":"e069983a8e47d3dfb51e1463c1e962b2ccd1d74ec4e236e232625e353d830ed2","md5":"db30b70bd091004e88e752e8f16b5e74","sha256":"f05a3eeea64bce94e85cc6671d679473d66288a4d37c3fcf983584954096b34f"},"downloads":-1,"filename":"pip-10.0.0.tar.gz","has_sig":false,"md5_digest":"db30b70bd091004e88e752e8f16b5e74","packagetype":"sdist","python_version":"source","requires_python":">=2.7,!=3.0.*,!=3.1.*,!=3.2.*","size":1245078,"upload_time":"2018-04-14T11:38:09","upload_time_iso_8601":"2018-04-14T11:38:09.539167Z","url":"https://files.pythonhosted.org/packages/e0/69/983a8e47d3dfb51e1463c1e962b2ccd1d74ec4e236e232625e353d830ed2/pip-10.0.0.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[{"aliases":["CVE-2019-20916","GHSA-gpvv-69j7-gwj8"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py.","fixed_in":["19.2"],"id":"PYSEC-2020-173","link":"https://osv.dev/vulnerability/PYSEC-2020-173","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572","GHSA-5xp3-jfq3-5q8x"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"PYSEC-2021-437","link":"https://osv.dev/vulnerability/PYSEC-2021-437","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2019-20916"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py. A fix was committed 6704f2ace.","fixed_in":["19.2"],"id":"GHSA-gpvv-69j7-gwj8","link":"https://osv.dev/vulnerability/GHSA-gpvv-69j7-gwj8","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"GHSA-5xp3-jfq3-5q8x","link":"https://osv.dev/vulnerability/GHSA-5xp3-jfq3-5q8x","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the `hg clone` call (e.g. `--config`). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.","fixed_in":["23.3"],"id":"GHSA-mq26-g339-26xf","link":"https://osv.dev/vulnerability/GHSA-mq26-g339-26xf","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL  (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n","fixed_in":["23.3"],"id":"PYSEC-2023-228","link":"https://osv.dev/vulnerability/PYSEC-2023-228","source":"osv","summary":null,"withdrawn":null}]},"10.0.0b1":{"info":{"author":"The pip developers","author_email":"python-virtualenv@groups.google.com","bugtrack_url":null,"classifiers":["Development Status :: 5 - Production/Stable","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Programming Language :: Python","Programming Language :: Python :: 2","Programming Language :: Python :: 2.7","Programming Language :: Python :: 3","Programming Language :: Python :: 3.3","Programming Language :: Python :: 3.4","Programming Language :: Python :: 3.5","Programming Language :: Python :: 3.6","Programming Language :: Python :: Implementation :: CPython","Programming Language :: Python :: Implementation :: PyPy","Topic :: Software Development :: Build Tools"],"description_content_type":"","docs_url":null,"download_url":"","downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"https://pip.pypa.io/","keywords":"easy_install distutils setuptools egg virtualenv","license":"MIT","maintainer":"","maintainer_email":"","name":"pip","package_url":"https://pypi.org/project/pip/","platform":"","project_url":"https://pypi.org/project/pip/","project_urls":{"Homepage":"https://pip.pypa.io/"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/10.0.0b1/","requires_dist":["pytest; extra == 'testing'","mock; extra == 'testing'","pretend; extra == 'testing'","scripttest (>=1.3); extra == 'testing'","virtualenv (>=1.10); extra == 'testing'","freezegun; extra == 'testing'"],"requires_python":">=2.7,!=3.0.*,!=3.1.*,!=3.2.*","summary":"The PyPA recommended tool for installing Python packages.","version":"10.0.0b1","yanked":false,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"4b5a8544ae02a5bd28464e03af045e8aabde20a7b02db1911a9159328e1eb25a","md5":"34dd54590477e79bc681d9ff96b9fd39","sha256":"dbd5d24cd461be23429625085a36cc8732cbcac4d2aaf673031f80f6ac07d844"},"downloads":-1,"filename":"pip-10.0.0b1-py2.py3-none-any.whl","has_sig":false,"md5_digest":"34dd54590477e79bc681d9ff96b9fd39","packagetype":"bdist_wheel","python_version":"py2.py3","requires_python":">=2.7,!=3.0.*,!=3.1.*,!=3.2.*","size":1310836,"upload_time":"2018-03-31T10:46:11","upload_time_iso_8601":"2018-03-31T10:46:11.450765Z","url":"https://files.pythonhosted.org/packages/4b/5a/8544ae02a5bd28464e03af045e8aabde20a7b02db1911a9159328e1eb25a/pip-10.0.0b1-py2.py3-none-any.whl","yanked":false,"yanked_reason":null},{"comment_text":"","digests":{"blake2b_256":"aa6dffbb86abf18b750fb26f27eda7c7732df2aacaa669c420d2eb2ad6df3458","md5":"29f13df96ba340c6f7a6577eb89963e5","sha256":"8d6e63d8b99752e4b53f272b66f9cd7b59e2b288e9a863a61c48d167203a2656"},"downloads":-1,"filename":"pip-10.0.0b1.tar.gz","has_sig":false,"md5_digest":"29f13df96ba340c6f7a6577eb89963e5","packagetype":"sdist","python_version":"source","requires_python":">=2.7,!=3.0.*,!=3.1.*,!=3.2.*","size":1246649,"upload_time":"2018-03-31T10:46:15","upload_time_iso_8601":"2018-03-31T10:46:15.650560Z","url":"https://files.pythonhosted.org/packages/aa/6d/ffbb86abf18b750fb26f27eda7c7732df2aacaa669c420d2eb2ad6df3458/pip-10.0.0b1.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[{"aliases":["CVE-2019-20916","GHSA-gpvv-69j7-gwj8"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py.","fixed_in":["19.2"],"id":"PYSEC-2020-173","link":"https://osv.dev/vulnerability/PYSEC-2020-173","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572","GHSA-5xp3-jfq3-5q8x"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"PYSEC-2021-437","link":"https://osv.dev/vulnerability/PYSEC-2021-437","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2019-20916"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py. A fix was committed 6704f2ace.","fixed_in":["19.2"],"id":"GHSA-gpvv-69j7-gwj8","link":"https://osv.dev/vulnerability/GHSA-gpvv-69j7-gwj8","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"GHSA-5xp3-jfq3-5q8x","link":"https://osv.dev/vulnerability/GHSA-5xp3-jfq3-5q8x","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the `hg clone` call (e.g. `--config`). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.","fixed_in":["23.3"],"id":"GHSA-mq26-g339-26xf","link":"https://osv.dev/vulnerability/GHSA-mq26-g339-26xf","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL  (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n","fixed_in":["23.3"],"id":"PYSEC-2023-228","link":"https://osv.dev/vulnerability/PYSEC-2023-228","source":"osv","summary":null,"withdrawn":null}]},"10.0.0b2":{"info":{"author":"The pip developers","author_email":"python-virtualenv@groups.google.com","bugtrack_url":null,"classifiers":["Development Status :: 5 - Production/Stable","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Programming Language :: Python","Programming Language :: Python :: 2","Programming Language :: Python :: 2.7","Programming Language :: Python :: 3","Programming Language :: Python :: 3.3","Programming Language :: Python :: 3.4","Programming Language :: Python :: 3.5","Programming Language :: Python :: 3.6","Programming Language :: Python :: Implementation :: CPython","Programming Language :: Python :: Implementation :: PyPy","Topic :: Software Development :: Build Tools"],"description_content_type":"","docs_url":null,"download_url":"","downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"https://pip.pypa.io/","keywords":"easy_install distutils setuptools egg virtualenv","license":"MIT","maintainer":"","maintainer_email":"","name":"pip","package_url":"https://pypi.org/project/pip/","platform":"","project_url":"https://pypi.org/project/pip/","project_urls":{"Homepage":"https://pip.pypa.io/"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/10.0.0b2/","requires_dist":["pytest; extra == 'testing'","mock; extra == 'testing'","pretend; extra == 'testing'","scripttest (>=1.3); extra == 'testing'","virtualenv (>=1.10); extra == 'testing'","freezegun; extra == 'testing'"],"requires_python":">=2.7,!=3.0.*,!=3.1.*,!=3.2.*","summary":"The PyPA recommended tool for installing Python packages.","version":"10.0.0b2","yanked":false,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"97721d514201e7d7fc7fff5aac3de9c7b892cd72fb4bf23fd983630df96f7412","md5":"2671150c78981971c1dfbd175a42139c","sha256":"79f55588912f1b2b4f86f96f11e329bb01b25a484e2204f245128b927b1038a7"},"downloads":-1,"filename":"pip-10.0.0b2-py2.py3-none-any.whl","has_sig":false,"md5_digest":"2671150c78981971c1dfbd175a42139c","packagetype":"bdist_wheel","python_version":"py2.py3","requires_python":">=2.7,!=3.0.*,!=3.1.*,!=3.2.*","size":1308393,"upload_time":"2018-04-02T13:05:06","upload_time_iso_8601":"2018-04-02T13:05:06.489157Z","url":"https://files.pythonhosted.org/packages/97/72/1d514201e7d7fc7fff5aac3de9c7b892cd72fb4bf23fd983630df96f7412/pip-10.0.0b2-py2.py3-none-any.whl","yanked":false,"yanked_reason":null},{"comment_text":"","digests":{"blake2b_256":"3267572f642e6e42c580d3154964cfbab7d9322c23b0f417c6c01fdd206a2777","md5":"cbfc1208d00bb72aba19431a7bb4afd5","sha256":"ad6adec2150ce4aed8f6134d9b77d928fc848dbcb887fb1a455988cf99da5cae"},"downloads":-1,"filename":"pip-10.0.0b2.tar.gz","has_sig":false,"md5_digest":"cbfc1208d00bb72aba19431a7bb4afd5","packagetype":"sdist","python_version":"source","requires_python":">=2.7,!=3.0.*,!=3.1.*,!=3.2.*","size":1244190,"upload_time":"2018-04-02T13:05:09","upload_time_iso_8601":"2018-04-02T13:05:09.976830Z","url":"https://files.pythonhosted.org/packages/32/67/572f642e6e42c580d3154964cfbab7d9322c23b0f417c6c01fdd206a2777/pip-10.0.0b2.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[{"aliases":["CVE-2019-20916","GHSA-gpvv-69j7-gwj8"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py.","fixed_in":["19.2"],"id":"PYSEC-2020-173","link":"https://osv.dev/vulnerability/PYSEC-2020-173","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572","GHSA-5xp3-jfq3-5q8x"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"PYSEC-2021-437","link":"https://osv.dev/vulnerability/PYSEC-2021-437","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2019-20916"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py. A fix was committed 6704f2ace.","fixed_in":["19.2"],"id":"GHSA-gpvv-69j7-gwj8","link":"https://osv.dev/vulnerability/GHSA-gpvv-69j7-gwj8","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"GHSA-5xp3-jfq3-5q8x","link":"https://osv.dev/vulnerability/GHSA-5xp3-jfq3-5q8x","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the `hg clone` call (e.g. `--config`). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.","fixed_in":["23.3"],"id":"GHSA-mq26-g339-26xf","link":"https://osv.dev/vulnerability/GHSA-mq26-g339-26xf","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL  (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n","fixed_in":["23.3"],"id":"PYSEC-2023-228","link":"https://osv.dev/vulnerability/PYSEC-2023-228","source":"osv","summary":null,"withdrawn":null}]},"10.0.1":{"info":{"author":"The pip developers","author_email":"python-virtualenv@groups.google.com","bugtrack_url":null,"classifiers":["Development Status :: 5 - Production/Stable","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Programming Language :: Python","Programming Language :: Python :: 2","Programming Language :: Python :: 2.7","Programming Language :: Python :: 3","Programming Language :: Python :: 3.3","Programming Language :: Python :: 3.4","Programming Language :: Python :: 3.5","Programming Language :: Python :: 3.6","Programming Language :: Python :: Implementation :: CPython","Programming Language :: Python :: Implementation :: PyPy","Topic :: Software Development :: Build Tools"],"description_content_type":"","docs_url":null,"download_url":"","downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"https://pip.pypa.io/","keywords":"easy_install distutils setuptools egg virtualenv","license":"MIT","maintainer":"","maintainer_email":"","name":"pip","package_url":"https://pypi.org/project/pip/","platform":"","project_url":"https://pypi.org/project/pip/","project_urls":{"Homepage":"https://pip.pypa.io/"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/10.0.1/","requires_dist":["pytest; extra == 'testing'","mock; extra == 'testing'","pretend; extra == 'testing'","scripttest (>=1.3); extra == 'testing'","virtualenv (>=1.10); extra == 'testing'","freezegun; extra == 'testing'"],"requires_python":">=2.7,!=3.0.*,!=3.1.*,!=3.2.*","summary":"The PyPA recommended tool for installing Python packages.","version":"10.0.1","yanked":false,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"0f74ecd13431bcc456ed390b44c8a6e917c1820365cbebcb6a8974d1cd045ab4","md5":"eb92c86bfda9cde5e082a1fd76f1e627","sha256":"717cdffb2833be8409433a93746744b59505f42146e8d37de6c62b430e25d6d7"},"downloads":-1,"filename":"pip-10.0.1-py2.py3-none-any.whl","has_sig":false,"md5_digest":"eb92c86bfda9cde5e082a1fd76f1e627","packagetype":"bdist_wheel","python_version":"py2.py3","requires_python":">=2.7,!=3.0.*,!=3.1.*,!=3.2.*","size":1307639,"upload_time":"2018-04-19T18:56:05","upload_time_iso_8601":"2018-04-19T18:56:05.963596Z","url":"https://files.pythonhosted.org/packages/0f/74/ecd13431bcc456ed390b44c8a6e917c1820365cbebcb6a8974d1cd045ab4/pip-10.0.1-py2.py3-none-any.whl","yanked":false,"yanked_reason":null},{"comment_text":"","digests":{"blake2b_256":"aee82340d46ecadb1692a1e455f13f75e596d4eab3d11a57446f08259dee8f02","md5":"83a177756e2c801d0b3a6f7b0d4f3f7e","sha256":"f2bd08e0cd1b06e10218feaf6fef299f473ba706582eb3bd9d52203fdbd7ee68"},"downloads":-1,"filename":"pip-10.0.1.tar.gz","has_sig":false,"md5_digest":"83a177756e2c801d0b3a6f7b0d4f3f7e","packagetype":"sdist","python_version":"source","requires_python":">=2.7,!=3.0.*,!=3.1.*,!=3.2.*","size":1246072,"upload_time":"2018-04-19T18:56:09","upload_time_iso_8601":"2018-04-19T18:56:09.474691Z","url":"https://files.pythonhosted.org/packages/ae/e8/2340d46ecadb1692a1e455f13f75e596d4eab3d11a57446f08259dee8f02/pip-10.0.1.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[{"aliases":["CVE-2019-20916","GHSA-gpvv-69j7-gwj8"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py.","fixed_in":["19.2"],"id":"PYSEC-2020-173","link":"https://osv.dev/vulnerability/PYSEC-2020-173","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572","GHSA-5xp3-jfq3-5q8x"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"PYSEC-2021-437","link":"https://osv.dev/vulnerability/PYSEC-2021-437","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2019-20916"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py. A fix was committed 6704f2ace.","fixed_in":["19.2"],"id":"GHSA-gpvv-69j7-gwj8","link":"https://osv.dev/vulnerability/GHSA-gpvv-69j7-gwj8","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"GHSA-5xp3-jfq3-5q8x","link":"https://osv.dev/vulnerability/GHSA-5xp3-jfq3-5q8x","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the `hg clone` call (e.g. `--config`). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.","fixed_in":["23.3"],"id":"GHSA-mq26-g339-26xf","link":"https://osv.dev/vulnerability/GHSA-mq26-g339-26xf","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL  (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n","fixed_in":["23.3"],"id":"PYSEC-2023-228","link":"https://osv.dev/vulnerability/PYSEC-2023-228","source":"osv","summary":null,"withdrawn":null}]},"18.0":{"info":{"author":"The pip developers","author_email":"pypa-dev@groups.google.com","bugtrack_url":null,"classifiers":["Development Status :: 5 - Production/Stable","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Programming Language :: Python","Programming Language :: Python :: 2","Programming Language :: Python :: 2.7","Programming Language :: Python :: 3","Programming Language :: Python :: 3.4","Programming Language :: Python :: 3.5","Programming Language :: Python :: 3.6","Programming Language :: Python :: Implementation :: CPython","Programming Language :: Python :: Implementation :: PyPy","Topic :: Software Development :: Build Tools"],"description_content_type":"","docs_url":null,"download_url":"","downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"https://pip.pypa.io/","keywords":"distutils easy_install egg setuptools wheel virtualenv","license":"MIT","maintainer":"","maintainer_email":"","name":"pip","package_url":"https://pypi.org/project/pip/","platform":"","project_url":"https://pypi.org/project/pip/","project_urls":{"Homepage":"https://pip.pypa.io/"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/18.0/","requires_dist":null,"requires_python":">=2.7,!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*","summary":"The PyPA recommended tool for installing Python packages.","version":"18.0","yanked":false,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"5f25e52d3f31441505a5f3af41213346e5b6c221c9e086a166f3703d2ddaf940","md5":"a4b47b6534f83ed621e757e9906b030f","sha256":"070e4bf493c7c2c9f6a08dd797dd3c066d64074c38e9e8a0fb4e6541f266d96c"},"downloads":-1,"filename":"pip-18.0-py2.py3-none-any.whl","has_sig":false,"md5_digest":"a4b47b6534f83ed621e757e9906b030f","packagetype":"bdist_wheel","python_version":"py2.py3","requires_python":">=2.7,!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*","size":1307744,"upload_time":"2018-07-22T07:53:50","upload_time_iso_8601":"2018-07-22T07:53:50.674612Z","url":"https://files.pythonhosted.org/packages/5f/25/e52d3f31441505a5f3af41213346e5b6c221c9e086a166f3703d2ddaf940/pip-18.0-py2.py3-none-any.whl","yanked":false,"yanked_reason":null},{"comment_text":"","digests":{"blake2b_256":"698152b68d0a4de760a2f1979b0931ba7889202f302072cc7a0d614211bc7579","md5":"52f75ceb21e96c258f289859a2996b60","sha256":"a0e11645ee37c90b40c46d607070c4fd583e2cd46231b1c06e389c5e814eed76"},"downloads":-1,"filename":"pip-18.0.tar.gz","has_sig":false,"md5_digest":"52f75ceb21e96c258f289859a2996b60","packagetype":"sdist","python_version":"source","requires_python":">=2.7,!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*","size":1249656,"upload_time":"2018-07-22T07:53:57","upload_time_iso_8601":"2018-07-22T07:53:57.845525Z","url":"https://files.pythonhosted.org/packages/69/81/52b68d0a4de760a2f1979b0931ba7889202f302072cc7a0d614211bc7579/pip-18.0.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[{"aliases":["CVE-2019-20916","GHSA-gpvv-69j7-gwj8"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py.","fixed_in":["19.2"],"id":"PYSEC-2020-173","link":"https://osv.dev/vulnerability/PYSEC-2020-173","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572","GHSA-5xp3-jfq3-5q8x"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"PYSEC-2021-437","link":"https://osv.dev/vulnerability/PYSEC-2021-437","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2019-20916"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py. A fix was committed 6704f2ace.","fixed_in":["19.2"],"id":"GHSA-gpvv-69j7-gwj8","link":"https://osv.dev/vulnerability/GHSA-gpvv-69j7-gwj8","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"GHSA-5xp3-jfq3-5q8x","link":"https://osv.dev/vulnerability/GHSA-5xp3-jfq3-5q8x","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the `hg clone` call (e.g. `--config`). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.","fixed_in":["23.3"],"id":"GHSA-mq26-g339-26xf","link":"https://osv.dev/vulnerability/GHSA-mq26-g339-26xf","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL  (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n","fixed_in":["23.3"],"id":"PYSEC-2023-228","link":"https://osv.dev/vulnerability/PYSEC-2023-228","source":"osv","summary":null,"withdrawn":null}]},"18.1":{"info":{"author":"The pip developers","author_email":"pypa-dev@groups.google.com","bugtrack_url":null,"classifiers":["Development Status :: 5 - Production/Stable","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Programming Language :: Python","Programming Language :: Python :: 2","Programming Language :: Python :: 2.7","Programming Language :: Python :: 3","Programming Language :: Python :: 3.4","Programming Language :: Python :: 3.5","Programming Language :: Python :: 3.6","Programming Language :: Python :: 3.7","Programming Language :: Python :: Implementation :: CPython","Programming Language :: Python :: Implementation :: PyPy","Topic :: Software Development :: Build Tools"],"description_content_type":"","docs_url":null,"download_url":"","downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"https://pip.pypa.io/","keywords":"distutils easy_install egg setuptools wheel virtualenv","license":"MIT","maintainer":"","maintainer_email":"","name":"pip","package_url":"https://pypi.org/project/pip/","platform":"","project_url":"https://pypi.org/project/pip/","project_urls":{"Homepage":"https://pip.pypa.io/"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/18.1/","requires_dist":null,"requires_python":">=2.7,!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*","summary":"The PyPA recommended tool for installing Python packages.","version":"18.1","yanked":false,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"c2d790f34cb0d83a6c5631cf71dfe64cc1054598c843a92b400e55675cc2ac37","md5":"2fba06061e2274c00c67804f6ddef15e","sha256":"7909d0a0932e88ea53a7014dfd14522ffef91a464daaaf5c573343852ef98550"},"downloads":-1,"filename":"pip-18.1-py2.py3-none-any.whl","has_sig":false,"md5_digest":"2fba06061e2274c00c67804f6ddef15e","packagetype":"bdist_wheel","python_version":"py2.py3","requires_python":">=2.7,!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*","size":1323545,"upload_time":"2018-10-05T11:20:31","upload_time_iso_8601":"2018-10-05T11:20:31.340485Z","url":"https://files.pythonhosted.org/packages/c2/d7/90f34cb0d83a6c5631cf71dfe64cc1054598c843a92b400e55675cc2ac37/pip-18.1-py2.py3-none-any.whl","yanked":false,"yanked_reason":null},{"comment_text":"","digests":{"blake2b_256":"45ae8a0ad77defb7cc903f09e551d88b443304a9bd6e6f124e75c0fbbf6de8f7","md5":"75cad449ad62c88b22de317a26781714","sha256":"c0a292bd977ef590379a3f05d7b7f65135487b67470f6281289a94e015650ea1"},"downloads":-1,"filename":"pip-18.1.tar.gz","has_sig":false,"md5_digest":"75cad449ad62c88b22de317a26781714","packagetype":"sdist","python_version":"source","requires_python":">=2.7,!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*","size":1259370,"upload_time":"2018-10-05T11:20:45","upload_time_iso_8601":"2018-10-05T11:20:45.301430Z","url":"https://files.pythonhosted.org/packages/45/ae/8a0ad77defb7cc903f09e551d88b443304a9bd6e6f124e75c0fbbf6de8f7/pip-18.1.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[{"aliases":["CVE-2019-20916","GHSA-gpvv-69j7-gwj8"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py.","fixed_in":["19.2"],"id":"PYSEC-2020-173","link":"https://osv.dev/vulnerability/PYSEC-2020-173","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572","GHSA-5xp3-jfq3-5q8x"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"PYSEC-2021-437","link":"https://osv.dev/vulnerability/PYSEC-2021-437","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2019-20916"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py. A fix was committed 6704f2ace.","fixed_in":["19.2"],"id":"GHSA-gpvv-69j7-gwj8","link":"https://osv.dev/vulnerability/GHSA-gpvv-69j7-gwj8","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"GHSA-5xp3-jfq3-5q8x","link":"https://osv.dev/vulnerability/GHSA-5xp3-jfq3-5q8x","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the `hg clone` call (e.g. `--config`). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.","fixed_in":["23.3"],"id":"GHSA-mq26-g339-26xf","link":"https://osv.dev/vulnerability/GHSA-mq26-g339-26xf","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL  (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n","fixed_in":["23.3"],"id":"PYSEC-2023-228","link":"https://osv.dev/vulnerability/PYSEC-2023-228","source":"osv","summary":null,"withdrawn":null}]},"19.0":{"info":{"author":"The pip developers","author_email":"pypa-dev@groups.google.com","bugtrack_url":null,"classifiers":["Development Status :: 5 - Production/Stable","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Programming Language :: Python","Programming Language :: Python :: 2","Programming Language :: Python :: 2.7","Programming Language :: Python :: 3","Programming Language :: Python :: 3.4","Programming Language :: Python :: 3.5","Programming Language :: Python :: 3.6","Programming Language :: Python :: 3.7","Programming Language :: Python :: Implementation :: CPython","Programming Language :: Python :: Implementation :: PyPy","Topic :: Software Development :: Build Tools"],"description_content_type":"","docs_url":null,"download_url":"","downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"https://pip.pypa.io/","keywords":"distutils easy_install egg setuptools wheel virtualenv","license":"MIT","maintainer":"","maintainer_email":"","name":"pip","package_url":"https://pypi.org/project/pip/","platform":"","project_url":"https://pypi.org/project/pip/","project_urls":{"Homepage":"https://pip.pypa.io/"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/19.0/","requires_dist":null,"requires_python":">=2.7,!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*","summary":"The PyPA recommended tool for installing Python packages.","version":"19.0","yanked":false,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"606473b729587b6b0d13e690a7c3acd2231ee561e8dd28a58ae1b0409a5a2b20","md5":"aba90d9915a7137bb84c6d312e7f68d8","sha256":"249ab0de4c1cef3dba4cf3f8cca722a07fc447b1692acd9f84e19c646db04c9a"},"downloads":-1,"filename":"pip-19.0-py2.py3-none-any.whl","has_sig":false,"md5_digest":"aba90d9915a7137bb84c6d312e7f68d8","packagetype":"bdist_wheel","python_version":"py2.py3","requires_python":">=2.7,!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*","size":1354391,"upload_time":"2019-01-22T19:19:22","upload_time_iso_8601":"2019-01-22T19:19:22.546661Z","url":"https://files.pythonhosted.org/packages/60/64/73b729587b6b0d13e690a7c3acd2231ee561e8dd28a58ae1b0409a5a2b20/pip-19.0-py2.py3-none-any.whl","yanked":false,"yanked_reason":null},{"comment_text":"","digests":{"blake2b_256":"1131c483614095176ddfa06ac99c2af4171375053b270842c7865ca0b4438dc1","md5":"76b4afbe326ef31992d3230bb104ff90","sha256":"c82bf8bc00c5732f0dd49ac1dea79b6242a1bd42a5012e308ed4f04369b17e54"},"downloads":-1,"filename":"pip-19.0.tar.gz","has_sig":false,"md5_digest":"76b4afbe326ef31992d3230bb104ff90","packagetype":"sdist","python_version":"source","requires_python":">=2.7,!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*","size":1321823,"upload_time":"2019-01-22T19:19:27","upload_time_iso_8601":"2019-01-22T19:19:27.846004Z","url":"https://files.pythonhosted.org/packages/11/31/c483614095176ddfa06ac99c2af4171375053b270842c7865ca0b4438dc1/pip-19.0.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[{"aliases":["CVE-2019-20916","GHSA-gpvv-69j7-gwj8"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py.","fixed_in":["19.2"],"id":"PYSEC-2020-173","link":"https://osv.dev/vulnerability/PYSEC-2020-173","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572","GHSA-5xp3-jfq3-5q8x"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"PYSEC-2021-437","link":"https://osv.dev/vulnerability/PYSEC-2021-437","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2019-20916"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py. A fix was committed 6704f2ace.","fixed_in":["19.2"],"id":"GHSA-gpvv-69j7-gwj8","link":"https://osv.dev/vulnerability/GHSA-gpvv-69j7-gwj8","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"GHSA-5xp3-jfq3-5q8x","link":"https://osv.dev/vulnerability/GHSA-5xp3-jfq3-5q8x","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the `hg clone` call (e.g. `--config`). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.","fixed_in":["23.3"],"id":"GHSA-mq26-g339-26xf","link":"https://osv.dev/vulnerability/GHSA-mq26-g339-26xf","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL  (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n","fixed_in":["23.3"],"id":"PYSEC-2023-228","link":"https://osv.dev/vulnerability/PYSEC-2023-228","source":"osv","summary":null,"withdrawn":null}]},"19.0.1":{"info":{"author":"The pip developers","author_email":"pypa-dev@groups.google.com","bugtrack_url":null,"classifiers":["Development Status :: 5 - Production/Stable","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Programming Language :: Python","Programming Language :: Python :: 2","Programming Language :: Python :: 2.7","Programming Language :: Python :: 3","Programming Language :: Python :: 3.4","Programming Language :: Python :: 3.5","Programming Language :: Python :: 3.6","Programming Language :: Python :: 3.7","Programming Language :: Python :: Implementation :: CPython","Programming Language :: Python :: Implementation :: PyPy","Topic :: Software Development :: Build Tools"],"description_content_type":"","docs_url":null,"download_url":"","downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"https://pip.pypa.io/","keywords":"distutils easy_install egg setuptools wheel virtualenv","license":"MIT","maintainer":"","maintainer_email":"","name":"pip","package_url":"https://pypi.org/project/pip/","platform":"","project_url":"https://pypi.org/project/pip/","project_urls":{"Homepage":"https://pip.pypa.io/"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/19.0.1/","requires_dist":null,"requires_python":">=2.7,!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*","summary":"The PyPA recommended tool for installing Python packages.","version":"19.0.1","yanked":false,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"46dc7fd5df840efb3e56c8b4f768793a237ec4ee59891959d6a215d63f727023","md5":"0e43dd9f7ba962e6b77888b51001a6a1","sha256":"aae79c7afe895fb986ec751564f24d97df1331bb99cdfec6f70dada2f40c0044"},"downloads":-1,"filename":"pip-19.0.1-py2.py3-none-any.whl","has_sig":false,"md5_digest":"0e43dd9f7ba962e6b77888b51001a6a1","packagetype":"bdist_wheel","python_version":"py2.py3","requires_python":">=2.7,!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*","size":1354402,"upload_time":"2019-01-23T13:59:13","upload_time_iso_8601":"2019-01-23T13:59:13.144195Z","url":"https://files.pythonhosted.org/packages/46/dc/7fd5df840efb3e56c8b4f768793a237ec4ee59891959d6a215d63f727023/pip-19.0.1-py2.py3-none-any.whl","yanked":false,"yanked_reason":null},{"comment_text":"","digests":{"blake2b_256":"c889ad7f27938e59db1f0f55ce214087460f65048626e2226531ba6cb6da15f0","md5":"b6919f1a368138f73b367abccc06f5ae","sha256":"e81ddd35e361b630e94abeda4a1eddd36d47a90e71eb00f38f46b57f787cd1a5"},"downloads":-1,"filename":"pip-19.0.1.tar.gz","has_sig":false,"md5_digest":"b6919f1a368138f73b367abccc06f5ae","packagetype":"sdist","python_version":"source","requires_python":">=2.7,!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*","size":1321875,"upload_time":"2019-01-23T13:59:22","upload_time_iso_8601":"2019-01-23T13:59:22.244586Z","url":"https://files.pythonhosted.org/packages/c8/89/ad7f27938e59db1f0f55ce214087460f65048626e2226531ba6cb6da15f0/pip-19.0.1.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[{"aliases":["CVE-2019-20916","GHSA-gpvv-69j7-gwj8"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py.","fixed_in":["19.2"],"id":"PYSEC-2020-173","link":"https://osv.dev/vulnerability/PYSEC-2020-173","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572","GHSA-5xp3-jfq3-5q8x"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"PYSEC-2021-437","link":"https://osv.dev/vulnerability/PYSEC-2021-437","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2019-20916"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py. A fix was committed 6704f2ace.","fixed_in":["19.2"],"id":"GHSA-gpvv-69j7-gwj8","link":"https://osv.dev/vulnerability/GHSA-gpvv-69j7-gwj8","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"GHSA-5xp3-jfq3-5q8x","link":"https://osv.dev/vulnerability/GHSA-5xp3-jfq3-5q8x","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the `hg clone` call (e.g. `--config`). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.","fixed_in":["23.3"],"id":"GHSA-mq26-g339-26xf","link":"https://osv.dev/vulnerability/GHSA-mq26-g339-26xf","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL  (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n","fixed_in":["23.3"],"id":"PYSEC-2023-228","link":"https://osv.dev/vulnerability/PYSEC-2023-228","source":"osv","summary":null,"withdrawn":null}]},"19.0.2":{"info":{"author":"The pip developers","author_email":"pypa-dev@groups.google.com","bugtrack_url":null,"classifiers":["Development Status :: 5 - Production/Stable","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Programming Language :: Python","Programming Language :: Python :: 2","Programming Language :: Python :: 2.7","Programming Language :: Python :: 3","Programming Language :: Python :: 3.4","Programming Language :: Python :: 3.5","Programming Language :: Python :: 3.6","Programming Language :: Python :: 3.7","Programming Language :: Python :: Implementation :: CPython","Programming Language :: Python :: Implementation :: PyPy","Topic :: Software Development :: Build Tools"],"description_content_type":"","docs_url":null,"download_url":"","downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"https://pip.pypa.io/","keywords":"distutils easy_install egg setuptools wheel virtualenv","license":"MIT","maintainer":"","maintainer_email":"","name":"pip","package_url":"https://pypi.org/project/pip/","platform":"","project_url":"https://pypi.org/project/pip/","project_urls":{"Homepage":"https://pip.pypa.io/"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/19.0.2/","requires_dist":null,"requires_python":">=2.7,!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*","summary":"The PyPA recommended tool for installing Python packages.","version":"19.0.2","yanked":false,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"d74134dd96bd33958e52cb4da2f1bf0818e396514fd4f4725a79199564cd0c20","md5":"f489e8dad93062e9ea96c9ff485a010a","sha256":"6a59f1083a63851aeef60c7d68b119b46af11d9d803ddc1cf927b58edcd0b312"},"downloads":-1,"filename":"pip-19.0.2-py2.py3-none-any.whl","has_sig":false,"md5_digest":"f489e8dad93062e9ea96c9ff485a010a","packagetype":"bdist_wheel","python_version":"py2.py3","requires_python":">=2.7,!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*","size":1356167,"upload_time":"2019-02-09T04:59:31","upload_time_iso_8601":"2019-02-09T04:59:31.348369Z","url":"https://files.pythonhosted.org/packages/d7/41/34dd96bd33958e52cb4da2f1bf0818e396514fd4f4725a79199564cd0c20/pip-19.0.2-py2.py3-none-any.whl","yanked":false,"yanked_reason":null},{"comment_text":"","digests":{"blake2b_256":"4c4d88bc9413da11702cbbace3ccc51350ae099bb351febae8acc85fec34f9af","md5":"526fd9ec1e6ea956b3571ebfb42cf83c","sha256":"f851133f8b58283fa50d8c78675eb88d4ff4cde29b6c41205cd938b06338e0e5"},"downloads":-1,"filename":"pip-19.0.2.tar.gz","has_sig":false,"md5_digest":"526fd9ec1e6ea956b3571ebfb42cf83c","packagetype":"sdist","python_version":"source","requires_python":">=2.7,!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*","size":1324514,"upload_time":"2019-02-09T04:59:38","upload_time_iso_8601":"2019-02-09T04:59:38.924352Z","url":"https://files.pythonhosted.org/packages/4c/4d/88bc9413da11702cbbace3ccc51350ae099bb351febae8acc85fec34f9af/pip-19.0.2.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[{"aliases":["CVE-2019-20916","GHSA-gpvv-69j7-gwj8"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py.","fixed_in":["19.2"],"id":"PYSEC-2020-173","link":"https://osv.dev/vulnerability/PYSEC-2020-173","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572","GHSA-5xp3-jfq3-5q8x"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"PYSEC-2021-437","link":"https://osv.dev/vulnerability/PYSEC-2021-437","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2019-20916"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py. A fix was committed 6704f2ace.","fixed_in":["19.2"],"id":"GHSA-gpvv-69j7-gwj8","link":"https://osv.dev/vulnerability/GHSA-gpvv-69j7-gwj8","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"GHSA-5xp3-jfq3-5q8x","link":"https://osv.dev/vulnerability/GHSA-5xp3-jfq3-5q8x","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the `hg clone` call (e.g. `--config`). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.","fixed_in":["23.3"],"id":"GHSA-mq26-g339-26xf","link":"https://osv.dev/vulnerability/GHSA-mq26-g339-26xf","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL  (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n","fixed_in":["23.3"],"id":"PYSEC-2023-228","link":"https://osv.dev/vulnerability/PYSEC-2023-228","source":"osv","summary":null,"withdrawn":null}]},"19.0.3":{"info":{"author":"The pip developers","author_email":"pypa-dev@groups.google.com","bugtrack_url":null,"classifiers":["Development Status :: 5 - Production/Stable","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Programming Language :: Python","Programming Language :: Python :: 2","Programming Language :: Python :: 2.7","Programming Language :: Python :: 3","Programming Language :: Python :: 3.4","Programming Language :: Python :: 3.5","Programming Language :: Python :: 3.6","Programming Language :: Python :: 3.7","Programming Language :: Python :: Implementation :: CPython","Programming Language :: Python :: Implementation :: PyPy","Topic :: Software Development :: Build Tools"],"description_content_type":"","docs_url":null,"download_url":"","downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"https://pip.pypa.io/","keywords":"distutils easy_install egg setuptools wheel virtualenv","license":"MIT","maintainer":"","maintainer_email":"","name":"pip","package_url":"https://pypi.org/project/pip/","platform":"","project_url":"https://pypi.org/project/pip/","project_urls":{"Homepage":"https://pip.pypa.io/"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/19.0.3/","requires_dist":null,"requires_python":">=2.7,!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*","summary":"The PyPA recommended tool for installing Python packages.","version":"19.0.3","yanked":false,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"d8f3413bab4ff08e1fc4828dfc59996d721917df8e8583ea85385d51125dceff","md5":"c416915bcb3504d1b7488bf241f5d190","sha256":"bd812612bbd8ba84159d9ddc0266b7fbce712fc9bc98c82dee5750546ec8ec64"},"downloads":-1,"filename":"pip-19.0.3-py2.py3-none-any.whl","has_sig":false,"md5_digest":"c416915bcb3504d1b7488bf241f5d190","packagetype":"bdist_wheel","python_version":"py2.py3","requires_python":">=2.7,!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*","size":1353599,"upload_time":"2019-02-20T17:23:18","upload_time_iso_8601":"2019-02-20T17:23:18.551296Z","url":"https://files.pythonhosted.org/packages/d8/f3/413bab4ff08e1fc4828dfc59996d721917df8e8583ea85385d51125dceff/pip-19.0.3-py2.py3-none-any.whl","yanked":false,"yanked_reason":null},{"comment_text":"","digests":{"blake2b_256":"36fa51ca4d57392e2f69397cd6e5af23da2a8d37884a605f9e3f2d3bfdc48397","md5":"1c5edb0924a0d7d79f3a2e3df05009b4","sha256":"6e6f197a1abfb45118dbb878b5c859a0edbdd33fd250100bc015b67fded4b9f2"},"downloads":-1,"filename":"pip-19.0.3.tar.gz","has_sig":false,"md5_digest":"1c5edb0924a0d7d79f3a2e3df05009b4","packagetype":"sdist","python_version":"source","requires_python":">=2.7,!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*","size":1324617,"upload_time":"2019-02-20T17:23:25","upload_time_iso_8601":"2019-02-20T17:23:25.954544Z","url":"https://files.pythonhosted.org/packages/36/fa/51ca4d57392e2f69397cd6e5af23da2a8d37884a605f9e3f2d3bfdc48397/pip-19.0.3.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[{"aliases":["CVE-2019-20916","GHSA-gpvv-69j7-gwj8"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py.","fixed_in":["19.2"],"id":"PYSEC-2020-173","link":"https://osv.dev/vulnerability/PYSEC-2020-173","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572","GHSA-5xp3-jfq3-5q8x"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"PYSEC-2021-437","link":"https://osv.dev/vulnerability/PYSEC-2021-437","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2019-20916"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py. A fix was committed 6704f2ace.","fixed_in":["19.2"],"id":"GHSA-gpvv-69j7-gwj8","link":"https://osv.dev/vulnerability/GHSA-gpvv-69j7-gwj8","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"GHSA-5xp3-jfq3-5q8x","link":"https://osv.dev/vulnerability/GHSA-5xp3-jfq3-5q8x","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the `hg clone` call (e.g. `--config`). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.","fixed_in":["23.3"],"id":"GHSA-mq26-g339-26xf","link":"https://osv.dev/vulnerability/GHSA-mq26-g339-26xf","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL  (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n","fixed_in":["23.3"],"id":"PYSEC-2023-228","link":"https://osv.dev/vulnerability/PYSEC-2023-228","source":"osv","summary":null,"withdrawn":null}]},"19.1":{"info":{"author":"The pip developers","author_email":"pypa-dev@groups.google.com","bugtrack_url":null,"classifiers":["Development Status :: 5 - Production/Stable","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Programming Language :: Python","Programming Language :: Python :: 2","Programming Language :: Python :: 2.7","Programming Language :: Python :: 3","Programming Language :: Python :: 3.4","Programming Language :: Python :: 3.5","Programming Language :: Python :: 3.6","Programming Language :: Python :: 3.7","Programming Language :: Python :: Implementation :: CPython","Programming Language :: Python :: Implementation :: PyPy","Topic :: Software Development :: Build Tools"],"description_content_type":"","docs_url":null,"download_url":"","downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"https://pip.pypa.io/","keywords":"distutils easy_install egg setuptools wheel virtualenv","license":"MIT","maintainer":"","maintainer_email":"","name":"pip","package_url":"https://pypi.org/project/pip/","platform":"","project_url":"https://pypi.org/project/pip/","project_urls":{"Homepage":"https://pip.pypa.io/"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/19.1/","requires_dist":null,"requires_python":">=2.7,!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*","summary":"The PyPA recommended tool for installing Python packages.","version":"19.1","yanked":false,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"f9fb863012b13912709c13cf5cfdbfb304fa6c727659d6290438e1a88df9d848","md5":"0ae44131958e5256aa5f3f0166e54f1b","sha256":"8f59b6cf84584d7962d79fd1be7a8ec0eb198aa52ea864896551736b3614eee9"},"downloads":-1,"filename":"pip-19.1-py2.py3-none-any.whl","has_sig":false,"md5_digest":"0ae44131958e5256aa5f3f0166e54f1b","packagetype":"bdist_wheel","python_version":"py2.py3","requires_python":">=2.7,!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*","size":1361825,"upload_time":"2019-04-24T02:34:04","upload_time_iso_8601":"2019-04-24T02:34:04.086417Z","url":"https://files.pythonhosted.org/packages/f9/fb/863012b13912709c13cf5cfdbfb304fa6c727659d6290438e1a88df9d848/pip-19.1-py2.py3-none-any.whl","yanked":false,"yanked_reason":null},{"comment_text":"","digests":{"blake2b_256":"515f802a04274843f634469ef299fcd273de4438386deb7b8681dd059f0ee3b7","md5":"22e3726252b492ce24312c2b43d0127f","sha256":"d9137cb543d8a4d73140a3282f6d777b2e786bb6abb8add3ac5b6539c82cd624"},"downloads":-1,"filename":"pip-19.1.tar.gz","has_sig":false,"md5_digest":"22e3726252b492ce24312c2b43d0127f","packagetype":"sdist","python_version":"source","requires_python":">=2.7,!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*","size":1334822,"upload_time":"2019-04-24T02:34:07","upload_time_iso_8601":"2019-04-24T02:34:07.121751Z","url":"https://files.pythonhosted.org/packages/51/5f/802a04274843f634469ef299fcd273de4438386deb7b8681dd059f0ee3b7/pip-19.1.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[{"aliases":["CVE-2019-20916","GHSA-gpvv-69j7-gwj8"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py.","fixed_in":["19.2"],"id":"PYSEC-2020-173","link":"https://osv.dev/vulnerability/PYSEC-2020-173","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572","GHSA-5xp3-jfq3-5q8x"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"PYSEC-2021-437","link":"https://osv.dev/vulnerability/PYSEC-2021-437","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2019-20916"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py. A fix was committed 6704f2ace.","fixed_in":["19.2"],"id":"GHSA-gpvv-69j7-gwj8","link":"https://osv.dev/vulnerability/GHSA-gpvv-69j7-gwj8","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"GHSA-5xp3-jfq3-5q8x","link":"https://osv.dev/vulnerability/GHSA-5xp3-jfq3-5q8x","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the `hg clone` call (e.g. `--config`). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.","fixed_in":["23.3"],"id":"GHSA-mq26-g339-26xf","link":"https://osv.dev/vulnerability/GHSA-mq26-g339-26xf","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL  (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n","fixed_in":["23.3"],"id":"PYSEC-2023-228","link":"https://osv.dev/vulnerability/PYSEC-2023-228","source":"osv","summary":null,"withdrawn":null}]},"19.1.1":{"info":{"author":"The pip developers","author_email":"pypa-dev@groups.google.com","bugtrack_url":null,"classifiers":["Development Status :: 5 - Production/Stable","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Programming Language :: Python","Programming Language :: Python :: 2","Programming Language :: Python :: 2.7","Programming Language :: Python :: 3","Programming Language :: Python :: 3.4","Programming Language :: Python :: 3.5","Programming Language :: Python :: 3.6","Programming Language :: Python :: 3.7","Programming Language :: Python :: Implementation :: CPython","Programming Language :: Python :: Implementation :: PyPy","Topic :: Software Development :: Build Tools"],"description_content_type":"","docs_url":null,"download_url":"","downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"https://pip.pypa.io/","keywords":"distutils easy_install egg setuptools wheel virtualenv","license":"MIT","maintainer":"","maintainer_email":"","name":"pip","package_url":"https://pypi.org/project/pip/","platform":"","project_url":"https://pypi.org/project/pip/","project_urls":{"Homepage":"https://pip.pypa.io/"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/19.1.1/","requires_dist":null,"requires_python":">=2.7,!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*","summary":"The PyPA recommended tool for installing Python packages.","version":"19.1.1","yanked":false,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"5ce0be401c003291b56efc55aeba6a80ab790d3d4cece2778288d65323009420","md5":"83dd12cd109aad762bd1a7a2da190f18","sha256":"993134f0475471b91452ca029d4390dc8f298ac63a712814f101cd1b6db46676"},"downloads":-1,"filename":"pip-19.1.1-py2.py3-none-any.whl","has_sig":false,"md5_digest":"83dd12cd109aad762bd1a7a2da190f18","packagetype":"bdist_wheel","python_version":"py2.py3","requires_python":">=2.7,!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*","size":1360957,"upload_time":"2019-05-06T14:55:05","upload_time_iso_8601":"2019-05-06T14:55:05.285246Z","url":"https://files.pythonhosted.org/packages/5c/e0/be401c003291b56efc55aeba6a80ab790d3d4cece2778288d65323009420/pip-19.1.1-py2.py3-none-any.whl","yanked":false,"yanked_reason":null},{"comment_text":"","digests":{"blake2b_256":"93abf86b61bef7ab14909bd7ec3cd2178feb0a1c86d451bc9bccd5a1aedcde5f","md5":"4fb98a060f21c731d6743b90a714fc73","sha256":"44d3d7d3d30a1eb65c7e5ff1173cdf8f7467850605ac7cc3707b6064bddd0958"},"downloads":-1,"filename":"pip-19.1.1.tar.gz","has_sig":false,"md5_digest":"4fb98a060f21c731d6743b90a714fc73","packagetype":"sdist","python_version":"source","requires_python":">=2.7,!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*","size":1334144,"upload_time":"2019-05-06T14:55:07","upload_time_iso_8601":"2019-05-06T14:55:07.864634Z","url":"https://files.pythonhosted.org/packages/93/ab/f86b61bef7ab14909bd7ec3cd2178feb0a1c86d451bc9bccd5a1aedcde5f/pip-19.1.1.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[{"aliases":["CVE-2019-20916","GHSA-gpvv-69j7-gwj8"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py.","fixed_in":["19.2"],"id":"PYSEC-2020-173","link":"https://osv.dev/vulnerability/PYSEC-2020-173","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572","GHSA-5xp3-jfq3-5q8x"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"PYSEC-2021-437","link":"https://osv.dev/vulnerability/PYSEC-2021-437","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2019-20916"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py. A fix was committed 6704f2ace.","fixed_in":["19.2"],"id":"GHSA-gpvv-69j7-gwj8","link":"https://osv.dev/vulnerability/GHSA-gpvv-69j7-gwj8","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"GHSA-5xp3-jfq3-5q8x","link":"https://osv.dev/vulnerability/GHSA-5xp3-jfq3-5q8x","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the `hg clone` call (e.g. `--config`). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.","fixed_in":["23.3"],"id":"GHSA-mq26-g339-26xf","link":"https://osv.dev/vulnerability/GHSA-mq26-g339-26xf","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL  (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n","fixed_in":["23.3"],"id":"PYSEC-2023-228","link":"https://osv.dev/vulnerability/PYSEC-2023-228","source":"osv","summary":null,"withdrawn":null}]},"19.2":{"info":{"author":"The pip developers","author_email":"pypa-dev@groups.google.com","bugtrack_url":null,"classifiers":["Development Status :: 5 - Production/Stable","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Programming Language :: Python","Programming Language :: Python :: 2","Programming Language :: Python :: 2.7","Programming Language :: Python :: 3","Programming Language :: Python :: 3.5","Programming Language :: Python :: 3.6","Programming Language :: Python :: 3.7","Programming Language :: Python :: Implementation :: CPython","Programming Language :: Python :: Implementation :: PyPy","Topic :: Software Development :: Build Tools"],"description_content_type":"","docs_url":null,"download_url":"","downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"https://pip.pypa.io/","keywords":"distutils easy_install egg setuptools wheel virtualenv","license":"MIT","maintainer":"","maintainer_email":"","name":"pip","package_url":"https://pypi.org/project/pip/","platform":"","project_url":"https://pypi.org/project/pip/","project_urls":{"Homepage":"https://pip.pypa.io/"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/19.2/","requires_dist":null,"requires_python":">=2.7,!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*","summary":"The PyPA recommended tool for installing Python packages.","version":"19.2","yanked":false,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"3a6f35de4f49ae5c7fdb2b64097ab195020fb48faa8ad3a85386ece6953c11b1","md5":"2b7f2b4cb16c26ccf9e9915bddc0fccc","sha256":"468c67b0b1120cd0329dc72972cf0651310783a922e7609f3102bd5fb4acbf17"},"downloads":-1,"filename":"pip-19.2-py2.py3-none-any.whl","has_sig":false,"md5_digest":"2b7f2b4cb16c26ccf9e9915bddc0fccc","packagetype":"bdist_wheel","python_version":"py2.py3","requires_python":">=2.7,!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*","size":1414682,"upload_time":"2019-07-23T05:23:19","upload_time_iso_8601":"2019-07-23T05:23:19.723570Z","url":"https://files.pythonhosted.org/packages/3a/6f/35de4f49ae5c7fdb2b64097ab195020fb48faa8ad3a85386ece6953c11b1/pip-19.2-py2.py3-none-any.whl","yanked":false,"yanked_reason":null},{"comment_text":"","digests":{"blake2b_256":"4113b6e68eae78405af6e4e9a93319ae5bb371057786f1590b157341f7542d7d","md5":"1034978c558817e2692d14ff24f44cd1","sha256":"aa6fdd80d13caac75d92b5eced06778712859b1606ba92d62389c11be12b2dad"},"downloads":-1,"filename":"pip-19.2.tar.gz","has_sig":false,"md5_digest":"1034978c558817e2692d14ff24f44cd1","packagetype":"sdist","python_version":"source","requires_python":">=2.7,!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*","size":1376993,"upload_time":"2019-07-23T05:23:37","upload_time_iso_8601":"2019-07-23T05:23:37.293089Z","url":"https://files.pythonhosted.org/packages/41/13/b6e68eae78405af6e4e9a93319ae5bb371057786f1590b157341f7542d7d/pip-19.2.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[{"aliases":["CVE-2021-3572","GHSA-5xp3-jfq3-5q8x"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"PYSEC-2021-437","link":"https://osv.dev/vulnerability/PYSEC-2021-437","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"GHSA-5xp3-jfq3-5q8x","link":"https://osv.dev/vulnerability/GHSA-5xp3-jfq3-5q8x","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the `hg clone` call (e.g. `--config`). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.","fixed_in":["23.3"],"id":"GHSA-mq26-g339-26xf","link":"https://osv.dev/vulnerability/GHSA-mq26-g339-26xf","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL  (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n","fixed_in":["23.3"],"id":"PYSEC-2023-228","link":"https://osv.dev/vulnerability/PYSEC-2023-228","source":"osv","summary":null,"withdrawn":null}]},"19.2.1":{"info":{"author":"The pip developers","author_email":"pypa-dev@groups.google.com","bugtrack_url":null,"classifiers":["Development Status :: 5 - Production/Stable","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Programming Language :: Python","Programming Language :: Python :: 2","Programming Language :: Python :: 2.7","Programming Language :: Python :: 3","Programming Language :: Python :: 3.5","Programming Language :: Python :: 3.6","Programming Language :: Python :: 3.7","Programming Language :: Python :: Implementation :: CPython","Programming Language :: Python :: Implementation :: PyPy","Topic :: Software Development :: Build Tools"],"description_content_type":"","docs_url":null,"download_url":"","downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"https://pip.pypa.io/","keywords":"distutils easy_install egg setuptools wheel virtualenv","license":"MIT","maintainer":"","maintainer_email":"","name":"pip","package_url":"https://pypi.org/project/pip/","platform":"","project_url":"https://pypi.org/project/pip/","project_urls":{"Homepage":"https://pip.pypa.io/"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/19.2.1/","requires_dist":null,"requires_python":">=2.7,!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*","summary":"The PyPA recommended tool for installing Python packages.","version":"19.2.1","yanked":false,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"62ca94d32a6516ed197a491d17d46595ce58a83cbb2fca280414e57cd86b84dc","md5":"fe1bd0ded5ea29206bacdefde80dd028","sha256":"80d7452630a67c1e7763b5f0a515690f2c1e9ad06dda48e0ae85b7fdf2f59d97"},"downloads":-1,"filename":"pip-19.2.1-py2.py3-none-any.whl","has_sig":false,"md5_digest":"fe1bd0ded5ea29206bacdefde80dd028","packagetype":"bdist_wheel","python_version":"py2.py3","requires_python":">=2.7,!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*","size":1414720,"upload_time":"2019-07-23T18:42:37","upload_time_iso_8601":"2019-07-23T18:42:37.347693Z","url":"https://files.pythonhosted.org/packages/62/ca/94d32a6516ed197a491d17d46595ce58a83cbb2fca280414e57cd86b84dc/pip-19.2.1-py2.py3-none-any.whl","yanked":false,"yanked_reason":null},{"comment_text":"","digests":{"blake2b_256":"8b8a1b2aadd922db1afe6bc107b03de41d6d37a28a5923383e60695fba24ae81","md5":"e9ac3e030e88b6c076a20ab371a30742","sha256":"258d702483dd749400aec59c23d638a5b2249ae28a0f478b6cab12ad45681a80"},"downloads":-1,"filename":"pip-19.2.1.tar.gz","has_sig":false,"md5_digest":"e9ac3e030e88b6c076a20ab371a30742","packagetype":"sdist","python_version":"source","requires_python":">=2.7,!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*","size":1376932,"upload_time":"2019-07-23T18:42:47","upload_time_iso_8601":"2019-07-23T18:42:47.557630Z","url":"https://files.pythonhosted.org/packages/8b/8a/1b2aadd922db1afe6bc107b03de41d6d37a28a5923383e60695fba24ae81/pip-19.2.1.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[{"aliases":["CVE-2021-3572","GHSA-5xp3-jfq3-5q8x"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"PYSEC-2021-437","link":"https://osv.dev/vulnerability/PYSEC-2021-437","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"GHSA-5xp3-jfq3-5q8x","link":"https://osv.dev/vulnerability/GHSA-5xp3-jfq3-5q8x","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the `hg clone` call (e.g. `--config`). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.","fixed_in":["23.3"],"id":"GHSA-mq26-g339-26xf","link":"https://osv.dev/vulnerability/GHSA-mq26-g339-26xf","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL  (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n","fixed_in":["23.3"],"id":"PYSEC-2023-228","link":"https://osv.dev/vulnerability/PYSEC-2023-228","source":"osv","summary":null,"withdrawn":null}]},"19.2.2":{"info":{"author":"The pip developers","author_email":"pypa-dev@groups.google.com","bugtrack_url":null,"classifiers":["Development Status :: 5 - Production/Stable","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Programming Language :: Python","Programming Language :: Python :: 2","Programming Language :: Python :: 2.7","Programming Language :: Python :: 3","Programming Language :: Python :: 3.5","Programming Language :: Python :: 3.6","Programming Language :: Python :: 3.7","Programming Language :: Python :: Implementation :: CPython","Programming Language :: Python :: Implementation :: PyPy","Topic :: Software Development :: Build Tools"],"description_content_type":"","docs_url":null,"download_url":"","downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"https://pip.pypa.io/","keywords":"distutils easy_install egg setuptools wheel virtualenv","license":"MIT","maintainer":"","maintainer_email":"","name":"pip","package_url":"https://pypi.org/project/pip/","platform":"","project_url":"https://pypi.org/project/pip/","project_urls":{"Homepage":"https://pip.pypa.io/"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/19.2.2/","requires_dist":null,"requires_python":">=2.7,!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*","summary":"The PyPA recommended tool for installing Python packages.","version":"19.2.2","yanked":false,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"8d07f7d7ced2f97ca3098c16565efbe6b15fafcba53e8d9bdb431e09140514b0","md5":"27f6457ad70454f14ccefda6c371a76e","sha256":"4b956bd8b7b481fc5fa222637ff6d0823a327e5118178f1ec47618a480e61997"},"downloads":-1,"filename":"pip-19.2.2-py2.py3-none-any.whl","has_sig":false,"md5_digest":"27f6457ad70454f14ccefda6c371a76e","packagetype":"bdist_wheel","python_version":"py2.py3","requires_python":">=2.7,!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*","size":1414978,"upload_time":"2019-08-11T17:15:34","upload_time_iso_8601":"2019-08-11T17:15:34.154082Z","url":"https://files.pythonhosted.org/packages/8d/07/f7d7ced2f97ca3098c16565efbe6b15fafcba53e8d9bdb431e09140514b0/pip-19.2.2-py2.py3-none-any.whl","yanked":false,"yanked_reason":null},{"comment_text":"","digests":{"blake2b_256":"aa1a62fb0b95b1572c76dbc3cc31124a8b6866cbe9139eb7659ac7349457cf7c","md5":"2ba0a3b76d39ccd90ca22bfa82fc635f","sha256":"e05103825871e210d50a44c7e448587b0ed99dd775d3ef586304c58f40224a53"},"downloads":-1,"filename":"pip-19.2.2.tar.gz","has_sig":false,"md5_digest":"2ba0a3b76d39ccd90ca22bfa82fc635f","packagetype":"sdist","python_version":"source","requires_python":">=2.7,!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*","size":1377264,"upload_time":"2019-08-11T17:15:41","upload_time_iso_8601":"2019-08-11T17:15:41.329363Z","url":"https://files.pythonhosted.org/packages/aa/1a/62fb0b95b1572c76dbc3cc31124a8b6866cbe9139eb7659ac7349457cf7c/pip-19.2.2.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[{"aliases":["CVE-2021-3572","GHSA-5xp3-jfq3-5q8x"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"PYSEC-2021-437","link":"https://osv.dev/vulnerability/PYSEC-2021-437","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"GHSA-5xp3-jfq3-5q8x","link":"https://osv.dev/vulnerability/GHSA-5xp3-jfq3-5q8x","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the `hg clone` call (e.g. `--config`). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.","fixed_in":["23.3"],"id":"GHSA-mq26-g339-26xf","link":"https://osv.dev/vulnerability/GHSA-mq26-g339-26xf","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL  (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n","fixed_in":["23.3"],"id":"PYSEC-2023-228","link":"https://osv.dev/vulnerability/PYSEC-2023-228","source":"osv","summary":null,"withdrawn":null}]},"19.2.3":{"info":{"author":"The pip developers","author_email":"pypa-dev@groups.google.com","bugtrack_url":null,"classifiers":["Development Status :: 5 - Production/Stable","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Programming Language :: Python","Programming Language :: Python :: 2","Programming Language :: Python :: 2.7","Programming Language :: Python :: 3","Programming Language :: Python :: 3.5","Programming Language :: Python :: 3.6","Programming Language :: Python :: 3.7","Programming Language :: Python :: Implementation :: CPython","Programming Language :: Python :: Implementation :: PyPy","Topic :: Software Development :: Build Tools"],"description_content_type":"","docs_url":null,"download_url":"","downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"https://pip.pypa.io/","keywords":"distutils easy_install egg setuptools wheel virtualenv","license":"MIT","maintainer":"","maintainer_email":"","name":"pip","package_url":"https://pypi.org/project/pip/","platform":"","project_url":"https://pypi.org/project/pip/","project_urls":{"Homepage":"https://pip.pypa.io/"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/19.2.3/","requires_dist":null,"requires_python":">=2.7,!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*","summary":"The PyPA recommended tool for installing Python packages.","version":"19.2.3","yanked":false,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"30db9e38760b32e3e7f40cce46dd5fb107b8c73840df38f0046d8e6514e675a1","md5":"22874c2949cbaac15a778176c2f0f546","sha256":"340a0ba40fdeb16413914c0fcd8e0b4ebb0bf39a900ec80e11c05d836c05103f"},"downloads":-1,"filename":"pip-19.2.3-py2.py3-none-any.whl","has_sig":false,"md5_digest":"22874c2949cbaac15a778176c2f0f546","packagetype":"bdist_wheel","python_version":"py2.py3","requires_python":">=2.7,!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*","size":1414986,"upload_time":"2019-08-25T04:37:17","upload_time_iso_8601":"2019-08-25T04:37:17.617204Z","url":"https://files.pythonhosted.org/packages/30/db/9e38760b32e3e7f40cce46dd5fb107b8c73840df38f0046d8e6514e675a1/pip-19.2.3-py2.py3-none-any.whl","yanked":false,"yanked_reason":null},{"comment_text":"","digests":{"blake2b_256":"009e4c83a0950d8bdec0b4ca72afd2f9cea92d08eb7c1a768363f2ea458d08b4","md5":"f417444c66a0db1a82c8d9d2283a2f95","sha256":"e7a31f147974362e6c82d84b91c7f2bdf57e4d3163d3d454e6c3e71944d67135"},"downloads":-1,"filename":"pip-19.2.3.tar.gz","has_sig":false,"md5_digest":"f417444c66a0db1a82c8d9d2283a2f95","packagetype":"sdist","python_version":"source","requires_python":">=2.7,!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*","size":1377284,"upload_time":"2019-08-25T04:37:23","upload_time_iso_8601":"2019-08-25T04:37:23.130324Z","url":"https://files.pythonhosted.org/packages/00/9e/4c83a0950d8bdec0b4ca72afd2f9cea92d08eb7c1a768363f2ea458d08b4/pip-19.2.3.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[{"aliases":["CVE-2021-3572","GHSA-5xp3-jfq3-5q8x"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"PYSEC-2021-437","link":"https://osv.dev/vulnerability/PYSEC-2021-437","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"GHSA-5xp3-jfq3-5q8x","link":"https://osv.dev/vulnerability/GHSA-5xp3-jfq3-5q8x","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the `hg clone` call (e.g. `--config`). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.","fixed_in":["23.3"],"id":"GHSA-mq26-g339-26xf","link":"https://osv.dev/vulnerability/GHSA-mq26-g339-26xf","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL  (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n","fixed_in":["23.3"],"id":"PYSEC-2023-228","link":"https://osv.dev/vulnerability/PYSEC-2023-228","source":"osv","summary":null,"withdrawn":null}]},"19.3":{"info":{"author":"The pip developers","author_email":"pypa-dev@groups.google.com","bugtrack_url":null,"classifiers":["Development Status :: 5 - Production/Stable","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Programming Language :: Python","Programming Language :: Python :: 2","Programming Language :: Python :: 2.7","Programming Language :: Python :: 3","Programming Language :: Python :: 3.5","Programming Language :: Python :: 3.6","Programming Language :: Python :: 3.7","Programming Language :: Python :: Implementation :: CPython","Programming Language :: Python :: Implementation :: PyPy","Topic :: Software Development :: Build Tools"],"description_content_type":"","docs_url":null,"download_url":"","downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"https://pip.pypa.io/","keywords":"distutils easy_install egg setuptools wheel virtualenv","license":"MIT","maintainer":"","maintainer_email":"","name":"pip","package_url":"https://pypi.org/project/pip/","platform":"","project_url":"https://pypi.org/project/pip/","project_urls":{"Homepage":"https://pip.pypa.io/"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/19.3/","requires_dist":null,"requires_python":">=2.7,!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*","summary":"The PyPA recommended tool for installing Python packages.","version":"19.3","yanked":false,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"4a086ca123073af4ebc4c5488a5bc8a010ac57aa39ce4d3c8a931ad504de4185","md5":"e996d025cdaca91cdff6f8964a3f27f8","sha256":"e100a7eccf085f0720b4478d3bb838e1c179b1e128ec01c0403f84e86e0e2dfb"},"downloads":-1,"filename":"pip-19.3-py2.py3-none-any.whl","has_sig":false,"md5_digest":"e996d025cdaca91cdff6f8964a3f27f8","packagetype":"bdist_wheel","python_version":"py2.py3","requires_python":">=2.7,!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*","size":1415223,"upload_time":"2019-10-14T14:10:01","upload_time_iso_8601":"2019-10-14T14:10:01.358113Z","url":"https://files.pythonhosted.org/packages/4a/08/6ca123073af4ebc4c5488a5bc8a010ac57aa39ce4d3c8a931ad504de4185/pip-19.3-py2.py3-none-any.whl","yanked":false,"yanked_reason":null},{"comment_text":"","digests":{"blake2b_256":"af7a5dd1e6efc894613c432ce86f1011fcc3bbd8ac07dfeae6393b7b97f1de8b","md5":"a57da8b758cbf1a155cde6a7a4428ba7","sha256":"324d234b8f6124846b4e390df255cacbe09ce22791c3b714aa1ea6e44a4f2861"},"downloads":-1,"filename":"pip-19.3.tar.gz","has_sig":false,"md5_digest":"a57da8b758cbf1a155cde6a7a4428ba7","packagetype":"sdist","python_version":"source","requires_python":">=2.7,!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*","size":1393470,"upload_time":"2019-10-14T14:10:52","upload_time_iso_8601":"2019-10-14T14:10:52.024570Z","url":"https://files.pythonhosted.org/packages/af/7a/5dd1e6efc894613c432ce86f1011fcc3bbd8ac07dfeae6393b7b97f1de8b/pip-19.3.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[{"aliases":["CVE-2021-3572","GHSA-5xp3-jfq3-5q8x"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"PYSEC-2021-437","link":"https://osv.dev/vulnerability/PYSEC-2021-437","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"GHSA-5xp3-jfq3-5q8x","link":"https://osv.dev/vulnerability/GHSA-5xp3-jfq3-5q8x","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the `hg clone` call (e.g. `--config`). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.","fixed_in":["23.3"],"id":"GHSA-mq26-g339-26xf","link":"https://osv.dev/vulnerability/GHSA-mq26-g339-26xf","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL  (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n","fixed_in":["23.3"],"id":"PYSEC-2023-228","link":"https://osv.dev/vulnerability/PYSEC-2023-228","source":"osv","summary":null,"withdrawn":null}]},"19.3.1":{"info":{"author":"The pip developers","author_email":"pypa-dev@groups.google.com","bugtrack_url":null,"classifiers":["Development Status :: 5 - Production/Stable","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Programming Language :: Python","Programming Language :: Python :: 2","Programming Language :: Python :: 2.7","Programming Language :: Python :: 3","Programming Language :: Python :: 3.5","Programming Language :: Python :: 3.6","Programming Language :: Python :: 3.7","Programming Language :: Python :: 3.8","Programming Language :: Python :: Implementation :: CPython","Programming Language :: Python :: Implementation :: PyPy","Topic :: Software Development :: Build Tools"],"description_content_type":"","docs_url":null,"download_url":"","downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"https://pip.pypa.io/","keywords":"distutils easy_install egg setuptools wheel virtualenv","license":"MIT","maintainer":"","maintainer_email":"","name":"pip","package_url":"https://pypi.org/project/pip/","platform":"","project_url":"https://pypi.org/project/pip/","project_urls":{"Homepage":"https://pip.pypa.io/"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/19.3.1/","requires_dist":null,"requires_python":">=2.7,!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*","summary":"The PyPA recommended tool for installing Python packages.","version":"19.3.1","yanked":false,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"00b69cfa56b4081ad13874b0c6f96af8ce16cfbc1cb06bedf8e9164ce5551ec1","md5":"44446c91702c2eae878d27fe10c1803c","sha256":"6917c65fc3769ecdc61405d3dfd97afdedd75808d200b2838d7d961cebc0c2c7"},"downloads":-1,"filename":"pip-19.3.1-py2.py3-none-any.whl","has_sig":false,"md5_digest":"44446c91702c2eae878d27fe10c1803c","packagetype":"bdist_wheel","python_version":"py2.py3","requires_python":">=2.7,!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*","size":1415262,"upload_time":"2019-10-18T08:21:23","upload_time_iso_8601":"2019-10-18T08:21:23.319181Z","url":"https://files.pythonhosted.org/packages/00/b6/9cfa56b4081ad13874b0c6f96af8ce16cfbc1cb06bedf8e9164ce5551ec1/pip-19.3.1-py2.py3-none-any.whl","yanked":false,"yanked_reason":null},{"comment_text":"","digests":{"blake2b_256":"ceea9b445176a65ae4ba22dce1d93e4b5fe182f953df71a145f557cffaffc1bf","md5":"1aaaf90fbafc50e7ba1e66ffceb00960","sha256":"21207d76c1031e517668898a6b46a9fb1501c7a4710ef5dfd6a40ad9e6757ea7"},"downloads":-1,"filename":"pip-19.3.1.tar.gz","has_sig":false,"md5_digest":"1aaaf90fbafc50e7ba1e66ffceb00960","packagetype":"sdist","python_version":"source","requires_python":">=2.7,!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*","size":1393609,"upload_time":"2019-10-18T08:21:26","upload_time_iso_8601":"2019-10-18T08:21:26.646455Z","url":"https://files.pythonhosted.org/packages/ce/ea/9b445176a65ae4ba22dce1d93e4b5fe182f953df71a145f557cffaffc1bf/pip-19.3.1.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[{"aliases":["CVE-2021-3572","GHSA-5xp3-jfq3-5q8x"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"PYSEC-2021-437","link":"https://osv.dev/vulnerability/PYSEC-2021-437","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"GHSA-5xp3-jfq3-5q8x","link":"https://osv.dev/vulnerability/GHSA-5xp3-jfq3-5q8x","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the `hg clone` call (e.g. `--config`). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.","fixed_in":["23.3"],"id":"GHSA-mq26-g339-26xf","link":"https://osv.dev/vulnerability/GHSA-mq26-g339-26xf","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL  (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n","fixed_in":["23.3"],"id":"PYSEC-2023-228","link":"https://osv.dev/vulnerability/PYSEC-2023-228","source":"osv","summary":null,"withdrawn":null}]},"20.0":{"info":{"author":"The pip developers","author_email":"pypa-dev@groups.google.com","bugtrack_url":null,"classifiers":["Development Status :: 5 - Production/Stable","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Programming Language :: Python","Programming Language :: Python :: 2","Programming Language :: Python :: 2.7","Programming Language :: Python :: 3","Programming Language :: Python :: 3.5","Programming Language :: Python :: 3.6","Programming Language :: Python :: 3.7","Programming Language :: Python :: 3.8","Programming Language :: Python :: Implementation :: CPython","Programming Language :: Python :: Implementation :: PyPy","Topic :: Software Development :: Build Tools"],"description_content_type":"","docs_url":null,"download_url":"","downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"https://pip.pypa.io/","keywords":"distutils easy_install egg setuptools wheel virtualenv","license":"MIT","maintainer":"","maintainer_email":"","name":"pip","package_url":"https://pypi.org/project/pip/","platform":"","project_url":"https://pypi.org/project/pip/","project_urls":{"Documentation":"https://pip.pypa.io","Homepage":"https://pip.pypa.io/","Source":"https://github.com/pypa/pip"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/20.0/","requires_dist":null,"requires_python":">=2.7,!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*","summary":"The PyPA recommended tool for installing Python packages.","version":"20.0","yanked":true,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"606516487a7c4e0f95bb3fc89c2e377be331fd496b7a9b08fd3077de7f3ae2cf","md5":"d87ea31fe1e5d853c3799878dcf072db","sha256":"eea07b449d969dbc8c062c157852cf8ed2ad1b8b5ac965a6b819e62929e41703"},"downloads":-1,"filename":"pip-20.0-py2.py3-none-any.whl","has_sig":false,"md5_digest":"d87ea31fe1e5d853c3799878dcf072db","packagetype":"bdist_wheel","python_version":"py2.py3","requires_python":">=2.7,!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*","size":1518959,"upload_time":"2020-01-21T11:42:56","upload_time_iso_8601":"2020-01-21T11:42:56.407994Z","url":"https://files.pythonhosted.org/packages/60/65/16487a7c4e0f95bb3fc89c2e377be331fd496b7a9b08fd3077de7f3ae2cf/pip-20.0-py2.py3-none-any.whl","yanked":true,"yanked_reason":null},{"comment_text":"","digests":{"blake2b_256":"8c5cc18d58ab5c1a702bf670e0bd6a77cd4645e4aeca021c6118ef850895cc96","md5":"d5c7e5820f0d2ae13f37cdb1807b5b96","sha256":"5128e9a9401f1d16c1d15b2ed766a79d7813db1538428d0b0ce74838249e3a41"},"downloads":-1,"filename":"pip-20.0.tar.gz","has_sig":false,"md5_digest":"d5c7e5820f0d2ae13f37cdb1807b5b96","packagetype":"sdist","python_version":"source","requires_python":">=2.7,!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*","size":1433834,"upload_time":"2020-01-21T11:42:59","upload_time_iso_8601":"2020-01-21T11:42:59.282402Z","url":"https://files.pythonhosted.org/packages/8c/5c/c18d58ab5c1a702bf670e0bd6a77cd4645e4aeca021c6118ef850895cc96/pip-20.0.tar.gz","yanked":true,"yanked_reason":null}],"vulnerabilities":[{"aliases":["CVE-2021-3572","GHSA-5xp3-jfq3-5q8x"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"PYSEC-2021-437","link":"https://osv.dev/vulnerability/PYSEC-2021-437","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"GHSA-5xp3-jfq3-5q8x","link":"https://osv.dev/vulnerability/GHSA-5xp3-jfq3-5q8x","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the `hg clone` call (e.g. `--config`). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.","fixed_in":["23.3"],"id":"GHSA-mq26-g339-26xf","link":"https://osv.dev/vulnerability/GHSA-mq26-g339-26xf","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL  (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n","fixed_in":["23.3"],"id":"PYSEC-2023-228","link":"https://osv.dev/vulnerability/PYSEC-2023-228","source":"osv","summary":null,"withdrawn":null}]},"20.0.1":{"info":{"author":"The pip developers","author_email":"pypa-dev@groups.google.com","bugtrack_url":null,"classifiers":["Development Status :: 5 - Production/Stable","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Programming Language :: Python","Programming Language :: Python :: 2","Programming Language :: Python :: 2.7","Programming Language :: Python :: 3","Programming Language :: Python :: 3.5","Programming Language :: Python :: 3.6","Programming Language :: Python :: 3.7","Programming Language :: Python :: 3.8","Programming Language :: Python :: Implementation :: CPython","Programming Language :: Python :: Implementation :: PyPy","Topic :: Software Development :: Build Tools"],"description_content_type":"","docs_url":null,"download_url":"","downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"https://pip.pypa.io/","keywords":"distutils easy_install egg setuptools wheel virtualenv","license":"MIT","maintainer":"","maintainer_email":"","name":"pip","package_url":"https://pypi.org/project/pip/","platform":"","project_url":"https://pypi.org/project/pip/","project_urls":{"Documentation":"https://pip.pypa.io","Homepage":"https://pip.pypa.io/","Source":"https://github.com/pypa/pip"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/20.0.1/","requires_dist":null,"requires_python":">=2.7,!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*","summary":"The PyPA recommended tool for installing Python packages.","version":"20.0.1","yanked":false,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"573667f809c135c17ec9b8276466cc57f35b98c240f55c780689ea29fa32f512","md5":"d9f6c711a90ab11a255f810eaf5dd589","sha256":"b7110a319790ae17e8105ecd6fe07dbcc098a280c6d27b6dd7a20174927c24d7"},"downloads":-1,"filename":"pip-20.0.1-py2.py3-none-any.whl","has_sig":false,"md5_digest":"d9f6c711a90ab11a255f810eaf5dd589","packagetype":"bdist_wheel","python_version":"py2.py3","requires_python":">=2.7,!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*","size":1520463,"upload_time":"2020-01-21T12:43:41","upload_time_iso_8601":"2020-01-21T12:43:41.837686Z","url":"https://files.pythonhosted.org/packages/57/36/67f809c135c17ec9b8276466cc57f35b98c240f55c780689ea29fa32f512/pip-20.0.1-py2.py3-none-any.whl","yanked":false,"yanked_reason":null},{"comment_text":"","digests":{"blake2b_256":"28af2c76c8aa46ccdf7578b83d97a11a2d1858794d4be4a1610ade0d30182e8b","md5":"b5922a07b294ea4d7f556822b10ef49e","sha256":"3cebbac2a1502e09265f94e5717408339de846b3c0f0ed086d7b817df9cab822"},"downloads":-1,"filename":"pip-20.0.1.tar.gz","has_sig":false,"md5_digest":"b5922a07b294ea4d7f556822b10ef49e","packagetype":"sdist","python_version":"source","requires_python":">=2.7,!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*","size":1433939,"upload_time":"2020-01-21T12:43:45","upload_time_iso_8601":"2020-01-21T12:43:45.550855Z","url":"https://files.pythonhosted.org/packages/28/af/2c76c8aa46ccdf7578b83d97a11a2d1858794d4be4a1610ade0d30182e8b/pip-20.0.1.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[{"aliases":["CVE-2021-3572","GHSA-5xp3-jfq3-5q8x"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"PYSEC-2021-437","link":"https://osv.dev/vulnerability/PYSEC-2021-437","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"GHSA-5xp3-jfq3-5q8x","link":"https://osv.dev/vulnerability/GHSA-5xp3-jfq3-5q8x","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the `hg clone` call (e.g. `--config`). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.","fixed_in":["23.3"],"id":"GHSA-mq26-g339-26xf","link":"https://osv.dev/vulnerability/GHSA-mq26-g339-26xf","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL  (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n","fixed_in":["23.3"],"id":"PYSEC-2023-228","link":"https://osv.dev/vulnerability/PYSEC-2023-228","source":"osv","summary":null,"withdrawn":null}]},"20.0.2":{"info":{"author":"The pip developers","author_email":"pypa-dev@groups.google.com","bugtrack_url":null,"classifiers":["Development Status :: 5 - Production/Stable","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Programming Language :: Python","Programming Language :: Python :: 2","Programming Language :: Python :: 2.7","Programming Language :: Python :: 3","Programming Language :: Python :: 3.5","Programming Language :: Python :: 3.6","Programming Language :: Python :: 3.7","Programming Language :: Python :: 3.8","Programming Language :: Python :: Implementation :: CPython","Programming Language :: Python :: Implementation :: PyPy","Topic :: Software Development :: Build Tools"],"description_content_type":"","docs_url":null,"download_url":"","downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"https://pip.pypa.io/","keywords":"distutils easy_install egg setuptools wheel virtualenv","license":"MIT","maintainer":"","maintainer_email":"","name":"pip","package_url":"https://pypi.org/project/pip/","platform":"","project_url":"https://pypi.org/project/pip/","project_urls":{"Documentation":"https://pip.pypa.io","Homepage":"https://pip.pypa.io/","Source":"https://github.com/pypa/pip"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/20.0.2/","requires_dist":null,"requires_python":">=2.7,!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*","summary":"The PyPA recommended tool for installing Python packages.","version":"20.0.2","yanked":false,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"540cd01aa759fdc501a58f431eb594a17495f15b88da142ce14b5845662c13f3","md5":"2762a1e7f11cff2bb8f8e69997f11331","sha256":"4ae14a42d8adba3205ebeb38aa68cfc0b6c346e1ae2e699a0b3bad4da19cef5c"},"downloads":-1,"filename":"pip-20.0.2-py2.py3-none-any.whl","has_sig":false,"md5_digest":"2762a1e7f11cff2bb8f8e69997f11331","packagetype":"bdist_wheel","python_version":"py2.py3","requires_python":">=2.7,!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*","size":1440952,"upload_time":"2020-01-24T14:50:44","upload_time_iso_8601":"2020-01-24T14:50:44.419813Z","url":"https://files.pythonhosted.org/packages/54/0c/d01aa759fdc501a58f431eb594a17495f15b88da142ce14b5845662c13f3/pip-20.0.2-py2.py3-none-any.whl","yanked":false,"yanked_reason":null},{"comment_text":"","digests":{"blake2b_256":"8e7666066b7bc71817238924c7e4b448abdb17eb0c92d645769c223f9ace478f","md5":"7d42ba49b809604f0df3d55df1c3fd86","sha256":"7db0c8ea4c7ea51c8049640e8e6e7fde949de672bfa4949920675563a5a6967f"},"downloads":-1,"filename":"pip-20.0.2.tar.gz","has_sig":false,"md5_digest":"7d42ba49b809604f0df3d55df1c3fd86","packagetype":"sdist","python_version":"source","requires_python":">=2.7,!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*","size":1433827,"upload_time":"2020-01-24T14:50:47","upload_time_iso_8601":"2020-01-24T14:50:47.350895Z","url":"https://files.pythonhosted.org/packages/8e/76/66066b7bc71817238924c7e4b448abdb17eb0c92d645769c223f9ace478f/pip-20.0.2.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[{"aliases":["CVE-2021-3572","GHSA-5xp3-jfq3-5q8x"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"PYSEC-2021-437","link":"https://osv.dev/vulnerability/PYSEC-2021-437","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"GHSA-5xp3-jfq3-5q8x","link":"https://osv.dev/vulnerability/GHSA-5xp3-jfq3-5q8x","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the `hg clone` call (e.g. `--config`). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.","fixed_in":["23.3"],"id":"GHSA-mq26-g339-26xf","link":"https://osv.dev/vulnerability/GHSA-mq26-g339-26xf","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL  (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n","fixed_in":["23.3"],"id":"PYSEC-2023-228","link":"https://osv.dev/vulnerability/PYSEC-2023-228","source":"osv","summary":null,"withdrawn":null}]},"20.1":{"info":{"author":"The pip developers","author_email":"pypa-dev@groups.google.com","bugtrack_url":null,"classifiers":["Development Status :: 5 - Production/Stable","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Programming Language :: Python","Programming Language :: Python :: 2","Programming Language :: Python :: 2.7","Programming Language :: Python :: 3","Programming Language :: Python :: 3.5","Programming Language :: Python :: 3.6","Programming Language :: Python :: 3.7","Programming Language :: Python :: 3.8","Programming Language :: Python :: Implementation :: CPython","Programming Language :: Python :: Implementation :: PyPy","Topic :: Software Development :: Build Tools"],"description_content_type":"","docs_url":null,"download_url":"","downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"https://pip.pypa.io/","keywords":"distutils easy_install egg setuptools wheel virtualenv","license":"MIT","maintainer":"","maintainer_email":"","name":"pip","package_url":"https://pypi.org/project/pip/","platform":"","project_url":"https://pypi.org/project/pip/","project_urls":{"Documentation":"https://pip.pypa.io","Homepage":"https://pip.pypa.io/","Source":"https://github.com/pypa/pip"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/20.1/","requires_dist":null,"requires_python":">=2.7,!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*","summary":"The PyPA recommended tool for installing Python packages.","version":"20.1","yanked":false,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"542edf11ea7e23e7e761d484ed3740285a34e38548cf2bad2bed3dd5768ec8b9","md5":"f97751566557b07c724d486e2ccd8726","sha256":"4fdc7fd2db7636777d28d2e1432e2876e30c2b790d461f135716577f73104369"},"downloads":-1,"filename":"pip-20.1-py2.py3-none-any.whl","has_sig":false,"md5_digest":"f97751566557b07c724d486e2ccd8726","packagetype":"bdist_wheel","python_version":"py2.py3","requires_python":">=2.7,!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*","size":1489786,"upload_time":"2020-04-28T16:54:23","upload_time_iso_8601":"2020-04-28T16:54:23.232633Z","url":"https://files.pythonhosted.org/packages/54/2e/df11ea7e23e7e761d484ed3740285a34e38548cf2bad2bed3dd5768ec8b9/pip-20.1-py2.py3-none-any.whl","yanked":false,"yanked_reason":null},{"comment_text":"","digests":{"blake2b_256":"d105059c78cd5d740d2299266ffa15514dad6692d4694df571bf168e2cdd98fb","md5":"cbe8a4277d0ebbb508a1913c6b670fe6","sha256":"572c0f25eca7c87217b21f6945b7192744103b18f4e4b16b8a83b227a811e192"},"downloads":-1,"filename":"pip-20.1.tar.gz","has_sig":false,"md5_digest":"cbe8a4277d0ebbb508a1913c6b670fe6","packagetype":"sdist","python_version":"source","requires_python":">=2.7,!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*","size":1474248,"upload_time":"2020-04-28T16:54:25","upload_time_iso_8601":"2020-04-28T16:54:25.410325Z","url":"https://files.pythonhosted.org/packages/d1/05/059c78cd5d740d2299266ffa15514dad6692d4694df571bf168e2cdd98fb/pip-20.1.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[{"aliases":["CVE-2021-3572","GHSA-5xp3-jfq3-5q8x"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"PYSEC-2021-437","link":"https://osv.dev/vulnerability/PYSEC-2021-437","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"GHSA-5xp3-jfq3-5q8x","link":"https://osv.dev/vulnerability/GHSA-5xp3-jfq3-5q8x","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the `hg clone` call (e.g. `--config`). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.","fixed_in":["23.3"],"id":"GHSA-mq26-g339-26xf","link":"https://osv.dev/vulnerability/GHSA-mq26-g339-26xf","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL  (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n","fixed_in":["23.3"],"id":"PYSEC-2023-228","link":"https://osv.dev/vulnerability/PYSEC-2023-228","source":"osv","summary":null,"withdrawn":null}]},"20.1.1":{"info":{"author":"The pip developers","author_email":"pypa-dev@groups.google.com","bugtrack_url":null,"classifiers":["Development Status :: 5 - Production/Stable","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Programming Language :: Python","Programming Language :: Python :: 2","Programming Language :: Python :: 2.7","Programming Language :: Python :: 3","Programming Language :: Python :: 3.5","Programming Language :: Python :: 3.6","Programming Language :: Python :: 3.7","Programming Language :: Python :: 3.8","Programming Language :: Python :: Implementation :: CPython","Programming Language :: Python :: Implementation :: PyPy","Topic :: Software Development :: Build Tools"],"description_content_type":"","docs_url":null,"download_url":"","downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"https://pip.pypa.io/","keywords":"distutils easy_install egg setuptools wheel virtualenv","license":"MIT","maintainer":"","maintainer_email":"","name":"pip","package_url":"https://pypi.org/project/pip/","platform":"","project_url":"https://pypi.org/project/pip/","project_urls":{"Documentation":"https://pip.pypa.io","Homepage":"https://pip.pypa.io/","Source":"https://github.com/pypa/pip"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/20.1.1/","requires_dist":null,"requires_python":">=2.7,!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*","summary":"The PyPA recommended tool for installing Python packages.","version":"20.1.1","yanked":false,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"438423ed6a1796480a6f1a2d38f2802901d078266bda38388954d01d3f2e821d","md5":"eeea173ab944151eb8ffb7bc8a3d1ddc","sha256":"b27c4dedae8c41aa59108f2fa38bf78e0890e590545bc8ece7cdceb4ba60f6e4"},"downloads":-1,"filename":"pip-20.1.1-py2.py3-none-any.whl","has_sig":false,"md5_digest":"eeea173ab944151eb8ffb7bc8a3d1ddc","packagetype":"bdist_wheel","python_version":"py2.py3","requires_python":">=2.7,!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*","size":1490666,"upload_time":"2020-05-19T10:40:29","upload_time_iso_8601":"2020-05-19T10:40:29.087652Z","url":"https://files.pythonhosted.org/packages/43/84/23ed6a1796480a6f1a2d38f2802901d078266bda38388954d01d3f2e821d/pip-20.1.1-py2.py3-none-any.whl","yanked":false,"yanked_reason":null},{"comment_text":"","digests":{"blake2b_256":"0825f204a6138dade2f6757b4ae99bc3994aac28a5602c97ddb2a35e0e22fbc4","md5":"62fa8775c44b070c5e1a3f44b0b6ccc5","sha256":"27f8dc29387dd83249e06e681ce087e6061826582198a425085e0bf4c1cf3a55"},"downloads":-1,"filename":"pip-20.1.1.tar.gz","has_sig":false,"md5_digest":"62fa8775c44b070c5e1a3f44b0b6ccc5","packagetype":"sdist","python_version":"source","requires_python":">=2.7,!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*","size":1475109,"upload_time":"2020-05-19T10:40:32","upload_time_iso_8601":"2020-05-19T10:40:32.181030Z","url":"https://files.pythonhosted.org/packages/08/25/f204a6138dade2f6757b4ae99bc3994aac28a5602c97ddb2a35e0e22fbc4/pip-20.1.1.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[{"aliases":["CVE-2021-3572","GHSA-5xp3-jfq3-5q8x"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"PYSEC-2021-437","link":"https://osv.dev/vulnerability/PYSEC-2021-437","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"GHSA-5xp3-jfq3-5q8x","link":"https://osv.dev/vulnerability/GHSA-5xp3-jfq3-5q8x","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the `hg clone` call (e.g. `--config`). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.","fixed_in":["23.3"],"id":"GHSA-mq26-g339-26xf","link":"https://osv.dev/vulnerability/GHSA-mq26-g339-26xf","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL  (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n","fixed_in":["23.3"],"id":"PYSEC-2023-228","link":"https://osv.dev/vulnerability/PYSEC-2023-228","source":"osv","summary":null,"withdrawn":null}]},"20.1b1":{"info":{"author":"The pip developers","author_email":"pypa-dev@groups.google.com","bugtrack_url":null,"classifiers":["Development Status :: 5 - Production/Stable","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Programming Language :: Python","Programming Language :: Python :: 2","Programming Language :: Python :: 2.7","Programming Language :: Python :: 3","Programming Language :: Python :: 3.5","Programming Language :: Python :: 3.6","Programming Language :: Python :: 3.7","Programming Language :: Python :: 3.8","Programming Language :: Python :: Implementation :: CPython","Programming Language :: Python :: Implementation :: PyPy","Topic :: Software Development :: Build Tools"],"description_content_type":"","docs_url":null,"download_url":"","downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"https://pip.pypa.io/","keywords":"distutils easy_install egg setuptools wheel virtualenv","license":"MIT","maintainer":"","maintainer_email":"","name":"pip","package_url":"https://pypi.org/project/pip/","platform":"","project_url":"https://pypi.org/project/pip/","project_urls":{"Documentation":"https://pip.pypa.io","Homepage":"https://pip.pypa.io/","Source":"https://github.com/pypa/pip"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/20.1b1/","requires_dist":null,"requires_python":">=2.7,!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*","summary":"The PyPA recommended tool for installing Python packages.","version":"20.1b1","yanked":false,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"ec0582d3fababbf462d876883ebc36f030f4fa057a563a80f5a26ee63679d9ea","md5":"c4f8671f195f9a41444ee55fad3c9786","sha256":"4cf0348b683937da883ccaae8c8bcfc9b4c7ba4c48b38cc2d89cd7b8d0b220d9"},"downloads":-1,"filename":"pip-20.1b1-py2.py3-none-any.whl","has_sig":false,"md5_digest":"c4f8671f195f9a41444ee55fad3c9786","packagetype":"bdist_wheel","python_version":"py2.py3","requires_python":">=2.7,!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*","size":1489600,"upload_time":"2020-04-21T02:03:49","upload_time_iso_8601":"2020-04-21T02:03:49.220700Z","url":"https://files.pythonhosted.org/packages/ec/05/82d3fababbf462d876883ebc36f030f4fa057a563a80f5a26ee63679d9ea/pip-20.1b1-py2.py3-none-any.whl","yanked":false,"yanked_reason":null},{"comment_text":"","digests":{"blake2b_256":"cd81c1184456fe506bd50992571c9f8581907976ce71502e36741f033e2da1f1","md5":"cf3d329b2d755a4bcb1d712725738706","sha256":"699880a47f6d306f4f9a87ca151ef33d41d2223b81ff343b786d38c297923a19"},"downloads":-1,"filename":"pip-20.1b1.tar.gz","has_sig":false,"md5_digest":"cf3d329b2d755a4bcb1d712725738706","packagetype":"sdist","python_version":"source","requires_python":">=2.7,!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*","size":1473869,"upload_time":"2020-04-21T02:03:51","upload_time_iso_8601":"2020-04-21T02:03:51.598151Z","url":"https://files.pythonhosted.org/packages/cd/81/c1184456fe506bd50992571c9f8581907976ce71502e36741f033e2da1f1/pip-20.1b1.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[{"aliases":["CVE-2021-3572","GHSA-5xp3-jfq3-5q8x"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"PYSEC-2021-437","link":"https://osv.dev/vulnerability/PYSEC-2021-437","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"GHSA-5xp3-jfq3-5q8x","link":"https://osv.dev/vulnerability/GHSA-5xp3-jfq3-5q8x","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the `hg clone` call (e.g. `--config`). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.","fixed_in":["23.3"],"id":"GHSA-mq26-g339-26xf","link":"https://osv.dev/vulnerability/GHSA-mq26-g339-26xf","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL  (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n","fixed_in":["23.3"],"id":"PYSEC-2023-228","link":"https://osv.dev/vulnerability/PYSEC-2023-228","source":"osv","summary":null,"withdrawn":null}]},"20.2":{"info":{"author":"The pip developers","author_email":"distutils-sig@python.org","bugtrack_url":null,"classifiers":["Development Status :: 5 - Production/Stable","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Programming Language :: Python","Programming Language :: Python :: 2","Programming Language :: Python :: 2.7","Programming Language :: Python :: 3","Programming Language :: Python :: 3.5","Programming Language :: Python :: 3.6","Programming Language :: Python :: 3.7","Programming Language :: Python :: 3.8","Programming Language :: Python :: Implementation :: CPython","Programming Language :: Python :: Implementation :: PyPy","Topic :: Software Development :: Build Tools"],"description_content_type":"","docs_url":null,"download_url":"","downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"https://pip.pypa.io/","keywords":"distutils easy_install egg setuptools wheel virtualenv","license":"MIT","maintainer":"","maintainer_email":"","name":"pip","package_url":"https://pypi.org/project/pip/","platform":"","project_url":"https://pypi.org/project/pip/","project_urls":{"Changelog":"https://pip.pypa.io/en/stable/news/","Documentation":"https://pip.pypa.io","Homepage":"https://pip.pypa.io/","Source":"https://github.com/pypa/pip"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/20.2/","requires_dist":null,"requires_python":">=2.7,!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*","summary":"The PyPA recommended tool for installing Python packages.","version":"20.2","yanked":false,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"367438c2410d688ac7b48afa07d413674afc1f903c1c1f854de51dc8eb2367a5","md5":"11ea34a66db5572c0ac09e599648622b","sha256":"d75f1fc98262dabf74656245c509213a5d0f52137e40e8f8ed5cc256ddd02923"},"downloads":-1,"filename":"pip-20.2-py2.py3-none-any.whl","has_sig":false,"md5_digest":"11ea34a66db5572c0ac09e599648622b","packagetype":"bdist_wheel","python_version":"py2.py3","requires_python":">=2.7,!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*","size":1503020,"upload_time":"2020-07-29T03:26:29","upload_time_iso_8601":"2020-07-29T03:26:29.143873Z","url":"https://files.pythonhosted.org/packages/36/74/38c2410d688ac7b48afa07d413674afc1f903c1c1f854de51dc8eb2367a5/pip-20.2-py2.py3-none-any.whl","yanked":false,"yanked_reason":null},{"comment_text":"","digests":{"blake2b_256":"b927a9007a575c8a8e80c22144fec5df3943fd304dfa791bed44a0130e984803","md5":"02ee9b205f072f189f80c3ccb59d8886","sha256":"912935eb20ea6a3b5ed5810dde9754fde5563f5ca9be44a8a6e5da806ade970b"},"downloads":-1,"filename":"pip-20.2.tar.gz","has_sig":false,"md5_digest":"02ee9b205f072f189f80c3ccb59d8886","packagetype":"sdist","python_version":"source","requires_python":">=2.7,!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*","size":1494827,"upload_time":"2020-07-29T03:26:32","upload_time_iso_8601":"2020-07-29T03:26:32.712055Z","url":"https://files.pythonhosted.org/packages/b9/27/a9007a575c8a8e80c22144fec5df3943fd304dfa791bed44a0130e984803/pip-20.2.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[{"aliases":["CVE-2021-3572","GHSA-5xp3-jfq3-5q8x"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"PYSEC-2021-437","link":"https://osv.dev/vulnerability/PYSEC-2021-437","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"GHSA-5xp3-jfq3-5q8x","link":"https://osv.dev/vulnerability/GHSA-5xp3-jfq3-5q8x","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the `hg clone` call (e.g. `--config`). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.","fixed_in":["23.3"],"id":"GHSA-mq26-g339-26xf","link":"https://osv.dev/vulnerability/GHSA-mq26-g339-26xf","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL  (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n","fixed_in":["23.3"],"id":"PYSEC-2023-228","link":"https://osv.dev/vulnerability/PYSEC-2023-228","source":"osv","summary":null,"withdrawn":null}]},"20.2.1":{"info":{"author":"The pip developers","author_email":"distutils-sig@python.org","bugtrack_url":null,"classifiers":["Development Status :: 5 - Production/Stable","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Programming Language :: Python","Programming Language :: Python :: 2","Programming Language :: Python :: 2.7","Programming Language :: Python :: 3","Programming Language :: Python :: 3.5","Programming Language :: Python :: 3.6","Programming Language :: Python :: 3.7","Programming Language :: Python :: 3.8","Programming Language :: Python :: Implementation :: CPython","Programming Language :: Python :: Implementation :: PyPy","Topic :: Software Development :: Build Tools"],"description_content_type":"","docs_url":null,"download_url":"","downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"https://pip.pypa.io/","keywords":"distutils easy_install egg setuptools wheel virtualenv","license":"MIT","maintainer":"","maintainer_email":"","name":"pip","package_url":"https://pypi.org/project/pip/","platform":"","project_url":"https://pypi.org/project/pip/","project_urls":{"Changelog":"https://pip.pypa.io/en/stable/news/","Documentation":"https://pip.pypa.io","Homepage":"https://pip.pypa.io/","Source":"https://github.com/pypa/pip"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/20.2.1/","requires_dist":null,"requires_python":">=2.7,!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*","summary":"The PyPA recommended tool for installing Python packages.","version":"20.2.1","yanked":false,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"bdb156a834acdbe23b486dea16aaf4c27ed28eb292695b90d01dff96c96597de","md5":"1dd07ecf302ea377be4b71e62ff67b66","sha256":"7792c1a4f60fca3a9d674e7dee62c24e21a32df1f47d308524d3507455784f29"},"downloads":-1,"filename":"pip-20.2.1-py2.py3-none-any.whl","has_sig":false,"md5_digest":"1dd07ecf302ea377be4b71e62ff67b66","packagetype":"bdist_wheel","python_version":"py2.py3","requires_python":">=2.7,!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*","size":1503343,"upload_time":"2020-08-04T08:32:01","upload_time_iso_8601":"2020-08-04T08:32:01.714780Z","url":"https://files.pythonhosted.org/packages/bd/b1/56a834acdbe23b486dea16aaf4c27ed28eb292695b90d01dff96c96597de/pip-20.2.1-py2.py3-none-any.whl","yanked":false,"yanked_reason":null},{"comment_text":"","digests":{"blake2b_256":"681a8cfcf3a8cba0dd0f125927c986b1502f2eed284c63fdfd6797ea74300ae4","md5":"0936255a11ade28cbde12899670235e6","sha256":"c87c2b2620f2942dfd5f3cf1bb2a18a99ae70de07384e847c8e3afd1d1604cf2"},"downloads":-1,"filename":"pip-20.2.1.tar.gz","has_sig":false,"md5_digest":"0936255a11ade28cbde12899670235e6","packagetype":"sdist","python_version":"source","requires_python":">=2.7,!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*","size":1496280,"upload_time":"2020-08-04T08:32:06","upload_time_iso_8601":"2020-08-04T08:32:06.719386Z","url":"https://files.pythonhosted.org/packages/68/1a/8cfcf3a8cba0dd0f125927c986b1502f2eed284c63fdfd6797ea74300ae4/pip-20.2.1.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[{"aliases":["CVE-2021-3572","GHSA-5xp3-jfq3-5q8x"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"PYSEC-2021-437","link":"https://osv.dev/vulnerability/PYSEC-2021-437","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"GHSA-5xp3-jfq3-5q8x","link":"https://osv.dev/vulnerability/GHSA-5xp3-jfq3-5q8x","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the `hg clone` call (e.g. `--config`). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.","fixed_in":["23.3"],"id":"GHSA-mq26-g339-26xf","link":"https://osv.dev/vulnerability/GHSA-mq26-g339-26xf","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL  (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n","fixed_in":["23.3"],"id":"PYSEC-2023-228","link":"https://osv.dev/vulnerability/PYSEC-2023-228","source":"osv","summary":null,"withdrawn":null}]},"20.2.2":{"info":{"author":"The pip developers","author_email":"distutils-sig@python.org","bugtrack_url":null,"classifiers":["Development Status :: 5 - Production/Stable","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Programming Language :: Python","Programming Language :: Python :: 2","Programming Language :: Python :: 2.7","Programming Language :: Python :: 3","Programming Language :: Python :: 3.5","Programming Language :: Python :: 3.6","Programming Language :: Python :: 3.7","Programming Language :: Python :: 3.8","Programming Language :: Python :: Implementation :: CPython","Programming Language :: Python :: Implementation :: PyPy","Topic :: Software Development :: Build Tools"],"description_content_type":"","docs_url":null,"download_url":"","downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"https://pip.pypa.io/","keywords":"distutils easy_install egg setuptools wheel virtualenv","license":"MIT","maintainer":"","maintainer_email":"","name":"pip","package_url":"https://pypi.org/project/pip/","platform":"","project_url":"https://pypi.org/project/pip/","project_urls":{"Changelog":"https://pip.pypa.io/en/stable/news/","Documentation":"https://pip.pypa.io","Homepage":"https://pip.pypa.io/","Source":"https://github.com/pypa/pip"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/20.2.2/","requires_dist":null,"requires_python":">=2.7,!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*","summary":"The PyPA recommended tool for installing Python packages.","version":"20.2.2","yanked":false,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"5a4a39400ff9b36e719bdf8f31c99fe1fa7842a42fa77432e584f707a5080063","md5":"9da9f6338ed8e51efea1269e73d12276","sha256":"5244e51494f5d1dfbb89da492d4250cb07f9246644736d10ed6c45deb1a48500"},"downloads":-1,"filename":"pip-20.2.2-py2.py3-none-any.whl","has_sig":false,"md5_digest":"9da9f6338ed8e51efea1269e73d12276","packagetype":"bdist_wheel","python_version":"py2.py3","requires_python":">=2.7,!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*","size":1503623,"upload_time":"2020-08-11T12:42:55","upload_time_iso_8601":"2020-08-11T12:42:55.398447Z","url":"https://files.pythonhosted.org/packages/5a/4a/39400ff9b36e719bdf8f31c99fe1fa7842a42fa77432e584f707a5080063/pip-20.2.2-py2.py3-none-any.whl","yanked":false,"yanked_reason":null},{"comment_text":"","digests":{"blake2b_256":"738e7774190ac616c69194688ffce7c1b2a097749792fea42e390e7ddfdef8bc","md5":"64575b1618837460039d8368b692fa8a","sha256":"58a3b0b55ee2278104165c7ee7bc8e2db6f635067f3c66cf637113ec5aa71584"},"downloads":-1,"filename":"pip-20.2.2.tar.gz","has_sig":false,"md5_digest":"64575b1618837460039d8368b692fa8a","packagetype":"sdist","python_version":"source","requires_python":">=2.7,!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*","size":1496965,"upload_time":"2020-08-11T12:42:58","upload_time_iso_8601":"2020-08-11T12:42:58.238777Z","url":"https://files.pythonhosted.org/packages/73/8e/7774190ac616c69194688ffce7c1b2a097749792fea42e390e7ddfdef8bc/pip-20.2.2.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[{"aliases":["CVE-2021-3572","GHSA-5xp3-jfq3-5q8x"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"PYSEC-2021-437","link":"https://osv.dev/vulnerability/PYSEC-2021-437","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"GHSA-5xp3-jfq3-5q8x","link":"https://osv.dev/vulnerability/GHSA-5xp3-jfq3-5q8x","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the `hg clone` call (e.g. `--config`). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.","fixed_in":["23.3"],"id":"GHSA-mq26-g339-26xf","link":"https://osv.dev/vulnerability/GHSA-mq26-g339-26xf","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL  (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n","fixed_in":["23.3"],"id":"PYSEC-2023-228","link":"https://osv.dev/vulnerability/PYSEC-2023-228","source":"osv","summary":null,"withdrawn":null}]},"20.2.3":{"info":{"author":"The pip developers","author_email":"distutils-sig@python.org","bugtrack_url":null,"classifiers":["Development Status :: 5 - Production/Stable","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Programming Language :: Python","Programming Language :: Python :: 2","Programming Language :: Python :: 2.7","Programming Language :: Python :: 3","Programming Language :: Python :: 3.5","Programming Language :: Python :: 3.6","Programming Language :: Python :: 3.7","Programming Language :: Python :: 3.8","Programming Language :: Python :: Implementation :: CPython","Programming Language :: Python :: Implementation :: PyPy","Topic :: Software Development :: Build Tools"],"description_content_type":"","docs_url":null,"download_url":"","downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"https://pip.pypa.io/","keywords":"distutils easy_install egg setuptools wheel virtualenv","license":"MIT","maintainer":"","maintainer_email":"","name":"pip","package_url":"https://pypi.org/project/pip/","platform":"","project_url":"https://pypi.org/project/pip/","project_urls":{"Changelog":"https://pip.pypa.io/en/stable/news/","Documentation":"https://pip.pypa.io","Homepage":"https://pip.pypa.io/","Source":"https://github.com/pypa/pip"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/20.2.3/","requires_dist":null,"requires_python":">=2.7,!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*","summary":"The PyPA recommended tool for installing Python packages.","version":"20.2.3","yanked":false,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"4e5f528232275f6509b1fff703c9280e58951a81abe24640905de621c9f81839","md5":"88cdbd5444038d644afc0f6cdfbf66e2","sha256":"0f35d63b7245205f4060efe1982f5ea2196aa6e5b26c07669adcf800e2542026"},"downloads":-1,"filename":"pip-20.2.3-py2.py3-none-any.whl","has_sig":false,"md5_digest":"88cdbd5444038d644afc0f6cdfbf66e2","packagetype":"bdist_wheel","python_version":"py2.py3","requires_python":">=2.7,!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*","size":1503696,"upload_time":"2020-09-08T12:37:09","upload_time_iso_8601":"2020-09-08T12:37:09.684306Z","url":"https://files.pythonhosted.org/packages/4e/5f/528232275f6509b1fff703c9280e58951a81abe24640905de621c9f81839/pip-20.2.3-py2.py3-none-any.whl","yanked":false,"yanked_reason":null},{"comment_text":"","digests":{"blake2b_256":"59644718738ffbc22d98b5223dbd6c5bb87c476d83a4c71719402935170064c7","md5":"efd9dc5c7405452c72c0e3cd410a2018","sha256":"30c70b6179711a7c4cf76da89e8a0f5282279dfb0278bec7b94134be92543b6d"},"downloads":-1,"filename":"pip-20.2.3.tar.gz","has_sig":false,"md5_digest":"efd9dc5c7405452c72c0e3cd410a2018","packagetype":"sdist","python_version":"source","requires_python":">=2.7,!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*","size":1497161,"upload_time":"2020-09-08T12:37:12","upload_time_iso_8601":"2020-09-08T12:37:12.595269Z","url":"https://files.pythonhosted.org/packages/59/64/4718738ffbc22d98b5223dbd6c5bb87c476d83a4c71719402935170064c7/pip-20.2.3.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[{"aliases":["CVE-2021-3572","GHSA-5xp3-jfq3-5q8x"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"PYSEC-2021-437","link":"https://osv.dev/vulnerability/PYSEC-2021-437","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"GHSA-5xp3-jfq3-5q8x","link":"https://osv.dev/vulnerability/GHSA-5xp3-jfq3-5q8x","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the `hg clone` call (e.g. `--config`). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.","fixed_in":["23.3"],"id":"GHSA-mq26-g339-26xf","link":"https://osv.dev/vulnerability/GHSA-mq26-g339-26xf","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL  (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n","fixed_in":["23.3"],"id":"PYSEC-2023-228","link":"https://osv.dev/vulnerability/PYSEC-2023-228","source":"osv","summary":null,"withdrawn":null}]},"20.2.4":{"info":{"author":"The pip developers","author_email":"distutils-sig@python.org","bugtrack_url":null,"classifiers":["Development Status :: 5 - Production/Stable","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Programming Language :: Python","Programming Language :: Python :: 2","Programming Language :: Python :: 2.7","Programming Language :: Python :: 3","Programming Language :: Python :: 3.5","Programming Language :: Python :: 3.6","Programming Language :: Python :: 3.7","Programming Language :: Python :: 3.8","Programming Language :: Python :: Implementation :: CPython","Programming Language :: Python :: Implementation :: PyPy","Topic :: Software Development :: Build Tools"],"description_content_type":"","docs_url":null,"download_url":"","downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"https://pip.pypa.io/","keywords":"distutils easy_install egg setuptools wheel virtualenv","license":"MIT","maintainer":"","maintainer_email":"","name":"pip","package_url":"https://pypi.org/project/pip/","platform":"","project_url":"https://pypi.org/project/pip/","project_urls":{"Changelog":"https://pip.pypa.io/en/stable/news/","Documentation":"https://pip.pypa.io","Homepage":"https://pip.pypa.io/","Source":"https://github.com/pypa/pip"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/20.2.4/","requires_dist":null,"requires_python":">=2.7,!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*","summary":"The PyPA recommended tool for installing Python packages.","version":"20.2.4","yanked":false,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"cb2891f26bd088ce8e22169032100d4260614fc3da435025ff389ef1d396a433","md5":"dfab4b47f28cac56a13305386a4e926c","sha256":"51f1c7514530bd5c145d8f13ed936ad6b8bfcb8cf74e10403d0890bc986f0033"},"downloads":-1,"filename":"pip-20.2.4-py2.py3-none-any.whl","has_sig":false,"md5_digest":"dfab4b47f28cac56a13305386a4e926c","packagetype":"bdist_wheel","python_version":"py2.py3","requires_python":">=2.7,!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*","size":1504817,"upload_time":"2020-10-17T21:46:13","upload_time_iso_8601":"2020-10-17T21:46:13.586634Z","url":"https://files.pythonhosted.org/packages/cb/28/91f26bd088ce8e22169032100d4260614fc3da435025ff389ef1d396a433/pip-20.2.4-py2.py3-none-any.whl","yanked":false,"yanked_reason":null},{"comment_text":"","digests":{"blake2b_256":"0bf5be8e741434a4bf4ce5dbc235aa28ed0666178ea8986ddc10d035023744e6","md5":"ff2a91a3ad7206e5a65422c1c4b48655","sha256":"85c99a857ea0fb0aedf23833d9be5c40cf253fe24443f0829c7b472e23c364a1"},"downloads":-1,"filename":"pip-20.2.4.tar.gz","has_sig":false,"md5_digest":"ff2a91a3ad7206e5a65422c1c4b48655","packagetype":"sdist","python_version":"source","requires_python":">=2.7,!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*","size":1501159,"upload_time":"2020-10-17T21:46:24","upload_time_iso_8601":"2020-10-17T21:46:24.236510Z","url":"https://files.pythonhosted.org/packages/0b/f5/be8e741434a4bf4ce5dbc235aa28ed0666178ea8986ddc10d035023744e6/pip-20.2.4.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[{"aliases":["CVE-2021-3572","GHSA-5xp3-jfq3-5q8x"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"PYSEC-2021-437","link":"https://osv.dev/vulnerability/PYSEC-2021-437","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"GHSA-5xp3-jfq3-5q8x","link":"https://osv.dev/vulnerability/GHSA-5xp3-jfq3-5q8x","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the `hg clone` call (e.g. `--config`). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.","fixed_in":["23.3"],"id":"GHSA-mq26-g339-26xf","link":"https://osv.dev/vulnerability/GHSA-mq26-g339-26xf","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL  (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n","fixed_in":["23.3"],"id":"PYSEC-2023-228","link":"https://osv.dev/vulnerability/PYSEC-2023-228","source":"osv","summary":null,"withdrawn":null}]},"20.2b1":{"info":{"author":"The pip developers","author_email":"pypa-dev@groups.google.com","bugtrack_url":null,"classifiers":["Development Status :: 5 - Production/Stable","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Programming Language :: Python","Programming Language :: Python :: 2","Programming Language :: Python :: 2.7","Programming Language :: Python :: 3","Programming Language :: Python :: 3.5","Programming Language :: Python :: 3.6","Programming Language :: Python :: 3.7","Programming Language :: Python :: 3.8","Programming Language :: Python :: Implementation :: CPython","Programming Language :: Python :: Implementation :: PyPy","Topic :: Software Development :: Build Tools"],"description_content_type":"","docs_url":null,"download_url":"","downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"https://pip.pypa.io/","keywords":"distutils easy_install egg setuptools wheel virtualenv","license":"MIT","maintainer":"","maintainer_email":"","name":"pip","package_url":"https://pypi.org/project/pip/","platform":"","project_url":"https://pypi.org/project/pip/","project_urls":{"Changelog":"https://pip.pypa.io/en/stable/news/","Documentation":"https://pip.pypa.io","Homepage":"https://pip.pypa.io/","Source":"https://github.com/pypa/pip"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/20.2b1/","requires_dist":null,"requires_python":">=2.7,!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*","summary":"The PyPA recommended tool for installing Python packages.","version":"20.2b1","yanked":false,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"fe3b0fc5e63eb277d5a50a95ce5c896f742ef243be27382303a4a44dd0197e29","md5":"aaf1f1c716249591ec2ae986d1a6bbf6","sha256":"b4e230e2b8ece18c5a19b818f3c20a8d4eeac8172962779fd9898d7c4ceb1636"},"downloads":-1,"filename":"pip-20.2b1-py2.py3-none-any.whl","has_sig":false,"md5_digest":"aaf1f1c716249591ec2ae986d1a6bbf6","packagetype":"bdist_wheel","python_version":"py2.py3","requires_python":">=2.7,!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*","size":1503199,"upload_time":"2020-05-21T10:15:37","upload_time_iso_8601":"2020-05-21T10:15:37.149084Z","url":"https://files.pythonhosted.org/packages/fe/3b/0fc5e63eb277d5a50a95ce5c896f742ef243be27382303a4a44dd0197e29/pip-20.2b1-py2.py3-none-any.whl","yanked":false,"yanked_reason":null},{"comment_text":"","digests":{"blake2b_256":"773e6a1fd8e08a06e3e0f54182c7c937bba3f4e9cf1b26f54946d3915021ea2e","md5":"a77c9fa22439e3fe05a5ef506984d3be","sha256":"dbf65ecb1c30d35d72f5fda052fcd2f1ea9aca8eaf03d930846d990f51d3f6f6"},"downloads":-1,"filename":"pip-20.2b1.tar.gz","has_sig":false,"md5_digest":"a77c9fa22439e3fe05a5ef506984d3be","packagetype":"sdist","python_version":"source","requires_python":">=2.7,!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*","size":1486606,"upload_time":"2020-05-21T10:15:40","upload_time_iso_8601":"2020-05-21T10:15:40.021202Z","url":"https://files.pythonhosted.org/packages/77/3e/6a1fd8e08a06e3e0f54182c7c937bba3f4e9cf1b26f54946d3915021ea2e/pip-20.2b1.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[{"aliases":["CVE-2021-3572","GHSA-5xp3-jfq3-5q8x"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"PYSEC-2021-437","link":"https://osv.dev/vulnerability/PYSEC-2021-437","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"GHSA-5xp3-jfq3-5q8x","link":"https://osv.dev/vulnerability/GHSA-5xp3-jfq3-5q8x","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the `hg clone` call (e.g. `--config`). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.","fixed_in":["23.3"],"id":"GHSA-mq26-g339-26xf","link":"https://osv.dev/vulnerability/GHSA-mq26-g339-26xf","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL  (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n","fixed_in":["23.3"],"id":"PYSEC-2023-228","link":"https://osv.dev/vulnerability/PYSEC-2023-228","source":"osv","summary":null,"withdrawn":null}]},"20.3":{"info":{"author":"The pip developers","author_email":"distutils-sig@python.org","bugtrack_url":null,"classifiers":["Development Status :: 5 - Production/Stable","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Programming Language :: Python","Programming Language :: Python :: 2","Programming Language :: Python :: 2.7","Programming Language :: Python :: 3","Programming Language :: Python :: 3.5","Programming Language :: Python :: 3.6","Programming Language :: Python :: 3.7","Programming Language :: Python :: 3.8","Programming Language :: Python :: 3.9","Programming Language :: Python :: Implementation :: CPython","Programming Language :: Python :: Implementation :: PyPy","Topic :: Software Development :: Build Tools"],"description_content_type":"","docs_url":null,"download_url":"","downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"https://pip.pypa.io/","keywords":"distutils easy_install egg setuptools wheel virtualenv","license":"MIT","maintainer":"","maintainer_email":"","name":"pip","package_url":"https://pypi.org/project/pip/","platform":"","project_url":"https://pypi.org/project/pip/","project_urls":{"Changelog":"https://pip.pypa.io/en/stable/news/","Documentation":"https://pip.pypa.io","Homepage":"https://pip.pypa.io/","Source":"https://github.com/pypa/pip"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/20.3/","requires_dist":null,"requires_python":">=2.7,!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*","summary":"The PyPA recommended tool for installing Python packages.","version":"20.3","yanked":false,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"5573bce122d1ed0217b3c1a3439ab16dfa94bbeabd0d31755fcf907493abf39b","md5":"7bd234a9f850c132f36e1b2b8c159ca9","sha256":"3236fe7288d155c238bb6c85d3e784db3a8e592e827b83fea4d36d8b749ecc4b"},"downloads":-1,"filename":"pip-20.3-py2.py3-none-any.whl","has_sig":false,"md5_digest":"7bd234a9f850c132f36e1b2b8c159ca9","packagetype":"bdist_wheel","python_version":"py2.py3","requires_python":">=2.7,!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*","size":1518290,"upload_time":"2020-11-30T12:47:49","upload_time_iso_8601":"2020-11-30T12:47:49.797078Z","url":"https://files.pythonhosted.org/packages/55/73/bce122d1ed0217b3c1a3439ab16dfa94bbeabd0d31755fcf907493abf39b/pip-20.3-py2.py3-none-any.whl","yanked":false,"yanked_reason":null},{"comment_text":"","digests":{"blake2b_256":"03416da553f689d530bc2c337d2c496a40dc9c0fdc6481e5df1f3ee3b8574479","md5":"fdefb69d940cb5e464c44f8adb28175e","sha256":"9ae7ca6656eac22d2a9b49d024fc24e00f68f4c4d4db673d2d9b525c3dea6e0e"},"downloads":-1,"filename":"pip-20.3.tar.gz","has_sig":false,"md5_digest":"fdefb69d940cb5e464c44f8adb28175e","packagetype":"sdist","python_version":"source","requires_python":">=2.7,!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*","size":1526391,"upload_time":"2020-11-30T12:47:51","upload_time_iso_8601":"2020-11-30T12:47:51.521901Z","url":"https://files.pythonhosted.org/packages/03/41/6da553f689d530bc2c337d2c496a40dc9c0fdc6481e5df1f3ee3b8574479/pip-20.3.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[{"aliases":["CVE-2021-3572","GHSA-5xp3-jfq3-5q8x"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"PYSEC-2021-437","link":"https://osv.dev/vulnerability/PYSEC-2021-437","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"GHSA-5xp3-jfq3-5q8x","link":"https://osv.dev/vulnerability/GHSA-5xp3-jfq3-5q8x","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the `hg clone` call (e.g. `--config`). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.","fixed_in":["23.3"],"id":"GHSA-mq26-g339-26xf","link":"https://osv.dev/vulnerability/GHSA-mq26-g339-26xf","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL  (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n","fixed_in":["23.3"],"id":"PYSEC-2023-228","link":"https://osv.dev/vulnerability/PYSEC-2023-228","source":"osv","summary":null,"withdrawn":null}]},"20.3.1":{"info":{"author":"The pip developers","author_email":"distutils-sig@python.org","bugtrack_url":null,"classifiers":["Development Status :: 5 - Production/Stable","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Programming Language :: Python","Programming Language :: Python :: 2","Programming Language :: Python :: 2.7","Programming Language :: Python :: 3","Programming Language :: Python :: 3.5","Programming Language :: Python :: 3.6","Programming Language :: Python :: 3.7","Programming Language :: Python :: 3.8","Programming Language :: Python :: 3.9","Programming Language :: Python :: Implementation :: CPython","Programming Language :: Python :: Implementation :: PyPy","Topic :: Software Development :: Build Tools"],"description_content_type":"","docs_url":null,"download_url":"","downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"https://pip.pypa.io/","keywords":"distutils easy_install egg setuptools wheel virtualenv","license":"MIT","maintainer":"","maintainer_email":"","name":"pip","package_url":"https://pypi.org/project/pip/","platform":"","project_url":"https://pypi.org/project/pip/","project_urls":{"Changelog":"https://pip.pypa.io/en/stable/news/","Documentation":"https://pip.pypa.io","Homepage":"https://pip.pypa.io/","Source":"https://github.com/pypa/pip"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/20.3.1/","requires_dist":null,"requires_python":">=2.7,!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*","summary":"The PyPA recommended tool for installing Python packages.","version":"20.3.1","yanked":false,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"ab112dc62c5263d9eb322f2f028f7b56cd9d096bb8988fcf82d65fa2e4057afe","md5":"4604a07638b567aeab385d231a367f78","sha256":"425e79b20939abbffa7633a91151a882aedc77564d9313e3584eb0416c28c558"},"downloads":-1,"filename":"pip-20.3.1-py2.py3-none-any.whl","has_sig":false,"md5_digest":"4604a07638b567aeab385d231a367f78","packagetype":"bdist_wheel","python_version":"py2.py3","requires_python":">=2.7,!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*","size":1518513,"upload_time":"2020-12-03T09:17:03","upload_time_iso_8601":"2020-12-03T09:17:03.800630Z","url":"https://files.pythonhosted.org/packages/ab/11/2dc62c5263d9eb322f2f028f7b56cd9d096bb8988fcf82d65fa2e4057afe/pip-20.3.1-py2.py3-none-any.whl","yanked":false,"yanked_reason":null},{"comment_text":"","digests":{"blake2b_256":"cb5fae1eb8bda1cde4952bd12e468ab8a254c345a0189402bf1421457577f4f3","md5":"b4846caf68e1b55a618977e00c720db4","sha256":"43f7d3811f05db95809d39515a5111dd05994965d870178a4fe10d5482f9d2e2"},"downloads":-1,"filename":"pip-20.3.1.tar.gz","has_sig":false,"md5_digest":"b4846caf68e1b55a618977e00c720db4","packagetype":"sdist","python_version":"source","requires_python":">=2.7,!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*","size":1526593,"upload_time":"2020-12-03T09:17:10","upload_time_iso_8601":"2020-12-03T09:17:10.407725Z","url":"https://files.pythonhosted.org/packages/cb/5f/ae1eb8bda1cde4952bd12e468ab8a254c345a0189402bf1421457577f4f3/pip-20.3.1.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[{"aliases":["CVE-2021-3572","GHSA-5xp3-jfq3-5q8x"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"PYSEC-2021-437","link":"https://osv.dev/vulnerability/PYSEC-2021-437","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"GHSA-5xp3-jfq3-5q8x","link":"https://osv.dev/vulnerability/GHSA-5xp3-jfq3-5q8x","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the `hg clone` call (e.g. `--config`). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.","fixed_in":["23.3"],"id":"GHSA-mq26-g339-26xf","link":"https://osv.dev/vulnerability/GHSA-mq26-g339-26xf","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL  (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n","fixed_in":["23.3"],"id":"PYSEC-2023-228","link":"https://osv.dev/vulnerability/PYSEC-2023-228","source":"osv","summary":null,"withdrawn":null}]},"20.3.2":{"info":{"author":"The pip developers","author_email":"distutils-sig@python.org","bugtrack_url":null,"classifiers":["Development Status :: 5 - Production/Stable","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Programming Language :: Python","Programming Language :: Python :: 2","Programming Language :: Python :: 2.7","Programming Language :: Python :: 3","Programming Language :: Python :: 3.5","Programming Language :: Python :: 3.6","Programming Language :: Python :: 3.7","Programming Language :: Python :: 3.8","Programming Language :: Python :: 3.9","Programming Language :: Python :: Implementation :: CPython","Programming Language :: Python :: Implementation :: PyPy","Topic :: Software Development :: Build Tools"],"description_content_type":"","docs_url":null,"download_url":"","downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"https://pip.pypa.io/","keywords":"distutils easy_install egg setuptools wheel virtualenv","license":"MIT","maintainer":"","maintainer_email":"","name":"pip","package_url":"https://pypi.org/project/pip/","platform":"","project_url":"https://pypi.org/project/pip/","project_urls":{"Changelog":"https://pip.pypa.io/en/stable/news/","Documentation":"https://pip.pypa.io","Homepage":"https://pip.pypa.io/","Source":"https://github.com/pypa/pip"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/20.3.2/","requires_dist":null,"requires_python":">=2.7,!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*","summary":"The PyPA recommended tool for installing Python packages.","version":"20.3.2","yanked":true,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"3d0c01014c0442830eb38d6baef0932fdcb389279ce74295350ecb9fe09e048a","md5":"4722a0fb65b5df642bf45929fd314331","sha256":"8d779b6a85770bc5f624b5c8d4d922ea2e3cd9ce6ee92aa260f12a9f072477bc"},"downloads":-1,"filename":"pip-20.3.2-py2.py3-none-any.whl","has_sig":false,"md5_digest":"4722a0fb65b5df642bf45929fd314331","packagetype":"bdist_wheel","python_version":"py2.py3","requires_python":">=2.7,!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*","size":1521420,"upload_time":"2020-12-15T01:49:02","upload_time_iso_8601":"2020-12-15T01:49:02.628447Z","url":"https://files.pythonhosted.org/packages/3d/0c/01014c0442830eb38d6baef0932fdcb389279ce74295350ecb9fe09e048a/pip-20.3.2-py2.py3-none-any.whl","yanked":true,"yanked_reason":null},{"comment_text":"","digests":{"blake2b_256":"516386e147c44335b03055e58a27c791d94fff4baaf08d67852f925ab9b90240","md5":"77381a522ed7b2823e7bbcb7f5745527","sha256":"aa1516c1c8f6f634919cbd8a58fc81432b0fa96f421a97d05a205ee86b07c43d"},"downloads":-1,"filename":"pip-20.3.2.tar.gz","has_sig":false,"md5_digest":"77381a522ed7b2823e7bbcb7f5745527","packagetype":"sdist","python_version":"source","requires_python":">=2.7,!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*","size":1529758,"upload_time":"2020-12-15T01:49:05","upload_time_iso_8601":"2020-12-15T01:49:05.715649Z","url":"https://files.pythonhosted.org/packages/51/63/86e147c44335b03055e58a27c791d94fff4baaf08d67852f925ab9b90240/pip-20.3.2.tar.gz","yanked":true,"yanked_reason":null}],"vulnerabilities":[{"aliases":["CVE-2021-3572","GHSA-5xp3-jfq3-5q8x"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"PYSEC-2021-437","link":"https://osv.dev/vulnerability/PYSEC-2021-437","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"GHSA-5xp3-jfq3-5q8x","link":"https://osv.dev/vulnerability/GHSA-5xp3-jfq3-5q8x","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the `hg clone` call (e.g. `--config`). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.","fixed_in":["23.3"],"id":"GHSA-mq26-g339-26xf","link":"https://osv.dev/vulnerability/GHSA-mq26-g339-26xf","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL  (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n","fixed_in":["23.3"],"id":"PYSEC-2023-228","link":"https://osv.dev/vulnerability/PYSEC-2023-228","source":"osv","summary":null,"withdrawn":null}]},"20.3.3":{"info":{"author":"The pip developers","author_email":"distutils-sig@python.org","bugtrack_url":null,"classifiers":["Development Status :: 5 - Production/Stable","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Programming Language :: Python","Programming Language :: Python :: 2","Programming Language :: Python :: 2.7","Programming Language :: Python :: 3","Programming Language :: Python :: 3.5","Programming Language :: Python :: 3.6","Programming Language :: Python :: 3.7","Programming Language :: Python :: 3.8","Programming Language :: Python :: 3.9","Programming Language :: Python :: Implementation :: CPython","Programming Language :: Python :: Implementation :: PyPy","Topic :: Software Development :: Build Tools"],"description_content_type":"","docs_url":null,"download_url":"","downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"https://pip.pypa.io/","keywords":"distutils easy_install egg setuptools wheel virtualenv","license":"MIT","maintainer":"","maintainer_email":"","name":"pip","package_url":"https://pypi.org/project/pip/","platform":"","project_url":"https://pypi.org/project/pip/","project_urls":{"Changelog":"https://pip.pypa.io/en/stable/news/","Documentation":"https://pip.pypa.io","Homepage":"https://pip.pypa.io/","Source":"https://github.com/pypa/pip"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/20.3.3/","requires_dist":null,"requires_python":">=2.7,!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*","summary":"The PyPA recommended tool for installing Python packages.","version":"20.3.3","yanked":false,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"54eb4a3642e971f404d69d4f6fa3885559d67562801b99d7592487f1ecc4e017","md5":"b41d5f3a723ed4d330b7cb0dfb3eb6fe","sha256":"fab098c8a1758295dd9f57413c199f23571e8fde6cc39c22c78c961b4ac6286d"},"downloads":-1,"filename":"pip-20.3.3-py2.py3-none-any.whl","has_sig":false,"md5_digest":"b41d5f3a723ed4d330b7cb0dfb3eb6fe","packagetype":"bdist_wheel","python_version":"py2.py3","requires_python":">=2.7,!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*","size":1520905,"upload_time":"2020-12-15T15:44:25","upload_time_iso_8601":"2020-12-15T15:44:25.436666Z","url":"https://files.pythonhosted.org/packages/54/eb/4a3642e971f404d69d4f6fa3885559d67562801b99d7592487f1ecc4e017/pip-20.3.3-py2.py3-none-any.whl","yanked":false,"yanked_reason":null},{"comment_text":"","digests":{"blake2b_256":"ca1ed91d7aae44d00cd5001957a1473e4e4b7d1d0f072d1af7c34b5899c9ccdf","md5":"3d5d0639042c829bba411d3735267546","sha256":"79c1ac8a9dccbec8752761cb5a2df833224263ca661477a2a9ed03ddf4e0e3ba"},"downloads":-1,"filename":"pip-20.3.3.tar.gz","has_sig":false,"md5_digest":"3d5d0639042c829bba411d3735267546","packagetype":"sdist","python_version":"source","requires_python":">=2.7,!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*","size":1529320,"upload_time":"2020-12-15T15:44:33","upload_time_iso_8601":"2020-12-15T15:44:33.842085Z","url":"https://files.pythonhosted.org/packages/ca/1e/d91d7aae44d00cd5001957a1473e4e4b7d1d0f072d1af7c34b5899c9ccdf/pip-20.3.3.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[{"aliases":["CVE-2021-3572","GHSA-5xp3-jfq3-5q8x"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"PYSEC-2021-437","link":"https://osv.dev/vulnerability/PYSEC-2021-437","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"GHSA-5xp3-jfq3-5q8x","link":"https://osv.dev/vulnerability/GHSA-5xp3-jfq3-5q8x","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the `hg clone` call (e.g. `--config`). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.","fixed_in":["23.3"],"id":"GHSA-mq26-g339-26xf","link":"https://osv.dev/vulnerability/GHSA-mq26-g339-26xf","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL  (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n","fixed_in":["23.3"],"id":"PYSEC-2023-228","link":"https://osv.dev/vulnerability/PYSEC-2023-228","source":"osv","summary":null,"withdrawn":null}]},"20.3.4":{"info":{"author":"The pip developers","author_email":"distutils-sig@python.org","bugtrack_url":null,"classifiers":["Development Status :: 5 - Production/Stable","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Programming Language :: Python","Programming Language :: Python :: 2","Programming Language :: Python :: 2.7","Programming Language :: Python :: 3","Programming Language :: Python :: 3.5","Programming Language :: Python :: 3.6","Programming Language :: Python :: 3.7","Programming Language :: Python :: 3.8","Programming Language :: Python :: 3.9","Programming Language :: Python :: Implementation :: CPython","Programming Language :: Python :: Implementation :: PyPy","Topic :: Software Development :: Build Tools"],"description_content_type":"","docs_url":null,"download_url":"","downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"https://pip.pypa.io/","keywords":"distutils easy_install egg setuptools wheel virtualenv","license":"MIT","maintainer":"","maintainer_email":"","name":"pip","package_url":"https://pypi.org/project/pip/","platform":"","project_url":"https://pypi.org/project/pip/","project_urls":{"Changelog":"https://pip.pypa.io/en/stable/news/","Documentation":"https://pip.pypa.io","Homepage":"https://pip.pypa.io/","Source":"https://github.com/pypa/pip"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/20.3.4/","requires_dist":null,"requires_python":">=2.7,!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*","summary":"The PyPA recommended tool for installing Python packages.","version":"20.3.4","yanked":false,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"27798a850fe3496446ff0d584327ae44e7500daf6764ca1a382d2d02789accf7","md5":"428d963b355040908117fda68108ff5f","sha256":"217ae5161a0e08c0fb873858806e3478c9775caffce5168b50ec885e358c199d"},"downloads":-1,"filename":"pip-20.3.4-py2.py3-none-any.whl","has_sig":false,"md5_digest":"428d963b355040908117fda68108ff5f","packagetype":"bdist_wheel","python_version":"py2.py3","requires_python":">=2.7,!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*","size":1522101,"upload_time":"2021-01-23T12:58:09","upload_time_iso_8601":"2021-01-23T12:58:09.936803Z","url":"https://files.pythonhosted.org/packages/27/79/8a850fe3496446ff0d584327ae44e7500daf6764ca1a382d2d02789accf7/pip-20.3.4-py2.py3-none-any.whl","yanked":false,"yanked_reason":null},{"comment_text":"","digests":{"blake2b_256":"537f55721ad0501a9076dbc354cc8c63ffc2d6f1ef360f49ad0fbcce19d68538","md5":"577a375b66ec109e0ac6a4c4aa99bbd0","sha256":"6773934e5f5fc3eaa8c5a44949b5b924fc122daa0a8aa9f80c835b4ca2a543fc"},"downloads":-1,"filename":"pip-20.3.4.tar.gz","has_sig":false,"md5_digest":"577a375b66ec109e0ac6a4c4aa99bbd0","packagetype":"sdist","python_version":"source","requires_python":">=2.7,!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*","size":1530646,"upload_time":"2021-01-23T12:58:14","upload_time_iso_8601":"2021-01-23T12:58:14.013292Z","url":"https://files.pythonhosted.org/packages/53/7f/55721ad0501a9076dbc354cc8c63ffc2d6f1ef360f49ad0fbcce19d68538/pip-20.3.4.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[{"aliases":["CVE-2021-3572","GHSA-5xp3-jfq3-5q8x"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"PYSEC-2021-437","link":"https://osv.dev/vulnerability/PYSEC-2021-437","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"GHSA-5xp3-jfq3-5q8x","link":"https://osv.dev/vulnerability/GHSA-5xp3-jfq3-5q8x","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the `hg clone` call (e.g. `--config`). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.","fixed_in":["23.3"],"id":"GHSA-mq26-g339-26xf","link":"https://osv.dev/vulnerability/GHSA-mq26-g339-26xf","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL  (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n","fixed_in":["23.3"],"id":"PYSEC-2023-228","link":"https://osv.dev/vulnerability/PYSEC-2023-228","source":"osv","summary":null,"withdrawn":null}]},"20.3b1":{"info":{"author":"The pip developers","author_email":"distutils-sig@python.org","bugtrack_url":null,"classifiers":["Development Status :: 5 - Production/Stable","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Programming Language :: Python","Programming Language :: Python :: 2","Programming Language :: Python :: 2.7","Programming Language :: Python :: 3","Programming Language :: Python :: 3.5","Programming Language :: Python :: 3.6","Programming Language :: Python :: 3.7","Programming Language :: Python :: 3.8","Programming Language :: Python :: 3.9","Programming Language :: Python :: Implementation :: CPython","Programming Language :: Python :: Implementation :: PyPy","Topic :: Software Development :: Build Tools"],"description_content_type":"","docs_url":null,"download_url":"","downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"https://pip.pypa.io/","keywords":"distutils easy_install egg setuptools wheel virtualenv","license":"MIT","maintainer":"","maintainer_email":"","name":"pip","package_url":"https://pypi.org/project/pip/","platform":"","project_url":"https://pypi.org/project/pip/","project_urls":{"Changelog":"https://pip.pypa.io/en/stable/news/","Documentation":"https://pip.pypa.io","Homepage":"https://pip.pypa.io/","Source":"https://github.com/pypa/pip"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/20.3b1/","requires_dist":null,"requires_python":">=2.7,!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*","summary":"The PyPA recommended tool for installing Python packages.","version":"20.3b1","yanked":false,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"fb4626d13ba147ba430f9cda0d0cf599a041d142a5c8b1a90ff845ebce7fba0f","md5":"c521a6dd4a4629a8674767ac414b4d0e","sha256":"122fcd82deac1153c1699f29815bfab3f876e5bbe018cc2df1297f9802572a97"},"downloads":-1,"filename":"pip-20.3b1-py2.py3-none-any.whl","has_sig":false,"md5_digest":"c521a6dd4a4629a8674767ac414b4d0e","packagetype":"bdist_wheel","python_version":"py2.py3","requires_python":">=2.7,!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*","size":1507561,"upload_time":"2020-10-31T19:25:12","upload_time_iso_8601":"2020-10-31T19:25:12.450781Z","url":"https://files.pythonhosted.org/packages/fb/46/26d13ba147ba430f9cda0d0cf599a041d142a5c8b1a90ff845ebce7fba0f/pip-20.3b1-py2.py3-none-any.whl","yanked":false,"yanked_reason":null},{"comment_text":"","digests":{"blake2b_256":"7f612da3c027ad7bd4bc87a3ee7e7160c93e7500dac3536e02ff93008e9b3460","md5":"55e1d96cf40791ec6ff366a3dfcde052","sha256":"819c710a5c8d8c5e44695d03e51cb23b08c070e1ae6a5d6910a89e248e0ff29c"},"downloads":-1,"filename":"pip-20.3b1.tar.gz","has_sig":false,"md5_digest":"55e1d96cf40791ec6ff366a3dfcde052","packagetype":"sdist","python_version":"source","requires_python":">=2.7,!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*","size":1509954,"upload_time":"2020-10-31T19:25:14","upload_time_iso_8601":"2020-10-31T19:25:14.782770Z","url":"https://files.pythonhosted.org/packages/7f/61/2da3c027ad7bd4bc87a3ee7e7160c93e7500dac3536e02ff93008e9b3460/pip-20.3b1.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[{"aliases":["CVE-2021-3572","GHSA-5xp3-jfq3-5q8x"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"PYSEC-2021-437","link":"https://osv.dev/vulnerability/PYSEC-2021-437","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"GHSA-5xp3-jfq3-5q8x","link":"https://osv.dev/vulnerability/GHSA-5xp3-jfq3-5q8x","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the `hg clone` call (e.g. `--config`). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.","fixed_in":["23.3"],"id":"GHSA-mq26-g339-26xf","link":"https://osv.dev/vulnerability/GHSA-mq26-g339-26xf","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL  (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n","fixed_in":["23.3"],"id":"PYSEC-2023-228","link":"https://osv.dev/vulnerability/PYSEC-2023-228","source":"osv","summary":null,"withdrawn":null}]},"21.0":{"info":{"author":"The pip developers","author_email":"distutils-sig@python.org","bugtrack_url":null,"classifiers":["Development Status :: 5 - Production/Stable","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Programming Language :: Python","Programming Language :: Python :: 3","Programming Language :: Python :: 3 :: Only","Programming Language :: Python :: 3.6","Programming Language :: Python :: 3.7","Programming Language :: Python :: 3.8","Programming Language :: Python :: 3.9","Programming Language :: Python :: Implementation :: CPython","Programming Language :: Python :: Implementation :: PyPy","Topic :: Software Development :: Build Tools"],"description_content_type":"","docs_url":null,"download_url":"","downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"https://pip.pypa.io/","keywords":"distutils easy_install egg setuptools wheel virtualenv","license":"MIT","maintainer":"","maintainer_email":"","name":"pip","package_url":"https://pypi.org/project/pip/","platform":"","project_url":"https://pypi.org/project/pip/","project_urls":{"Changelog":"https://pip.pypa.io/en/stable/news/","Documentation":"https://pip.pypa.io","Homepage":"https://pip.pypa.io/","Source":"https://github.com/pypa/pip"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/21.0/","requires_dist":null,"requires_python":">=3.6","summary":"The PyPA recommended tool for installing Python packages.","version":"21.0","yanked":false,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"de4758b9f3e6f611dfd17fb8bd9ed3e6f93b7ee662fb85bdfee3565e8979ddf7","md5":"617d83434cc86611cb3ba15df4ce5b0f","sha256":"cf2410eedf8735fd842e0fecd4117ca79025d7fe7c161e32f8640ed6ebe5ecb9"},"downloads":-1,"filename":"pip-21.0-py3-none-any.whl","has_sig":false,"md5_digest":"617d83434cc86611cb3ba15df4ce5b0f","packagetype":"bdist_wheel","python_version":"py3","requires_python":">=3.6","size":1538043,"upload_time":"2021-01-23T14:45:47","upload_time_iso_8601":"2021-01-23T14:45:47.462636Z","url":"https://files.pythonhosted.org/packages/de/47/58b9f3e6f611dfd17fb8bd9ed3e6f93b7ee662fb85bdfee3565e8979ddf7/pip-21.0-py3-none-any.whl","yanked":false,"yanked_reason":null},{"comment_text":"","digests":{"blake2b_256":"9e24bc928987f35dd0167f21b13a1777c21b9c5917c9894cff93f1c1a6cb8f3b","md5":"f01b5510769f98158aabdeafa0d67f07","sha256":"b330cf6467afd5d15f4c1c56f5c95e56a2bfb941c869bed4c1aa517bcb16de25"},"downloads":-1,"filename":"pip-21.0.tar.gz","has_sig":false,"md5_digest":"f01b5510769f98158aabdeafa0d67f07","packagetype":"sdist","python_version":"source","requires_python":">=3.6","size":1548038,"upload_time":"2021-01-23T14:45:50","upload_time_iso_8601":"2021-01-23T14:45:50.781349Z","url":"https://files.pythonhosted.org/packages/9e/24/bc928987f35dd0167f21b13a1777c21b9c5917c9894cff93f1c1a6cb8f3b/pip-21.0.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[{"aliases":["CVE-2021-3572","GHSA-5xp3-jfq3-5q8x"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"PYSEC-2021-437","link":"https://osv.dev/vulnerability/PYSEC-2021-437","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"GHSA-5xp3-jfq3-5q8x","link":"https://osv.dev/vulnerability/GHSA-5xp3-jfq3-5q8x","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the `hg clone` call (e.g. `--config`). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.","fixed_in":["23.3"],"id":"GHSA-mq26-g339-26xf","link":"https://osv.dev/vulnerability/GHSA-mq26-g339-26xf","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL  (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n","fixed_in":["23.3"],"id":"PYSEC-2023-228","link":"https://osv.dev/vulnerability/PYSEC-2023-228","source":"osv","summary":null,"withdrawn":null}]},"21.0.1":{"info":{"author":"The pip developers","author_email":"distutils-sig@python.org","bugtrack_url":null,"classifiers":["Development Status :: 5 - Production/Stable","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Programming Language :: Python","Programming Language :: Python :: 3","Programming Language :: Python :: 3 :: Only","Programming Language :: Python :: 3.6","Programming Language :: Python :: 3.7","Programming Language :: Python :: 3.8","Programming Language :: Python :: 3.9","Programming Language :: Python :: Implementation :: CPython","Programming Language :: Python :: Implementation :: PyPy","Topic :: Software Development :: Build Tools"],"description_content_type":"","docs_url":null,"download_url":"","downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"https://pip.pypa.io/","keywords":"distutils easy_install egg setuptools wheel virtualenv","license":"MIT","maintainer":"","maintainer_email":"","name":"pip","package_url":"https://pypi.org/project/pip/","platform":"","project_url":"https://pypi.org/project/pip/","project_urls":{"Changelog":"https://pip.pypa.io/en/stable/news/","Documentation":"https://pip.pypa.io","Homepage":"https://pip.pypa.io/","Source":"https://github.com/pypa/pip"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/21.0.1/","requires_dist":null,"requires_python":">=3.6","summary":"The PyPA recommended tool for installing Python packages.","version":"21.0.1","yanked":false,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"feef60d7ba03b5c442309ef42e7d69959f73aacccd0d86008362a681c4698e83","md5":"e6e25dc3ecf3bab199b5ba1f14e81474","sha256":"37fd50e056e2aed635dec96594606f0286640489b0db0ce7607f7e51890372d5"},"downloads":-1,"filename":"pip-21.0.1-py3-none-any.whl","has_sig":false,"md5_digest":"e6e25dc3ecf3bab199b5ba1f14e81474","packagetype":"bdist_wheel","python_version":"py3","requires_python":">=3.6","size":1539184,"upload_time":"2021-01-30T12:54:11","upload_time_iso_8601":"2021-01-30T12:54:11.777084Z","url":"https://files.pythonhosted.org/packages/fe/ef/60d7ba03b5c442309ef42e7d69959f73aacccd0d86008362a681c4698e83/pip-21.0.1-py3-none-any.whl","yanked":false,"yanked_reason":null},{"comment_text":"","digests":{"blake2b_256":"b72dad02de84a4c9fd3b1958dc9fb72764de1aa2605a9d7e943837be6ad82337","md5":"246523bd34dd356e7506adf54d206b12","sha256":"99bbde183ec5ec037318e774b0d8ae0a64352fe53b2c7fd630be1d07e94f41e5"},"downloads":-1,"filename":"pip-21.0.1.tar.gz","has_sig":false,"md5_digest":"246523bd34dd356e7506adf54d206b12","packagetype":"sdist","python_version":"source","requires_python":">=3.6","size":1549057,"upload_time":"2021-01-30T12:54:14","upload_time_iso_8601":"2021-01-30T12:54:14.269781Z","url":"https://files.pythonhosted.org/packages/b7/2d/ad02de84a4c9fd3b1958dc9fb72764de1aa2605a9d7e943837be6ad82337/pip-21.0.1.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[{"aliases":["CVE-2021-3572","GHSA-5xp3-jfq3-5q8x"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"PYSEC-2021-437","link":"https://osv.dev/vulnerability/PYSEC-2021-437","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"GHSA-5xp3-jfq3-5q8x","link":"https://osv.dev/vulnerability/GHSA-5xp3-jfq3-5q8x","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the `hg clone` call (e.g. `--config`). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.","fixed_in":["23.3"],"id":"GHSA-mq26-g339-26xf","link":"https://osv.dev/vulnerability/GHSA-mq26-g339-26xf","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL  (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n","fixed_in":["23.3"],"id":"PYSEC-2023-228","link":"https://osv.dev/vulnerability/PYSEC-2023-228","source":"osv","summary":null,"withdrawn":null}]},"21.1":{"info":{"author":"The pip developers","author_email":"distutils-sig@python.org","bugtrack_url":null,"classifiers":["Development Status :: 5 - Production/Stable","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Programming Language :: Python","Programming Language :: Python :: 3","Programming Language :: Python :: 3 :: Only","Programming Language :: Python :: 3.6","Programming Language :: Python :: 3.7","Programming Language :: Python :: 3.8","Programming Language :: Python :: 3.9","Programming Language :: Python :: Implementation :: CPython","Programming Language :: Python :: Implementation :: PyPy","Topic :: Software Development :: Build Tools"],"description_content_type":"","docs_url":null,"download_url":"","downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"https://pip.pypa.io/","keywords":"","license":"MIT","maintainer":"","maintainer_email":"","name":"pip","package_url":"https://pypi.org/project/pip/","platform":"","project_url":"https://pypi.org/project/pip/","project_urls":{"Changelog":"https://pip.pypa.io/en/stable/news/","Documentation":"https://pip.pypa.io","Homepage":"https://pip.pypa.io/","Source":"https://github.com/pypa/pip"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/21.1/","requires_dist":null,"requires_python":">=3.6","summary":"The PyPA recommended tool for installing Python packages.","version":"21.1","yanked":false,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"accf0cc542fc93de2f3b9b53cb979c7d1118cffb93204afb46299a9f858e113f","md5":"b10733ecf42c8c0992e5a50435928b00","sha256":"ea9f2668484893e90149fd5a6124e04651ffedd67203a8aaf030d31406b937a4"},"downloads":-1,"filename":"pip-21.1-py3-none-any.whl","has_sig":false,"md5_digest":"b10733ecf42c8c0992e5a50435928b00","packagetype":"bdist_wheel","python_version":"py3","requires_python":">=3.6","size":1547115,"upload_time":"2021-04-24T12:58:11","upload_time_iso_8601":"2021-04-24T12:58:11.070033Z","url":"https://files.pythonhosted.org/packages/ac/cf/0cc542fc93de2f3b9b53cb979c7d1118cffb93204afb46299a9f858e113f/pip-21.1-py3-none-any.whl","yanked":false,"yanked_reason":null},{"comment_text":"","digests":{"blake2b_256":"de6277b8b1a9f9c710988e5a58c22a7cd025b63b204df57a6ea939d6d39da421","md5":"8b17e56226c7a308919cb200777f5230","sha256":"a810bf07c3723a28621c29abe8e34429fa082c337f89aea9a795865416b66d3e"},"downloads":-1,"filename":"pip-21.1.tar.gz","has_sig":false,"md5_digest":"8b17e56226c7a308919cb200777f5230","packagetype":"sdist","python_version":"source","requires_python":">=3.6","size":1552101,"upload_time":"2021-04-24T12:58:13","upload_time_iso_8601":"2021-04-24T12:58:13.357715Z","url":"https://files.pythonhosted.org/packages/de/62/77b8b1a9f9c710988e5a58c22a7cd025b63b204df57a6ea939d6d39da421/pip-21.1.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the `hg clone` call (e.g. `--config`). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.","fixed_in":["23.3"],"id":"GHSA-mq26-g339-26xf","link":"https://osv.dev/vulnerability/GHSA-mq26-g339-26xf","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL  (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n","fixed_in":["23.3"],"id":"PYSEC-2023-228","link":"https://osv.dev/vulnerability/PYSEC-2023-228","source":"osv","summary":null,"withdrawn":null}]},"21.1.1":{"info":{"author":"The pip developers","author_email":"distutils-sig@python.org","bugtrack_url":null,"classifiers":["Development Status :: 5 - Production/Stable","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Programming Language :: Python","Programming Language :: Python :: 3","Programming Language :: Python :: 3 :: Only","Programming Language :: Python :: 3.6","Programming Language :: Python :: 3.7","Programming Language :: Python :: 3.8","Programming Language :: Python :: 3.9","Programming Language :: Python :: Implementation :: CPython","Programming Language :: Python :: Implementation :: PyPy","Topic :: Software Development :: Build Tools"],"description_content_type":"","docs_url":null,"download_url":"","downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"https://pip.pypa.io/","keywords":"","license":"MIT","maintainer":"","maintainer_email":"","name":"pip","package_url":"https://pypi.org/project/pip/","platform":"","project_url":"https://pypi.org/project/pip/","project_urls":{"Changelog":"https://pip.pypa.io/en/stable/news/","Documentation":"https://pip.pypa.io","Homepage":"https://pip.pypa.io/","Source":"https://github.com/pypa/pip"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/21.1.1/","requires_dist":null,"requires_python":">=3.6","summary":"The PyPA recommended tool for installing Python packages.","version":"21.1.1","yanked":false,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"cd6f43037c7bcc8bd8ba7c9074256b1a11596daa15555808ec748048c1507f08","md5":"a2022c03bcf15e875a5b089c87a73898","sha256":"11d095ed5c15265fc5c15cc40a45188675c239fb0f9913b673a33e54ff7d45f0"},"downloads":-1,"filename":"pip-21.1.1-py3-none-any.whl","has_sig":false,"md5_digest":"a2022c03bcf15e875a5b089c87a73898","packagetype":"bdist_wheel","python_version":"py3","requires_python":">=3.6","size":1547644,"upload_time":"2021-04-30T19:05:20","upload_time_iso_8601":"2021-04-30T19:05:20.532224Z","url":"https://files.pythonhosted.org/packages/cd/6f/43037c7bcc8bd8ba7c9074256b1a11596daa15555808ec748048c1507f08/pip-21.1.1-py3-none-any.whl","yanked":false,"yanked_reason":null},{"comment_text":"","digests":{"blake2b_256":"94b0e10bdc8809c81796c80aa3644a8e3dc16594fb1bd68f5996929f26cad980","md5":"7fe80e6b3f94b5350284ed536d5b3a23","sha256":"51ad01ddcd8de923533b01a870e7b987c2eb4d83b50b89e1bf102723ff9fed8b"},"downloads":-1,"filename":"pip-21.1.1.tar.gz","has_sig":false,"md5_digest":"7fe80e6b3f94b5350284ed536d5b3a23","packagetype":"sdist","python_version":"source","requires_python":">=3.6","size":1552786,"upload_time":"2021-04-30T19:05:23","upload_time_iso_8601":"2021-04-30T19:05:23.874136Z","url":"https://files.pythonhosted.org/packages/94/b0/e10bdc8809c81796c80aa3644a8e3dc16594fb1bd68f5996929f26cad980/pip-21.1.1.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the `hg clone` call (e.g. `--config`). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.","fixed_in":["23.3"],"id":"GHSA-mq26-g339-26xf","link":"https://osv.dev/vulnerability/GHSA-mq26-g339-26xf","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL  (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n","fixed_in":["23.3"],"id":"PYSEC-2023-228","link":"https://osv.dev/vulnerability/PYSEC-2023-228","source":"osv","summary":null,"withdrawn":null}]},"21.1.2":{"info":{"author":"The pip developers","author_email":"distutils-sig@python.org","bugtrack_url":null,"classifiers":["Development Status :: 5 - Production/Stable","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Programming Language :: Python","Programming Language :: Python :: 3","Programming Language :: Python :: 3 :: Only","Programming Language :: Python :: 3.6","Programming Language :: Python :: 3.7","Programming Language :: Python :: 3.8","Programming Language :: Python :: 3.9","Programming Language :: Python :: Implementation :: CPython","Programming Language :: Python :: Implementation :: PyPy","Topic :: Software Development :: Build Tools"],"description_content_type":"","docs_url":null,"download_url":"","downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"https://pip.pypa.io/","keywords":"","license":"MIT","maintainer":"","maintainer_email":"","name":"pip","package_url":"https://pypi.org/project/pip/","platform":"","project_url":"https://pypi.org/project/pip/","project_urls":{"Changelog":"https://pip.pypa.io/en/stable/news/","Documentation":"https://pip.pypa.io","Homepage":"https://pip.pypa.io/","Source":"https://github.com/pypa/pip"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/21.1.2/","requires_dist":null,"requires_python":">=3.6","summary":"The PyPA recommended tool for installing Python packages.","version":"21.1.2","yanked":false,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"cd8204e9aaf603fdbaecb4323b9e723f13c92c245f6ab2902195c53987848c78","md5":"a35a9fe4293842adaa5151b97c6857e8","sha256":"f8ea1baa693b61c8ad1c1d8715e59ab2b93cd3c4769bacab84afcc4279e7a70e"},"downloads":-1,"filename":"pip-21.1.2-py3-none-any.whl","has_sig":false,"md5_digest":"a35a9fe4293842adaa5151b97c6857e8","packagetype":"bdist_wheel","python_version":"py3","requires_python":">=3.6","size":1547997,"upload_time":"2021-05-23T09:52:07","upload_time_iso_8601":"2021-05-23T09:52:07.156594Z","url":"https://files.pythonhosted.org/packages/cd/82/04e9aaf603fdbaecb4323b9e723f13c92c245f6ab2902195c53987848c78/pip-21.1.2-py3-none-any.whl","yanked":false,"yanked_reason":null},{"comment_text":"","digests":{"blake2b_256":"b1446e26d5296b83c6aac166e48470d57a00d3ed1f642e89adc4a4e412a01643","md5":"a867fd51eacfd5293f5b7e0c2e7867a7","sha256":"eb5df6b9ab0af50fe1098a52fd439b04730b6e066887ff7497357b9ebd19f79b"},"downloads":-1,"filename":"pip-21.1.2.tar.gz","has_sig":false,"md5_digest":"a867fd51eacfd5293f5b7e0c2e7867a7","packagetype":"sdist","python_version":"source","requires_python":">=3.6","size":1553376,"upload_time":"2021-05-23T09:52:09","upload_time_iso_8601":"2021-05-23T09:52:09.323049Z","url":"https://files.pythonhosted.org/packages/b1/44/6e26d5296b83c6aac166e48470d57a00d3ed1f642e89adc4a4e412a01643/pip-21.1.2.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the `hg clone` call (e.g. `--config`). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.","fixed_in":["23.3"],"id":"GHSA-mq26-g339-26xf","link":"https://osv.dev/vulnerability/GHSA-mq26-g339-26xf","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL  (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n","fixed_in":["23.3"],"id":"PYSEC-2023-228","link":"https://osv.dev/vulnerability/PYSEC-2023-228","source":"osv","summary":null,"withdrawn":null}]},"21.1.3":{"info":{"author":"The pip developers","author_email":"distutils-sig@python.org","bugtrack_url":null,"classifiers":["Development Status :: 5 - Production/Stable","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Programming Language :: Python","Programming Language :: Python :: 3","Programming Language :: Python :: 3 :: Only","Programming Language :: Python :: 3.6","Programming Language :: Python :: 3.7","Programming Language :: Python :: 3.8","Programming Language :: Python :: 3.9","Programming Language :: Python :: Implementation :: CPython","Programming Language :: Python :: Implementation :: PyPy","Topic :: Software Development :: Build Tools"],"description_content_type":"","docs_url":null,"download_url":"","downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"https://pip.pypa.io/","keywords":"","license":"MIT","maintainer":"","maintainer_email":"","name":"pip","package_url":"https://pypi.org/project/pip/","platform":"","project_url":"https://pypi.org/project/pip/","project_urls":{"Changelog":"https://pip.pypa.io/en/stable/news/","Documentation":"https://pip.pypa.io","Homepage":"https://pip.pypa.io/","Source":"https://github.com/pypa/pip"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/21.1.3/","requires_dist":null,"requires_python":">=3.6","summary":"The PyPA recommended tool for installing Python packages.","version":"21.1.3","yanked":false,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"47caf0d790b6e18b3a6f3bd5e80c2ee4edbb5807286c21cdd0862ca933f751dd","md5":"388542c29ddc5429f002b979332aa84f","sha256":"78cb760711fedc073246543801c84dc5377affead832e103ad0211f99303a204"},"downloads":-1,"filename":"pip-21.1.3-py3-none-any.whl","has_sig":false,"md5_digest":"388542c29ddc5429f002b979332aa84f","packagetype":"bdist_wheel","python_version":"py3","requires_python":">=3.6","size":1548027,"upload_time":"2021-06-26T09:04:01","upload_time_iso_8601":"2021-06-26T09:04:01.342020Z","url":"https://files.pythonhosted.org/packages/47/ca/f0d790b6e18b3a6f3bd5e80c2ee4edbb5807286c21cdd0862ca933f751dd/pip-21.1.3-py3-none-any.whl","yanked":false,"yanked_reason":null},{"comment_text":"","digests":{"blake2b_256":"4d0c3b63fe024414a8a48661cf04f0993d4b2b8ef92daed45636474c018cd5b7","md5":"e459d41a10ce33688b5d389216a8876f","sha256":"b5b1eb91b36894bd01b8e5a56a422c2f3838573da0b0a1c63a096bb454e3b23f"},"downloads":-1,"filename":"pip-21.1.3.tar.gz","has_sig":false,"md5_digest":"e459d41a10ce33688b5d389216a8876f","packagetype":"sdist","python_version":"source","requires_python":">=3.6","size":1553596,"upload_time":"2021-06-26T09:04:04","upload_time_iso_8601":"2021-06-26T09:04:04.425758Z","url":"https://files.pythonhosted.org/packages/4d/0c/3b63fe024414a8a48661cf04f0993d4b2b8ef92daed45636474c018cd5b7/pip-21.1.3.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the `hg clone` call (e.g. `--config`). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.","fixed_in":["23.3"],"id":"GHSA-mq26-g339-26xf","link":"https://osv.dev/vulnerability/GHSA-mq26-g339-26xf","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL  (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n","fixed_in":["23.3"],"id":"PYSEC-2023-228","link":"https://osv.dev/vulnerability/PYSEC-2023-228","source":"osv","summary":null,"withdrawn":null}]},"21.2":{"info":{"author":"The pip developers","author_email":"distutils-sig@python.org","bugtrack_url":null,"classifiers":["Development Status :: 5 - Production/Stable","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Programming Language :: Python","Programming Language :: Python :: 3","Programming Language :: Python :: 3 :: Only","Programming Language :: Python :: 3.6","Programming Language :: Python :: 3.7","Programming Language :: Python :: 3.8","Programming Language :: Python :: 3.9","Programming Language :: Python :: Implementation :: CPython","Programming Language :: Python :: Implementation :: PyPy","Topic :: Software Development :: Build Tools"],"description_content_type":"","docs_url":null,"download_url":"","downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"https://pip.pypa.io/","keywords":"","license":"MIT","maintainer":"","maintainer_email":"","name":"pip","package_url":"https://pypi.org/project/pip/","platform":"","project_url":"https://pypi.org/project/pip/","project_urls":{"Changelog":"https://pip.pypa.io/en/stable/news/","Documentation":"https://pip.pypa.io","Homepage":"https://pip.pypa.io/","Source":"https://github.com/pypa/pip"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/21.2/","requires_dist":null,"requires_python":">=3.6","summary":"The PyPA recommended tool for installing Python packages.","version":"21.2","yanked":true,"yanked_reason":"See https://github.com/pypa/pip/issues/8711"},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"030fb125bfdd145c1d018d75ce87603e7e9ff2416e742c71b5ac7deba13ca699","md5":"c085c469174f3471b468de62eb11db60","sha256":"71f447dff669d8e2f72b880e3d7ddea2c85cfeba0d14f3307f66fc40ff755176"},"downloads":-1,"filename":"pip-21.2-py3-none-any.whl","has_sig":false,"md5_digest":"c085c469174f3471b468de62eb11db60","packagetype":"bdist_wheel","python_version":"py3","requires_python":">=3.6","size":1551108,"upload_time":"2021-07-24T13:59:31","upload_time_iso_8601":"2021-07-24T13:59:31.798626Z","url":"https://files.pythonhosted.org/packages/03/0f/b125bfdd145c1d018d75ce87603e7e9ff2416e742c71b5ac7deba13ca699/pip-21.2-py3-none-any.whl","yanked":true,"yanked_reason":"See https://github.com/pypa/pip/issues/8711"},{"comment_text":"","digests":{"blake2b_256":"9f740e4d75529e8bf6e594d532a28308a5e369c3f7105e1fec2ff0bf86d478b0","md5":"a8447970cbdb6532b1d3880cc37d024f","sha256":"9254a86b6ff4409f9a6077a93f9b6d27f5d81192a94b8fc94d55ffb763a72c8b"},"downloads":-1,"filename":"pip-21.2.tar.gz","has_sig":false,"md5_digest":"a8447970cbdb6532b1d3880cc37d024f","packagetype":"sdist","python_version":"source","requires_python":">=3.6","size":1559742,"upload_time":"2021-07-24T13:59:35","upload_time_iso_8601":"2021-07-24T13:59:35.284995Z","url":"https://files.pythonhosted.org/packages/9f/74/0e4d75529e8bf6e594d532a28308a5e369c3f7105e1fec2ff0bf86d478b0/pip-21.2.tar.gz","yanked":true,"yanked_reason":"See https://github.com/pypa/pip/issues/8711"}],"vulnerabilities":[{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the `hg clone` call (e.g. `--config`). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.","fixed_in":["23.3"],"id":"GHSA-mq26-g339-26xf","link":"https://osv.dev/vulnerability/GHSA-mq26-g339-26xf","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL  (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n","fixed_in":["23.3"],"id":"PYSEC-2023-228","link":"https://osv.dev/vulnerability/PYSEC-2023-228","source":"osv","summary":null,"withdrawn":null}]},"21.2.1":{"info":{"author":"The pip developers","author_email":"distutils-sig@python.org","bugtrack_url":null,"classifiers":["Development Status :: 5 - Production/Stable","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Programming Language :: Python","Programming Language :: Python :: 3","Programming Language :: Python :: 3 :: Only","Programming Language :: Python :: 3.6","Programming Language :: Python :: 3.7","Programming Language :: Python :: 3.8","Programming Language :: Python :: 3.9","Programming Language :: Python :: Implementation :: CPython","Programming Language :: Python :: Implementation :: PyPy","Topic :: Software Development :: Build Tools"],"description_content_type":"","docs_url":null,"download_url":"","downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"https://pip.pypa.io/","keywords":"","license":"MIT","maintainer":"","maintainer_email":"","name":"pip","package_url":"https://pypi.org/project/pip/","platform":"","project_url":"https://pypi.org/project/pip/","project_urls":{"Changelog":"https://pip.pypa.io/en/stable/news/","Documentation":"https://pip.pypa.io","Homepage":"https://pip.pypa.io/","Source":"https://github.com/pypa/pip"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/21.2.1/","requires_dist":null,"requires_python":">=3.6","summary":"The PyPA recommended tool for installing Python packages.","version":"21.2.1","yanked":false,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"7c029ab8b431aca1b46fcc1ac830a5870a28a12ba1abfa681904b1d2da876a86","md5":"b777360732d1cdcd673a47cd7a59ece9","sha256":"da0ac9d9032d1d7bac69e9e301778f77b8b6626b85203f99edd2b545434d90a7"},"downloads":-1,"filename":"pip-21.2.1-py3-none-any.whl","has_sig":false,"md5_digest":"b777360732d1cdcd673a47cd7a59ece9","packagetype":"bdist_wheel","python_version":"py3","requires_python":">=3.6","size":1551134,"upload_time":"2021-07-25T04:55:59","upload_time_iso_8601":"2021-07-25T04:55:59.516587Z","url":"https://files.pythonhosted.org/packages/7c/02/9ab8b431aca1b46fcc1ac830a5870a28a12ba1abfa681904b1d2da876a86/pip-21.2.1-py3-none-any.whl","yanked":false,"yanked_reason":null},{"comment_text":"","digests":{"blake2b_256":"f7cee359cf283c0c0f2e0af7df8f16c8d79047aa1887a00a5b39b27d8afc49e2","md5":"12e57107c6995f4c823e6425157a16ae","sha256":"303a82aaa24cdc01f7ebbd1afc7d1b871a4aa0a88bb5bedef1fa86a3ee44ca0a"},"downloads":-1,"filename":"pip-21.2.1.tar.gz","has_sig":false,"md5_digest":"12e57107c6995f4c823e6425157a16ae","packagetype":"sdist","python_version":"source","requires_python":">=3.6","size":1560073,"upload_time":"2021-07-25T04:56:01","upload_time_iso_8601":"2021-07-25T04:56:01.888018Z","url":"https://files.pythonhosted.org/packages/f7/ce/e359cf283c0c0f2e0af7df8f16c8d79047aa1887a00a5b39b27d8afc49e2/pip-21.2.1.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the `hg clone` call (e.g. `--config`). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.","fixed_in":["23.3"],"id":"GHSA-mq26-g339-26xf","link":"https://osv.dev/vulnerability/GHSA-mq26-g339-26xf","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL  (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n","fixed_in":["23.3"],"id":"PYSEC-2023-228","link":"https://osv.dev/vulnerability/PYSEC-2023-228","source":"osv","summary":null,"withdrawn":null}]},"21.2.2":{"info":{"author":"The pip developers","author_email":"distutils-sig@python.org","bugtrack_url":null,"classifiers":["Development Status :: 5 - Production/Stable","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Programming Language :: Python","Programming Language :: Python :: 3","Programming Language :: Python :: 3 :: Only","Programming Language :: Python :: 3.6","Programming Language :: Python :: 3.7","Programming Language :: Python :: 3.8","Programming Language :: Python :: 3.9","Programming Language :: Python :: Implementation :: CPython","Programming Language :: Python :: Implementation :: PyPy","Topic :: Software Development :: Build Tools"],"description_content_type":"","docs_url":null,"download_url":"","downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"https://pip.pypa.io/","keywords":"","license":"MIT","maintainer":"","maintainer_email":"","name":"pip","package_url":"https://pypi.org/project/pip/","platform":"","project_url":"https://pypi.org/project/pip/","project_urls":{"Changelog":"https://pip.pypa.io/en/stable/news/","Documentation":"https://pip.pypa.io","Homepage":"https://pip.pypa.io/","Source":"https://github.com/pypa/pip"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/21.2.2/","requires_dist":null,"requires_python":">=3.6","summary":"The PyPA recommended tool for installing Python packages.","version":"21.2.2","yanked":false,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"8ad7f505e91e2cdea53cfcf51f4ac478a8cd64fb0bc1042629cedde20d9a6a9b","md5":"c2b258176e42f839a5a5559f089305fb","sha256":"b02a9d345f913e03fde2ed41896687cc1a2053c6adbe142ec03cff6b0827233d"},"downloads":-1,"filename":"pip-21.2.2-py3-none-any.whl","has_sig":false,"md5_digest":"c2b258176e42f839a5a5559f089305fb","packagetype":"bdist_wheel","python_version":"py3","requires_python":">=3.6","size":1562517,"upload_time":"2021-07-31T07:56:27","upload_time_iso_8601":"2021-07-31T07:56:27.635721Z","url":"https://files.pythonhosted.org/packages/8a/d7/f505e91e2cdea53cfcf51f4ac478a8cd64fb0bc1042629cedde20d9a6a9b/pip-21.2.2-py3-none-any.whl","yanked":false,"yanked_reason":null},{"comment_text":"","digests":{"blake2b_256":"83373f344e392de7792748ee32e05d7dd6f867eb2166c21c8711280fb30e2128","md5":"d57e7347f18758e3d0a34118ca2a01c7","sha256":"38e9250dfb0d7fa842492bede9259d4b3289a936ce454f7c58f059f28a94c01d"},"downloads":-1,"filename":"pip-21.2.2.tar.gz","has_sig":false,"md5_digest":"d57e7347f18758e3d0a34118ca2a01c7","packagetype":"sdist","python_version":"source","requires_python":">=3.6","size":1571234,"upload_time":"2021-07-31T07:56:30","upload_time_iso_8601":"2021-07-31T07:56:30.533132Z","url":"https://files.pythonhosted.org/packages/83/37/3f344e392de7792748ee32e05d7dd6f867eb2166c21c8711280fb30e2128/pip-21.2.2.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the `hg clone` call (e.g. `--config`). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.","fixed_in":["23.3"],"id":"GHSA-mq26-g339-26xf","link":"https://osv.dev/vulnerability/GHSA-mq26-g339-26xf","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL  (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n","fixed_in":["23.3"],"id":"PYSEC-2023-228","link":"https://osv.dev/vulnerability/PYSEC-2023-228","source":"osv","summary":null,"withdrawn":null}]},"21.2.3":{"info":{"author":"The pip developers","author_email":"distutils-sig@python.org","bugtrack_url":null,"classifiers":["Development Status :: 5 - Production/Stable","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Programming Language :: Python","Programming Language :: Python :: 3","Programming Language :: Python :: 3 :: Only","Programming Language :: Python :: 3.6","Programming Language :: Python :: 3.7","Programming Language :: Python :: 3.8","Programming Language :: Python :: 3.9","Programming Language :: Python :: Implementation :: CPython","Programming Language :: Python :: Implementation :: PyPy","Topic :: Software Development :: Build Tools"],"description_content_type":"","docs_url":null,"download_url":"","downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"https://pip.pypa.io/","keywords":"","license":"MIT","maintainer":"","maintainer_email":"","name":"pip","package_url":"https://pypi.org/project/pip/","platform":"","project_url":"https://pypi.org/project/pip/","project_urls":{"Changelog":"https://pip.pypa.io/en/stable/news/","Documentation":"https://pip.pypa.io","Homepage":"https://pip.pypa.io/","Source":"https://github.com/pypa/pip"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/21.2.3/","requires_dist":null,"requires_python":">=3.6","summary":"The PyPA recommended tool for installing Python packages.","version":"21.2.3","yanked":false,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"cabf4133a0e05eac641ec270bbcef30512b5ad307d7838adb994acd652cc30e3","md5":"63bcf4a3ac3ced9e569b17126213beb1","sha256":"895df6014c2f02f9d278a8ad6e31cdfd312952b4a93c3068d0556964f4490057"},"downloads":-1,"filename":"pip-21.2.3-py3-none-any.whl","has_sig":false,"md5_digest":"63bcf4a3ac3ced9e569b17126213beb1","packagetype":"bdist_wheel","python_version":"py3","requires_python":">=3.6","size":1563443,"upload_time":"2021-08-06T10:50:47","upload_time_iso_8601":"2021-08-06T10:50:47.358580Z","url":"https://files.pythonhosted.org/packages/ca/bf/4133a0e05eac641ec270bbcef30512b5ad307d7838adb994acd652cc30e3/pip-21.2.3-py3-none-any.whl","yanked":false,"yanked_reason":null},{"comment_text":"","digests":{"blake2b_256":"e1637c0e553ae0513ebf1858f08030158ff5998324013e0ba4c2e1c00b85df79","md5":"3a6910a6a6f1737816849ce38af0b0fd","sha256":"91e66f2a2702e7d2dcc092ed8c5ebe923e69b9997ea28ba25823943bcd3bf820"},"downloads":-1,"filename":"pip-21.2.3.tar.gz","has_sig":false,"md5_digest":"3a6910a6a6f1737816849ce38af0b0fd","packagetype":"sdist","python_version":"source","requires_python":">=3.6","size":1572274,"upload_time":"2021-08-06T10:50:50","upload_time_iso_8601":"2021-08-06T10:50:50.395625Z","url":"https://files.pythonhosted.org/packages/e1/63/7c0e553ae0513ebf1858f08030158ff5998324013e0ba4c2e1c00b85df79/pip-21.2.3.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the `hg clone` call (e.g. `--config`). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.","fixed_in":["23.3"],"id":"GHSA-mq26-g339-26xf","link":"https://osv.dev/vulnerability/GHSA-mq26-g339-26xf","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL  (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n","fixed_in":["23.3"],"id":"PYSEC-2023-228","link":"https://osv.dev/vulnerability/PYSEC-2023-228","source":"osv","summary":null,"withdrawn":null}]},"21.2.4":{"info":{"author":"The pip developers","author_email":"distutils-sig@python.org","bugtrack_url":null,"classifiers":["Development Status :: 5 - Production/Stable","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Programming Language :: Python","Programming Language :: Python :: 3","Programming Language :: Python :: 3 :: Only","Programming Language :: Python :: 3.6","Programming Language :: Python :: 3.7","Programming Language :: Python :: 3.8","Programming Language :: Python :: 3.9","Programming Language :: Python :: Implementation :: CPython","Programming Language :: Python :: Implementation :: PyPy","Topic :: Software Development :: Build Tools"],"description_content_type":"","docs_url":null,"download_url":"","downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"https://pip.pypa.io/","keywords":"","license":"MIT","maintainer":"","maintainer_email":"","name":"pip","package_url":"https://pypi.org/project/pip/","platform":"","project_url":"https://pypi.org/project/pip/","project_urls":{"Changelog":"https://pip.pypa.io/en/stable/news/","Documentation":"https://pip.pypa.io","Homepage":"https://pip.pypa.io/","Source":"https://github.com/pypa/pip"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/21.2.4/","requires_dist":null,"requires_python":">=3.6","summary":"The PyPA recommended tool for installing Python packages.","version":"21.2.4","yanked":false,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"ca31b88ef447d595963c01060998cb329251648acf4a067721b0452c45527eb8","md5":"1b4245e809bfcf23c985e273e88e4cbe","sha256":"fa9ebb85d3fd607617c0c44aca302b1b45d87f9c2a1649b46c26167ca4296323"},"downloads":-1,"filename":"pip-21.2.4-py3-none-any.whl","has_sig":false,"md5_digest":"1b4245e809bfcf23c985e273e88e4cbe","packagetype":"bdist_wheel","python_version":"py3","requires_python":">=3.6","size":1555100,"upload_time":"2021-08-12T14:54:57","upload_time_iso_8601":"2021-08-12T14:54:57.870818Z","url":"https://files.pythonhosted.org/packages/ca/31/b88ef447d595963c01060998cb329251648acf4a067721b0452c45527eb8/pip-21.2.4-py3-none-any.whl","yanked":false,"yanked_reason":null},{"comment_text":"","digests":{"blake2b_256":"52e106c018197d8151383f66ebf6979d951995cf495629fc54149491f5d157d0","md5":"efbdb4201a5e6383fb4d12e26f78f355","sha256":"0eb8a1516c3d138ae8689c0c1a60fde7143310832f9dc77e11d8a4bc62de193b"},"downloads":-1,"filename":"pip-21.2.4.tar.gz","has_sig":false,"md5_digest":"efbdb4201a5e6383fb4d12e26f78f355","packagetype":"sdist","python_version":"source","requires_python":">=3.6","size":1564487,"upload_time":"2021-08-12T14:55:01","upload_time_iso_8601":"2021-08-12T14:55:01.067507Z","url":"https://files.pythonhosted.org/packages/52/e1/06c018197d8151383f66ebf6979d951995cf495629fc54149491f5d157d0/pip-21.2.4.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the `hg clone` call (e.g. `--config`). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.","fixed_in":["23.3"],"id":"GHSA-mq26-g339-26xf","link":"https://osv.dev/vulnerability/GHSA-mq26-g339-26xf","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL  (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n","fixed_in":["23.3"],"id":"PYSEC-2023-228","link":"https://osv.dev/vulnerability/PYSEC-2023-228","source":"osv","summary":null,"withdrawn":null}]},"21.3":{"info":{"author":"The pip developers","author_email":"distutils-sig@python.org","bugtrack_url":null,"classifiers":["Development Status :: 5 - Production/Stable","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Programming Language :: Python","Programming Language :: Python :: 3","Programming Language :: Python :: 3 :: Only","Programming Language :: Python :: 3.10","Programming Language :: Python :: 3.6","Programming Language :: Python :: 3.7","Programming Language :: Python :: 3.8","Programming Language :: Python :: 3.9","Programming Language :: Python :: Implementation :: CPython","Programming Language :: Python :: Implementation :: PyPy","Topic :: Software Development :: Build Tools"],"description_content_type":"","docs_url":null,"download_url":"","downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"https://pip.pypa.io/","keywords":"","license":"MIT","maintainer":"","maintainer_email":"","name":"pip","package_url":"https://pypi.org/project/pip/","platform":"","project_url":"https://pypi.org/project/pip/","project_urls":{"Changelog":"https://pip.pypa.io/en/stable/news/","Documentation":"https://pip.pypa.io","Homepage":"https://pip.pypa.io/","Source":"https://github.com/pypa/pip"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/21.3/","requires_dist":null,"requires_python":">=3.6","summary":"The PyPA recommended tool for installing Python packages.","version":"21.3","yanked":false,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"90a91ea3a69a51dcc679724e3512fc2aa1668999eed59976f749134eb02229c8","md5":"5c310237fd74678df93adb5701aec712","sha256":"4a1de8f97884ecfc10b48fe61c234f7e7dcf4490a37217011ad9369d899ad5a6"},"downloads":-1,"filename":"pip-21.3-py3-none-any.whl","has_sig":false,"md5_digest":"5c310237fd74678df93adb5701aec712","packagetype":"bdist_wheel","python_version":"py3","requires_python":">=3.6","size":1722980,"upload_time":"2021-10-11T19:42:14","upload_time_iso_8601":"2021-10-11T19:42:14.672378Z","url":"https://files.pythonhosted.org/packages/90/a9/1ea3a69a51dcc679724e3512fc2aa1668999eed59976f749134eb02229c8/pip-21.3-py3-none-any.whl","yanked":false,"yanked_reason":null},{"comment_text":"","digests":{"blake2b_256":"005fd6959d6f25f202e3e68e3a53b815af42d770c829c19382d0acbf2c3e2112","md5":"fc20feba27bd36f046c2fbd59bc8f9ea","sha256":"741a61baab1dbce2d8ca415effa48a2b6a964564f81a9f4f1fce4c433346c034"},"downloads":-1,"filename":"pip-21.3.tar.gz","has_sig":false,"md5_digest":"fc20feba27bd36f046c2fbd59bc8f9ea","packagetype":"sdist","python_version":"source","requires_python":">=3.6","size":1730584,"upload_time":"2021-10-11T19:42:19","upload_time_iso_8601":"2021-10-11T19:42:19.072885Z","url":"https://files.pythonhosted.org/packages/00/5f/d6959d6f25f202e3e68e3a53b815af42d770c829c19382d0acbf2c3e2112/pip-21.3.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the `hg clone` call (e.g. `--config`). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.","fixed_in":["23.3"],"id":"GHSA-mq26-g339-26xf","link":"https://osv.dev/vulnerability/GHSA-mq26-g339-26xf","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL  (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n","fixed_in":["23.3"],"id":"PYSEC-2023-228","link":"https://osv.dev/vulnerability/PYSEC-2023-228","source":"osv","summary":null,"withdrawn":null}]},"21.3.1":{"info":{"author":"The pip developers","author_email":"distutils-sig@python.org","bugtrack_url":null,"classifiers":["Development Status :: 5 - Production/Stable","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Programming Language :: Python","Programming Language :: Python :: 3","Programming Language :: Python :: 3 :: Only","Programming Language :: Python :: 3.10","Programming Language :: Python :: 3.6","Programming Language :: Python :: 3.7","Programming Language :: Python :: 3.8","Programming Language :: Python :: 3.9","Programming Language :: Python :: Implementation :: CPython","Programming Language :: Python :: Implementation :: PyPy","Topic :: Software Development :: Build Tools"],"description_content_type":"","docs_url":null,"download_url":"","downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"https://pip.pypa.io/","keywords":"","license":"MIT","maintainer":"","maintainer_email":"","name":"pip","package_url":"https://pypi.org/project/pip/","platform":"","project_url":"https://pypi.org/project/pip/","project_urls":{"Changelog":"https://pip.pypa.io/en/stable/news/","Documentation":"https://pip.pypa.io","Homepage":"https://pip.pypa.io/","Source":"https://github.com/pypa/pip"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/21.3.1/","requires_dist":null,"requires_python":">=3.6","summary":"The PyPA recommended tool for installing Python packages.","version":"21.3.1","yanked":false,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"a46d6463d49a933f547439d6b5b98b46af8742cc03ae83543e4d7688c2420f8b","md5":"c849a44121f823c806f604d6568d9e89","sha256":"deaf32dcd9ab821e359cd8330786bcd077604b5c5730c0b096eda46f95c24a2d"},"downloads":-1,"filename":"pip-21.3.1-py3-none-any.whl","has_sig":false,"md5_digest":"c849a44121f823c806f604d6568d9e89","packagetype":"bdist_wheel","python_version":"py3","requires_python":">=3.6","size":1723581,"upload_time":"2021-10-22T15:57:09","upload_time_iso_8601":"2021-10-22T15:57:09.325883Z","url":"https://files.pythonhosted.org/packages/a4/6d/6463d49a933f547439d6b5b98b46af8742cc03ae83543e4d7688c2420f8b/pip-21.3.1-py3-none-any.whl","yanked":false,"yanked_reason":null},{"comment_text":"","digests":{"blake2b_256":"daf6c83229dcc3635cdeb51874184241a9508ada15d8baa337a41093fab58011","md5":"0d3f27f4b7fecb33fd573e4f46cc6788","sha256":"fd11ba3d0fdb4c07fbc5ecbba0b1b719809420f25038f8ee3cd913d3faa3033a"},"downloads":-1,"filename":"pip-21.3.1.tar.gz","has_sig":false,"md5_digest":"0d3f27f4b7fecb33fd573e4f46cc6788","packagetype":"sdist","python_version":"source","requires_python":">=3.6","size":1731517,"upload_time":"2021-10-22T15:57:12","upload_time_iso_8601":"2021-10-22T15:57:12.739402Z","url":"https://files.pythonhosted.org/packages/da/f6/c83229dcc3635cdeb51874184241a9508ada15d8baa337a41093fab58011/pip-21.3.1.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the `hg clone` call (e.g. `--config`). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.","fixed_in":["23.3"],"id":"GHSA-mq26-g339-26xf","link":"https://osv.dev/vulnerability/GHSA-mq26-g339-26xf","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL  (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n","fixed_in":["23.3"],"id":"PYSEC-2023-228","link":"https://osv.dev/vulnerability/PYSEC-2023-228","source":"osv","summary":null,"withdrawn":null}]},"22.0":{"info":{"author":"The pip developers","author_email":"distutils-sig@python.org","bugtrack_url":null,"classifiers":["Development Status :: 5 - Production/Stable","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Programming Language :: Python","Programming Language :: Python :: 3","Programming Language :: Python :: 3 :: Only","Programming Language :: Python :: 3.10","Programming Language :: Python :: 3.7","Programming Language :: Python :: 3.8","Programming Language :: Python :: 3.9","Programming Language :: Python :: Implementation :: CPython","Programming Language :: Python :: Implementation :: PyPy","Topic :: Software Development :: Build Tools"],"description_content_type":"","docs_url":null,"download_url":"","downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"https://pip.pypa.io/","keywords":"","license":"MIT","maintainer":"","maintainer_email":"","name":"pip","package_url":"https://pypi.org/project/pip/","platform":"","project_url":"https://pypi.org/project/pip/","project_urls":{"Changelog":"https://pip.pypa.io/en/stable/news/","Documentation":"https://pip.pypa.io","Homepage":"https://pip.pypa.io/","Source":"https://github.com/pypa/pip"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/22.0/","requires_dist":null,"requires_python":">=3.7","summary":"The PyPA recommended tool for installing Python packages.","version":"22.0","yanked":false,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"9f8ba094f5da22d7abf5098205367b3296dd15b914f4232af5ca39ba6214d08c","md5":"795afb6d0ced2e8a5e23b7672ce5dfb8","sha256":"6cb1ea2bd7fda0668e26ae8c3e45188f301a7ef17ff22efe1f70f3643e56a822"},"downloads":-1,"filename":"pip-22.0-py3-none-any.whl","has_sig":false,"md5_digest":"795afb6d0ced2e8a5e23b7672ce5dfb8","packagetype":"bdist_wheel","python_version":"py3","requires_python":">=3.7","size":2084231,"upload_time":"2022-01-30T12:34:58","upload_time_iso_8601":"2022-01-30T12:34:58.778557Z","url":"https://files.pythonhosted.org/packages/9f/8b/a094f5da22d7abf5098205367b3296dd15b914f4232af5ca39ba6214d08c/pip-22.0-py3-none-any.whl","yanked":false,"yanked_reason":null},{"comment_text":"","digests":{"blake2b_256":"4acae72b3b399d7a8cb34311aa8f52924108591c013b09f0268820afb4cd96fb","md5":"59bcad2130e50cc4805767de561667cf","sha256":"d3fa5c3e42b33de52bddce89de40268c9a263cd6ef7c94c40774808dafb32c82"},"downloads":-1,"filename":"pip-22.0.tar.gz","has_sig":false,"md5_digest":"59bcad2130e50cc4805767de561667cf","packagetype":"sdist","python_version":"source","requires_python":">=3.7","size":2054609,"upload_time":"2022-01-30T12:35:02","upload_time_iso_8601":"2022-01-30T12:35:02.140472Z","url":"https://files.pythonhosted.org/packages/4a/ca/e72b3b399d7a8cb34311aa8f52924108591c013b09f0268820afb4cd96fb/pip-22.0.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the `hg clone` call (e.g. `--config`). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.","fixed_in":["23.3"],"id":"GHSA-mq26-g339-26xf","link":"https://osv.dev/vulnerability/GHSA-mq26-g339-26xf","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL  (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n","fixed_in":["23.3"],"id":"PYSEC-2023-228","link":"https://osv.dev/vulnerability/PYSEC-2023-228","source":"osv","summary":null,"withdrawn":null}]},"22.0.1":{"info":{"author":"The pip developers","author_email":"distutils-sig@python.org","bugtrack_url":null,"classifiers":["Development Status :: 5 - Production/Stable","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Programming Language :: Python","Programming Language :: Python :: 3","Programming Language :: Python :: 3 :: Only","Programming Language :: Python :: 3.10","Programming Language :: Python :: 3.7","Programming Language :: Python :: 3.8","Programming Language :: Python :: 3.9","Programming Language :: Python :: Implementation :: CPython","Programming Language :: Python :: Implementation :: PyPy","Topic :: Software Development :: Build Tools"],"description_content_type":"","docs_url":null,"download_url":"","downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"https://pip.pypa.io/","keywords":"","license":"MIT","maintainer":"","maintainer_email":"","name":"pip","package_url":"https://pypi.org/project/pip/","platform":"","project_url":"https://pypi.org/project/pip/","project_urls":{"Changelog":"https://pip.pypa.io/en/stable/news/","Documentation":"https://pip.pypa.io","Homepage":"https://pip.pypa.io/","Source":"https://github.com/pypa/pip"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/22.0.1/","requires_dist":null,"requires_python":">=3.7","summary":"The PyPA recommended tool for installing Python packages.","version":"22.0.1","yanked":false,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"89a12f4e58eda11e591fbfa518233378835679fc5ab766b690b3df85215014d5","md5":"db8afa722f36728d9011a4d3fc668252","sha256":"30739ac5fb973cfa4399b0afff0523d4fe6bed2f7a5229333f64d9c2ce0d1933"},"downloads":-1,"filename":"pip-22.0.1-py3-none-any.whl","has_sig":false,"md5_digest":"db8afa722f36728d9011a4d3fc668252","packagetype":"bdist_wheel","python_version":"py3","requires_python":">=3.7","size":2084273,"upload_time":"2022-01-30T19:43:48","upload_time_iso_8601":"2022-01-30T19:43:48.658738Z","url":"https://files.pythonhosted.org/packages/89/a1/2f4e58eda11e591fbfa518233378835679fc5ab766b690b3df85215014d5/pip-22.0.1-py3-none-any.whl","yanked":false,"yanked_reason":null},{"comment_text":"","digests":{"blake2b_256":"63715686e51f06fa59da55f7e81c3101844e57434a30f4a0d7456674d1459841","md5":"0ea1d48500b94237a3ac7d5eac45474d","sha256":"7fd7a92f2fb1d2ac2ae8c72fb10b1e640560a0361ed4427453509e2bcc18605b"},"downloads":-1,"filename":"pip-22.0.1.tar.gz","has_sig":false,"md5_digest":"0ea1d48500b94237a3ac7d5eac45474d","packagetype":"sdist","python_version":"source","requires_python":">=3.7","size":2054743,"upload_time":"2022-01-30T19:43:52","upload_time_iso_8601":"2022-01-30T19:43:52.632379Z","url":"https://files.pythonhosted.org/packages/63/71/5686e51f06fa59da55f7e81c3101844e57434a30f4a0d7456674d1459841/pip-22.0.1.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the `hg clone` call (e.g. `--config`). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.","fixed_in":["23.3"],"id":"GHSA-mq26-g339-26xf","link":"https://osv.dev/vulnerability/GHSA-mq26-g339-26xf","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL  (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n","fixed_in":["23.3"],"id":"PYSEC-2023-228","link":"https://osv.dev/vulnerability/PYSEC-2023-228","source":"osv","summary":null,"withdrawn":null}]},"22.0.2":{"info":{"author":"The pip developers","author_email":"distutils-sig@python.org","bugtrack_url":null,"classifiers":["Development Status :: 5 - Production/Stable","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Programming Language :: Python","Programming Language :: Python :: 3","Programming Language :: Python :: 3 :: Only","Programming Language :: Python :: 3.10","Programming Language :: Python :: 3.7","Programming Language :: Python :: 3.8","Programming Language :: Python :: 3.9","Programming Language :: Python :: Implementation :: CPython","Programming Language :: Python :: Implementation :: PyPy","Topic :: Software Development :: Build Tools"],"description_content_type":"","docs_url":null,"download_url":"","downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"https://pip.pypa.io/","keywords":"","license":"MIT","maintainer":"","maintainer_email":"","name":"pip","package_url":"https://pypi.org/project/pip/","platform":"","project_url":"https://pypi.org/project/pip/","project_urls":{"Changelog":"https://pip.pypa.io/en/stable/news/","Documentation":"https://pip.pypa.io","Homepage":"https://pip.pypa.io/","Source":"https://github.com/pypa/pip"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/22.0.2/","requires_dist":null,"requires_python":">=3.7","summary":"The PyPA recommended tool for installing Python packages.","version":"22.0.2","yanked":false,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"83b5df8640236faa5a3cb80bfafd68e9fb4b22578208b8398c032ccff803f9e0","md5":"243f91265f38f7774bd3dd2d0a4457a2","sha256":"682eabc4716bfce606aca8dab488e9c7b58b0737e9001004eb858cdafcd8dbdd"},"downloads":-1,"filename":"pip-22.0.2-py3-none-any.whl","has_sig":false,"md5_digest":"243f91265f38f7774bd3dd2d0a4457a2","packagetype":"bdist_wheel","python_version":"py3","requires_python":">=3.7","size":2084595,"upload_time":"2022-01-30T22:46:51","upload_time_iso_8601":"2022-01-30T22:46:51.286060Z","url":"https://files.pythonhosted.org/packages/83/b5/df8640236faa5a3cb80bfafd68e9fb4b22578208b8398c032ccff803f9e0/pip-22.0.2-py3-none-any.whl","yanked":false,"yanked_reason":null},{"comment_text":"","digests":{"blake2b_256":"d9c1146b24a7648fdf3f8b4dc6521ab0b26ac151ef903bac0b63a4e1450cb4d1","md5":"0449e82526e48fc5169a857193f6a63c","sha256":"27b4b70c34ec35f77947f777070d8331adbb1e444842e98e7150c288dc0caea4"},"downloads":-1,"filename":"pip-22.0.2.tar.gz","has_sig":false,"md5_digest":"0449e82526e48fc5169a857193f6a63c","packagetype":"sdist","python_version":"source","requires_python":">=3.7","size":2055167,"upload_time":"2022-01-30T22:46:54","upload_time_iso_8601":"2022-01-30T22:46:54.733487Z","url":"https://files.pythonhosted.org/packages/d9/c1/146b24a7648fdf3f8b4dc6521ab0b26ac151ef903bac0b63a4e1450cb4d1/pip-22.0.2.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the `hg clone` call (e.g. `--config`). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.","fixed_in":["23.3"],"id":"GHSA-mq26-g339-26xf","link":"https://osv.dev/vulnerability/GHSA-mq26-g339-26xf","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL  (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n","fixed_in":["23.3"],"id":"PYSEC-2023-228","link":"https://osv.dev/vulnerability/PYSEC-2023-228","source":"osv","summary":null,"withdrawn":null}]},"22.0.3":{"info":{"author":"The pip developers","author_email":"distutils-sig@python.org","bugtrack_url":null,"classifiers":["Development Status :: 5 - Production/Stable","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Programming Language :: Python","Programming Language :: Python :: 3","Programming Language :: Python :: 3 :: Only","Programming Language :: Python :: 3.10","Programming Language :: Python :: 3.7","Programming Language :: Python :: 3.8","Programming Language :: Python :: 3.9","Programming Language :: Python :: Implementation :: CPython","Programming Language :: Python :: Implementation :: PyPy","Topic :: Software Development :: Build Tools"],"description_content_type":"","docs_url":null,"download_url":"","downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"https://pip.pypa.io/","keywords":"","license":"MIT","maintainer":"","maintainer_email":"","name":"pip","package_url":"https://pypi.org/project/pip/","platform":"","project_url":"https://pypi.org/project/pip/","project_urls":{"Changelog":"https://pip.pypa.io/en/stable/news/","Documentation":"https://pip.pypa.io","Homepage":"https://pip.pypa.io/","Source":"https://github.com/pypa/pip"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/22.0.3/","requires_dist":null,"requires_python":">=3.7","summary":"The PyPA recommended tool for installing Python packages.","version":"22.0.3","yanked":false,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"6adfa6ef77a6574781a668791419ffe366c8acd1c3cf4709d210cb53cd5ce1c2","md5":"7d3a154e009bd2e4c1ba2187879338a7","sha256":"c146f331f0805c77017c6bb9740cec4a49a0d4582d0c3cc8244b057f83eca359"},"downloads":-1,"filename":"pip-22.0.3-py3-none-any.whl","has_sig":false,"md5_digest":"7d3a154e009bd2e4c1ba2187879338a7","packagetype":"bdist_wheel","python_version":"py3","requires_python":">=3.7","size":2084572,"upload_time":"2022-02-03T08:44:11","upload_time_iso_8601":"2022-02-03T08:44:11.473387Z","url":"https://files.pythonhosted.org/packages/6a/df/a6ef77a6574781a668791419ffe366c8acd1c3cf4709d210cb53cd5ce1c2/pip-22.0.3-py3-none-any.whl","yanked":false,"yanked_reason":null},{"comment_text":"","digests":{"blake2b_256":"88d9761f0b1e0551a3559afe4d34bd9bf68fc8de3292363b3775dda39b62ce84","md5":"b97ca988eaa6d101f5aa5f43d5e86916","sha256":"f29d589df8c8ab99c060e68ad294c4a9ed896624f6368c5349d70aa581b333d0"},"downloads":-1,"filename":"pip-22.0.3.tar.gz","has_sig":false,"md5_digest":"b97ca988eaa6d101f5aa5f43d5e86916","packagetype":"sdist","python_version":"source","requires_python":">=3.7","size":2055359,"upload_time":"2022-02-03T08:44:14","upload_time_iso_8601":"2022-02-03T08:44:14.965630Z","url":"https://files.pythonhosted.org/packages/88/d9/761f0b1e0551a3559afe4d34bd9bf68fc8de3292363b3775dda39b62ce84/pip-22.0.3.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the `hg clone` call (e.g. `--config`). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.","fixed_in":["23.3"],"id":"GHSA-mq26-g339-26xf","link":"https://osv.dev/vulnerability/GHSA-mq26-g339-26xf","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL  (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n","fixed_in":["23.3"],"id":"PYSEC-2023-228","link":"https://osv.dev/vulnerability/PYSEC-2023-228","source":"osv","summary":null,"withdrawn":null}]},"22.0.4":{"info":{"author":"The pip developers","author_email":"distutils-sig@python.org","bugtrack_url":null,"classifiers":["Development Status :: 5 - Production/Stable","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Programming Language :: Python","Programming Language :: Python :: 3","Programming Language :: Python :: 3 :: Only","Programming Language :: Python :: 3.10","Programming Language :: Python :: 3.7","Programming Language :: Python :: 3.8","Programming Language :: Python :: 3.9","Programming Language :: Python :: Implementation :: CPython","Programming Language :: Python :: Implementation :: PyPy","Topic :: Software Development :: Build Tools"],"description_content_type":"","docs_url":null,"download_url":"","downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"https://pip.pypa.io/","keywords":"","license":"MIT","maintainer":"","maintainer_email":"","name":"pip","package_url":"https://pypi.org/project/pip/","platform":null,"project_url":"https://pypi.org/project/pip/","project_urls":{"Changelog":"https://pip.pypa.io/en/stable/news/","Documentation":"https://pip.pypa.io","Homepage":"https://pip.pypa.io/","Source":"https://github.com/pypa/pip"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/22.0.4/","requires_dist":null,"requires_python":">=3.7","summary":"The PyPA recommended tool for installing Python packages.","version":"22.0.4","yanked":false,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"4d160a14ca596f30316efd412a60bdfac02a7259bf8673d4d917dc60b9a21812","md5":"271aee4d4372295af4847a19d64c3595","sha256":"c6aca0f2f081363f689f041d90dab2a07a9a07fb840284db2218117a52da800b"},"downloads":-1,"filename":"pip-22.0.4-py3-none-any.whl","has_sig":false,"md5_digest":"271aee4d4372295af4847a19d64c3595","packagetype":"bdist_wheel","python_version":"py3","requires_python":">=3.7","size":2123599,"upload_time":"2022-03-07T07:42:43","upload_time_iso_8601":"2022-03-07T07:42:43.295398Z","url":"https://files.pythonhosted.org/packages/4d/16/0a14ca596f30316efd412a60bdfac02a7259bf8673d4d917dc60b9a21812/pip-22.0.4-py3-none-any.whl","yanked":false,"yanked_reason":null},{"comment_text":"","digests":{"blake2b_256":"33c9e2164122d365d8f823213a53970fa3005eb16218edcfc56ca24cb6deba2b","md5":"ffb2a7aa43004601409b3318777b75a8","sha256":"b3a9de2c6ef801e9247d1527a4b16f92f2cc141cd1489f3fffaf6a9e96729764"},"downloads":-1,"filename":"pip-22.0.4.tar.gz","has_sig":false,"md5_digest":"ffb2a7aa43004601409b3318777b75a8","packagetype":"sdist","python_version":"source","requires_python":">=3.7","size":2090742,"upload_time":"2022-03-07T07:42:47","upload_time_iso_8601":"2022-03-07T07:42:47.553998Z","url":"https://files.pythonhosted.org/packages/33/c9/e2164122d365d8f823213a53970fa3005eb16218edcfc56ca24cb6deba2b/pip-22.0.4.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the `hg clone` call (e.g. `--config`). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.","fixed_in":["23.3"],"id":"GHSA-mq26-g339-26xf","link":"https://osv.dev/vulnerability/GHSA-mq26-g339-26xf","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL  (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n","fixed_in":["23.3"],"id":"PYSEC-2023-228","link":"https://osv.dev/vulnerability/PYSEC-2023-228","source":"osv","summary":null,"withdrawn":null}]},"22.1":{"info":{"author":"The pip developers","author_email":"distutils-sig@python.org","bugtrack_url":null,"classifiers":["Development Status :: 5 - Production/Stable","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Programming Language :: Python","Programming Language :: Python :: 3","Programming Language :: Python :: 3 :: Only","Programming Language :: Python :: 3.10","Programming Language :: Python :: 3.7","Programming Language :: Python :: 3.8","Programming Language :: Python :: 3.9","Programming Language :: Python :: Implementation :: CPython","Programming Language :: Python :: Implementation :: PyPy","Topic :: Software Development :: Build Tools"],"description_content_type":"","docs_url":null,"download_url":"","downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"https://pip.pypa.io/","keywords":"","license":"MIT","maintainer":"","maintainer_email":"","name":"pip","package_url":"https://pypi.org/project/pip/","platform":null,"project_url":"https://pypi.org/project/pip/","project_urls":{"Changelog":"https://pip.pypa.io/en/stable/news/","Documentation":"https://pip.pypa.io","Homepage":"https://pip.pypa.io/","Source":"https://github.com/pypa/pip"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/22.1/","requires_dist":null,"requires_python":">=3.7","summary":"The PyPA recommended tool for installing Python packages.","version":"22.1","yanked":false,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"f37723152f90de45957b59591c34dcb39b78194eb67d088d4f8799e9aa9726c4","md5":"e9c899696279f1a40b72537ae17b38c5","sha256":"802e797fb741be1c2d475533d4ea951957e4940091422bd4a24848a7ac95609d"},"downloads":-1,"filename":"pip-22.1-py3-none-any.whl","has_sig":false,"md5_digest":"e9c899696279f1a40b72537ae17b38c5","packagetype":"bdist_wheel","python_version":"py3","requires_python":">=3.7","size":2140586,"upload_time":"2022-05-11T19:59:17","upload_time_iso_8601":"2022-05-11T19:59:17.672098Z","url":"https://files.pythonhosted.org/packages/f3/77/23152f90de45957b59591c34dcb39b78194eb67d088d4f8799e9aa9726c4/pip-22.1-py3-none-any.whl","yanked":false,"yanked_reason":null},{"comment_text":"","digests":{"blake2b_256":"99bb696e256f4f445809f25efd4e4ce42ff99664dc089cafa1e097d5fec7fc33","md5":"145e2379b206fde072ca0ed61391c7ac","sha256":"2debf847016cfe643fa1512e2d781d3ca9e5c878ba0652583842d50cc2bcc605"},"downloads":-1,"filename":"pip-22.1.tar.gz","has_sig":false,"md5_digest":"145e2379b206fde072ca0ed61391c7ac","packagetype":"sdist","python_version":"source","requires_python":">=3.7","size":2111620,"upload_time":"2022-05-11T19:59:22","upload_time_iso_8601":"2022-05-11T19:59:22.282550Z","url":"https://files.pythonhosted.org/packages/99/bb/696e256f4f445809f25efd4e4ce42ff99664dc089cafa1e097d5fec7fc33/pip-22.1.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the `hg clone` call (e.g. `--config`). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.","fixed_in":["23.3"],"id":"GHSA-mq26-g339-26xf","link":"https://osv.dev/vulnerability/GHSA-mq26-g339-26xf","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL  (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n","fixed_in":["23.3"],"id":"PYSEC-2023-228","link":"https://osv.dev/vulnerability/PYSEC-2023-228","source":"osv","summary":null,"withdrawn":null}]},"22.1.1":{"info":{"author":"The pip developers","author_email":"distutils-sig@python.org","bugtrack_url":null,"classifiers":["Development Status :: 5 - Production/Stable","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Programming Language :: Python","Programming Language :: Python :: 3","Programming Language :: Python :: 3 :: Only","Programming Language :: Python :: 3.10","Programming Language :: Python :: 3.7","Programming Language :: Python :: 3.8","Programming Language :: Python :: 3.9","Programming Language :: Python :: Implementation :: CPython","Programming Language :: Python :: Implementation :: PyPy","Topic :: Software Development :: Build Tools"],"description_content_type":"","docs_url":null,"download_url":"","downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"https://pip.pypa.io/","keywords":"","license":"MIT","maintainer":"","maintainer_email":"","name":"pip","package_url":"https://pypi.org/project/pip/","platform":null,"project_url":"https://pypi.org/project/pip/","project_urls":{"Changelog":"https://pip.pypa.io/en/stable/news/","Documentation":"https://pip.pypa.io","Homepage":"https://pip.pypa.io/","Source":"https://github.com/pypa/pip"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/22.1.1/","requires_dist":null,"requires_python":">=3.7","summary":"The PyPA recommended tool for installing Python packages.","version":"22.1.1","yanked":false,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"9be6aa8149e048eda381f2a433599be9b1f5e5e3a189636cd6cf9614aa2ff5be","md5":"1525e9b71f202e8308032a2c20311133","sha256":"e7bcf0b2cbdec2af84cc1b7b79b25fdbd7228fbdb61a4dca0b82810d0ba9d18b"},"downloads":-1,"filename":"pip-22.1.1-py3-none-any.whl","has_sig":false,"md5_digest":"1525e9b71f202e8308032a2c20311133","packagetype":"bdist_wheel","python_version":"py3","requires_python":">=3.7","size":2140725,"upload_time":"2022-05-21T13:21:05","upload_time_iso_8601":"2022-05-21T13:21:05.438247Z","url":"https://files.pythonhosted.org/packages/9b/e6/aa8149e048eda381f2a433599be9b1f5e5e3a189636cd6cf9614aa2ff5be/pip-22.1.1-py3-none-any.whl","yanked":false,"yanked_reason":null},{"comment_text":"","digests":{"blake2b_256":"3e0a6125e67aa4d3245faeed476e4e26f190b5209f84f01efd733ac6372eb247","md5":"08f7a715658d0e687a9c39a9fbfb6f6b","sha256":"8dfb15d8a1c3d3085a4cbe11f29e19527dfaf2ba99354326fd62cec013eaee81"},"downloads":-1,"filename":"pip-22.1.1.tar.gz","has_sig":false,"md5_digest":"08f7a715658d0e687a9c39a9fbfb6f6b","packagetype":"sdist","python_version":"source","requires_python":">=3.7","size":2112307,"upload_time":"2022-05-21T13:21:09","upload_time_iso_8601":"2022-05-21T13:21:09.041574Z","url":"https://files.pythonhosted.org/packages/3e/0a/6125e67aa4d3245faeed476e4e26f190b5209f84f01efd733ac6372eb247/pip-22.1.1.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the `hg clone` call (e.g. `--config`). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.","fixed_in":["23.3"],"id":"GHSA-mq26-g339-26xf","link":"https://osv.dev/vulnerability/GHSA-mq26-g339-26xf","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL  (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n","fixed_in":["23.3"],"id":"PYSEC-2023-228","link":"https://osv.dev/vulnerability/PYSEC-2023-228","source":"osv","summary":null,"withdrawn":null}]},"22.1.2":{"info":{"author":"The pip developers","author_email":"distutils-sig@python.org","bugtrack_url":null,"classifiers":["Development Status :: 5 - Production/Stable","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Programming Language :: Python","Programming Language :: Python :: 3","Programming Language :: Python :: 3 :: Only","Programming Language :: Python :: 3.10","Programming Language :: Python :: 3.7","Programming Language :: Python :: 3.8","Programming Language :: Python :: 3.9","Programming Language :: Python :: Implementation :: CPython","Programming Language :: Python :: Implementation :: PyPy","Topic :: Software Development :: Build Tools"],"description_content_type":"","docs_url":null,"download_url":"","downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"https://pip.pypa.io/","keywords":"","license":"MIT","maintainer":"","maintainer_email":"","name":"pip","package_url":"https://pypi.org/project/pip/","platform":null,"project_url":"https://pypi.org/project/pip/","project_urls":{"Changelog":"https://pip.pypa.io/en/stable/news/","Documentation":"https://pip.pypa.io","Homepage":"https://pip.pypa.io/","Source":"https://github.com/pypa/pip"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/22.1.2/","requires_dist":null,"requires_python":">=3.7","summary":"The PyPA recommended tool for installing Python packages.","version":"22.1.2","yanked":false,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"962fcaec18213f6a67852f6997fb0673ae08d2e93d1b81573edb93ba4ef06970","md5":"564799f1b166d9d4f87a6921c35e0008","sha256":"a3edacb89022ef5258bf61852728bf866632a394da837ca49eb4303635835f17"},"downloads":-1,"filename":"pip-22.1.2-py3-none-any.whl","has_sig":false,"md5_digest":"564799f1b166d9d4f87a6921c35e0008","packagetype":"bdist_wheel","python_version":"py3","requires_python":">=3.7","size":2140742,"upload_time":"2022-05-31T11:19:58","upload_time_iso_8601":"2022-05-31T11:19:58.344567Z","url":"https://files.pythonhosted.org/packages/96/2f/caec18213f6a67852f6997fb0673ae08d2e93d1b81573edb93ba4ef06970/pip-22.1.2-py3-none-any.whl","yanked":false,"yanked_reason":null},{"comment_text":"","digests":{"blake2b_256":"4bb60fa7aa968a9fa4ef63a51b3ff0644e59f49dcd7235b3fd6cceb23f202e08","md5":"6ec06d38c3aed5d22bcbbbfbf7114d6a","sha256":"6d55b27e10f506312894a87ccc59f280136bad9061719fac9101bdad5a6bce69"},"downloads":-1,"filename":"pip-22.1.2.tar.gz","has_sig":false,"md5_digest":"6ec06d38c3aed5d22bcbbbfbf7114d6a","packagetype":"sdist","python_version":"source","requires_python":">=3.7","size":2112549,"upload_time":"2022-05-31T11:20:04","upload_time_iso_8601":"2022-05-31T11:20:04.241597Z","url":"https://files.pythonhosted.org/packages/4b/b6/0fa7aa968a9fa4ef63a51b3ff0644e59f49dcd7235b3fd6cceb23f202e08/pip-22.1.2.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the `hg clone` call (e.g. `--config`). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.","fixed_in":["23.3"],"id":"GHSA-mq26-g339-26xf","link":"https://osv.dev/vulnerability/GHSA-mq26-g339-26xf","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL  (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n","fixed_in":["23.3"],"id":"PYSEC-2023-228","link":"https://osv.dev/vulnerability/PYSEC-2023-228","source":"osv","summary":null,"withdrawn":null}]},"22.1b1":{"info":{"author":"The pip developers","author_email":"distutils-sig@python.org","bugtrack_url":null,"classifiers":["Development Status :: 5 - Production/Stable","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Programming Language :: Python","Programming Language :: Python :: 3","Programming Language :: Python :: 3 :: Only","Programming Language :: Python :: 3.10","Programming Language :: Python :: 3.7","Programming Language :: Python :: 3.8","Programming Language :: Python :: 3.9","Programming Language :: Python :: Implementation :: CPython","Programming Language :: Python :: Implementation :: PyPy","Topic :: Software Development :: Build Tools"],"description_content_type":"","docs_url":null,"download_url":"","downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"https://pip.pypa.io/","keywords":"","license":"MIT","maintainer":"","maintainer_email":"","name":"pip","package_url":"https://pypi.org/project/pip/","platform":null,"project_url":"https://pypi.org/project/pip/","project_urls":{"Changelog":"https://pip.pypa.io/en/stable/news/","Documentation":"https://pip.pypa.io","Homepage":"https://pip.pypa.io/","Source":"https://github.com/pypa/pip"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/22.1b1/","requires_dist":null,"requires_python":">=3.7","summary":"The PyPA recommended tool for installing Python packages.","version":"22.1b1","yanked":false,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"793ad341ae105c8b49eac912bee40739d496ae80f9441efa7df6c68f4997bbc8","md5":"4ca52f69bcbe51c5b8b90261d3fba5bb","sha256":"09e9e8f8e10f2515134b59600ad3630219430eabb734336079cbc6ffb2e01a0e"},"downloads":-1,"filename":"pip-22.1b1-py3-none-any.whl","has_sig":false,"md5_digest":"4ca52f69bcbe51c5b8b90261d3fba5bb","packagetype":"bdist_wheel","python_version":"py3","requires_python":">=3.7","size":2140148,"upload_time":"2022-04-30T13:43:20","upload_time_iso_8601":"2022-04-30T13:43:20.029092Z","url":"https://files.pythonhosted.org/packages/79/3a/d341ae105c8b49eac912bee40739d496ae80f9441efa7df6c68f4997bbc8/pip-22.1b1-py3-none-any.whl","yanked":false,"yanked_reason":null},{"comment_text":"","digests":{"blake2b_256":"a7c0794f22836ef3202a7ad61f0872278ee7ac62e8c7617e4c9a08f01b5e82da","md5":"73a2de2d075d08885622a065cb9cf799","sha256":"f54ab61985754b56c5589178cfd7dfca5ed9f98d5c8f2de2eecb29f1341200f1"},"downloads":-1,"filename":"pip-22.1b1.tar.gz","has_sig":false,"md5_digest":"73a2de2d075d08885622a065cb9cf799","packagetype":"sdist","python_version":"source","requires_python":">=3.7","size":2109336,"upload_time":"2022-04-30T13:43:24","upload_time_iso_8601":"2022-04-30T13:43:24.685038Z","url":"https://files.pythonhosted.org/packages/a7/c0/794f22836ef3202a7ad61f0872278ee7ac62e8c7617e4c9a08f01b5e82da/pip-22.1b1.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the `hg clone` call (e.g. `--config`). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.","fixed_in":["23.3"],"id":"GHSA-mq26-g339-26xf","link":"https://osv.dev/vulnerability/GHSA-mq26-g339-26xf","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL  (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n","fixed_in":["23.3"],"id":"PYSEC-2023-228","link":"https://osv.dev/vulnerability/PYSEC-2023-228","source":"osv","summary":null,"withdrawn":null}]},"22.2":{"info":{"author":"The pip developers","author_email":"distutils-sig@python.org","bugtrack_url":null,"classifiers":["Development Status :: 5 - Production/Stable","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Programming Language :: Python","Programming Language :: Python :: 3","Programming Language :: Python :: 3 :: Only","Programming Language :: Python :: 3.10","Programming Language :: Python :: 3.7","Programming Language :: Python :: 3.8","Programming Language :: Python :: 3.9","Programming Language :: Python :: Implementation :: CPython","Programming Language :: Python :: Implementation :: PyPy","Topic :: Software Development :: Build Tools"],"description_content_type":"","docs_url":null,"download_url":"","downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"https://pip.pypa.io/","keywords":"","license":"MIT","maintainer":"","maintainer_email":"","name":"pip","package_url":"https://pypi.org/project/pip/","platform":null,"project_url":"https://pypi.org/project/pip/","project_urls":{"Changelog":"https://pip.pypa.io/en/stable/news/","Documentation":"https://pip.pypa.io","Homepage":"https://pip.pypa.io/","Source":"https://github.com/pypa/pip"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/22.2/","requires_dist":null,"requires_python":">=3.7","summary":"The PyPA recommended tool for installing Python packages.","version":"22.2","yanked":false,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"9b9e9e0610f25e65e2cdf90b1ee9c47ca710865401904038558ac0129ea23cbc","md5":"0c884466e80e6b0b3daa248e7a6f3ec8","sha256":"9abf423d5d64f3289ab9d5bf31da9e6234f2e9c5d8dcf1423bcb46b809a02c2c"},"downloads":-1,"filename":"pip-22.2-py3-none-any.whl","has_sig":false,"md5_digest":"0c884466e80e6b0b3daa248e7a6f3ec8","packagetype":"bdist_wheel","python_version":"py3","requires_python":">=3.7","size":2044396,"upload_time":"2022-07-21T10:25:38","upload_time_iso_8601":"2022-07-21T10:25:38.540179Z","url":"https://files.pythonhosted.org/packages/9b/9e/9e0610f25e65e2cdf90b1ee9c47ca710865401904038558ac0129ea23cbc/pip-22.2-py3-none-any.whl","yanked":false,"yanked_reason":null},{"comment_text":"","digests":{"blake2b_256":"cdb6cf07132d631444dd7ce0ed199f2327eb34e2418f1675145e5b10e1ee65cd","md5":"e1d02db855f7368e497562de6d07c323","sha256":"8d63fcd4ee293e30b644827268a0a973d080e5c7425ef26d427f5eb2126c7681"},"downloads":-1,"filename":"pip-22.2.tar.gz","has_sig":false,"md5_digest":"e1d02db855f7368e497562de6d07c323","packagetype":"sdist","python_version":"source","requires_python":">=3.7","size":2035740,"upload_time":"2022-07-21T10:25:42","upload_time_iso_8601":"2022-07-21T10:25:42.288675Z","url":"https://files.pythonhosted.org/packages/cd/b6/cf07132d631444dd7ce0ed199f2327eb34e2418f1675145e5b10e1ee65cd/pip-22.2.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the `hg clone` call (e.g. `--config`). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.","fixed_in":["23.3"],"id":"GHSA-mq26-g339-26xf","link":"https://osv.dev/vulnerability/GHSA-mq26-g339-26xf","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL  (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n","fixed_in":["23.3"],"id":"PYSEC-2023-228","link":"https://osv.dev/vulnerability/PYSEC-2023-228","source":"osv","summary":null,"withdrawn":null}]},"22.2.1":{"info":{"author":"The pip developers","author_email":"distutils-sig@python.org","bugtrack_url":null,"classifiers":["Development Status :: 5 - Production/Stable","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Programming Language :: Python","Programming Language :: Python :: 3","Programming Language :: Python :: 3 :: Only","Programming Language :: Python :: 3.10","Programming Language :: Python :: 3.11","Programming Language :: Python :: 3.7","Programming Language :: Python :: 3.8","Programming Language :: Python :: 3.9","Programming Language :: Python :: Implementation :: CPython","Programming Language :: Python :: Implementation :: PyPy","Topic :: Software Development :: Build Tools"],"description_content_type":"","docs_url":null,"download_url":"","downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"https://pip.pypa.io/","keywords":"","license":"MIT","maintainer":"","maintainer_email":"","name":"pip","package_url":"https://pypi.org/project/pip/","platform":null,"project_url":"https://pypi.org/project/pip/","project_urls":{"Changelog":"https://pip.pypa.io/en/stable/news/","Documentation":"https://pip.pypa.io","Homepage":"https://pip.pypa.io/","Source":"https://github.com/pypa/pip"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/22.2.1/","requires_dist":null,"requires_python":">=3.7","summary":"The PyPA recommended tool for installing Python packages.","version":"22.2.1","yanked":false,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"84255734a44897751d8bac6822efb819acda2d969bcc1b915bbd7d48102952cb","md5":"224881c15bcdcd910375bc0cf6e71aae","sha256":"0bbbc87dfbe6eed217beff0021f8b7dea04c8f4a0baa9d31dc4cff281ffc5b2b"},"downloads":-1,"filename":"pip-22.2.1-py3-none-any.whl","has_sig":false,"md5_digest":"224881c15bcdcd910375bc0cf6e71aae","packagetype":"bdist_wheel","python_version":"py3","requires_python":">=3.7","size":2044666,"upload_time":"2022-07-27T17:28:27","upload_time_iso_8601":"2022-07-27T17:28:27.331945Z","url":"https://files.pythonhosted.org/packages/84/25/5734a44897751d8bac6822efb819acda2d969bcc1b915bbd7d48102952cb/pip-22.2.1-py3-none-any.whl","yanked":false,"yanked_reason":null},{"comment_text":"","digests":{"blake2b_256":"4628addd7e66bb3af799d35a5dcbb79407b591a7ed674f4efd2bd8f930c40821","md5":"9f926ff7cf5518a6291347e2aed1a20a","sha256":"50516e47a2b79e77446f0d05649f0d53772c192571486236b1905492bfc24bac"},"downloads":-1,"filename":"pip-22.2.1.tar.gz","has_sig":false,"md5_digest":"9f926ff7cf5518a6291347e2aed1a20a","packagetype":"sdist","python_version":"source","requires_python":">=3.7","size":2036264,"upload_time":"2022-07-27T17:28:32","upload_time_iso_8601":"2022-07-27T17:28:32.273213Z","url":"https://files.pythonhosted.org/packages/46/28/addd7e66bb3af799d35a5dcbb79407b591a7ed674f4efd2bd8f930c40821/pip-22.2.1.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the `hg clone` call (e.g. `--config`). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.","fixed_in":["23.3"],"id":"GHSA-mq26-g339-26xf","link":"https://osv.dev/vulnerability/GHSA-mq26-g339-26xf","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL  (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n","fixed_in":["23.3"],"id":"PYSEC-2023-228","link":"https://osv.dev/vulnerability/PYSEC-2023-228","source":"osv","summary":null,"withdrawn":null}]},"22.2.2":{"info":{"author":"The pip developers","author_email":"distutils-sig@python.org","bugtrack_url":null,"classifiers":["Development Status :: 5 - Production/Stable","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Programming Language :: Python","Programming Language :: Python :: 3","Programming Language :: Python :: 3 :: Only","Programming Language :: Python :: 3.10","Programming Language :: Python :: 3.11","Programming Language :: Python :: 3.7","Programming Language :: Python :: 3.8","Programming Language :: Python :: 3.9","Programming Language :: Python :: Implementation :: CPython","Programming Language :: Python :: Implementation :: PyPy","Topic :: Software Development :: Build Tools"],"description_content_type":"","docs_url":null,"download_url":"","downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"https://pip.pypa.io/","keywords":"","license":"MIT","maintainer":"","maintainer_email":"","name":"pip","package_url":"https://pypi.org/project/pip/","platform":null,"project_url":"https://pypi.org/project/pip/","project_urls":{"Changelog":"https://pip.pypa.io/en/stable/news/","Documentation":"https://pip.pypa.io","Homepage":"https://pip.pypa.io/","Source":"https://github.com/pypa/pip"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/22.2.2/","requires_dist":null,"requires_python":">=3.7","summary":"The PyPA recommended tool for installing Python packages.","version":"22.2.2","yanked":false,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"1f2cd9626f045e7b49a6225c6b09257861f24da78f4e5f23af2ddbdf852c99b8","md5":"038988c69df6729ac9a7380930ec68f3","sha256":"b61a374b5bc40a6e982426aede40c9b5a08ff20e640f5b56977f4f91fed1e39a"},"downloads":-1,"filename":"pip-22.2.2-py3-none-any.whl","has_sig":false,"md5_digest":"038988c69df6729ac9a7380930ec68f3","packagetype":"bdist_wheel","python_version":"py3","requires_python":">=3.7","size":2044706,"upload_time":"2022-08-03T18:56:21","upload_time_iso_8601":"2022-08-03T18:56:21.845282Z","url":"https://files.pythonhosted.org/packages/1f/2c/d9626f045e7b49a6225c6b09257861f24da78f4e5f23af2ddbdf852c99b8/pip-22.2.2-py3-none-any.whl","yanked":false,"yanked_reason":null},{"comment_text":"","digests":{"blake2b_256":"4b30e15b806597e67057e07a5acdc135216ccbf76a5f1681a324533b61066b0b","md5":"05bb8c0607721d171e9eecf22a8c5cc6","sha256":"3fd1929db052f056d7a998439176d3333fa1b3f6c1ad881de1885c0717608a4b"},"downloads":-1,"filename":"pip-22.2.2.tar.gz","has_sig":false,"md5_digest":"05bb8c0607721d171e9eecf22a8c5cc6","packagetype":"sdist","python_version":"source","requires_python":">=3.7","size":2036373,"upload_time":"2022-08-03T18:56:25","upload_time_iso_8601":"2022-08-03T18:56:25.739170Z","url":"https://files.pythonhosted.org/packages/4b/30/e15b806597e67057e07a5acdc135216ccbf76a5f1681a324533b61066b0b/pip-22.2.2.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the `hg clone` call (e.g. `--config`). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.","fixed_in":["23.3"],"id":"GHSA-mq26-g339-26xf","link":"https://osv.dev/vulnerability/GHSA-mq26-g339-26xf","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL  (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n","fixed_in":["23.3"],"id":"PYSEC-2023-228","link":"https://osv.dev/vulnerability/PYSEC-2023-228","source":"osv","summary":null,"withdrawn":null}]},"22.3":{"info":{"author":"The pip developers","author_email":"distutils-sig@python.org","bugtrack_url":null,"classifiers":["Development Status :: 5 - Production/Stable","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Programming Language :: Python","Programming Language :: Python :: 3","Programming Language :: Python :: 3 :: Only","Programming Language :: Python :: 3.10","Programming Language :: Python :: 3.11","Programming Language :: Python :: 3.7","Programming Language :: Python :: 3.8","Programming Language :: Python :: 3.9","Programming Language :: Python :: Implementation :: CPython","Programming Language :: Python :: Implementation :: PyPy","Topic :: Software Development :: Build Tools"],"description_content_type":"","docs_url":null,"download_url":"","downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"https://pip.pypa.io/","keywords":"","license":"MIT","maintainer":"","maintainer_email":"","name":"pip","package_url":"https://pypi.org/project/pip/","platform":null,"project_url":"https://pypi.org/project/pip/","project_urls":{"Changelog":"https://pip.pypa.io/en/stable/news/","Documentation":"https://pip.pypa.io","Homepage":"https://pip.pypa.io/","Source":"https://github.com/pypa/pip"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/22.3/","requires_dist":null,"requires_python":">=3.7","summary":"The PyPA recommended tool for installing Python packages.","version":"22.3","yanked":false,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"47ef8b5470b5b94b36231ed9c0bde90caa71c0d4322d4a15f009b2b7f4287fe0","md5":"6123dc5fc3483ebb12becce7faa4cd28","sha256":"1daab4b8d3b97d1d763caeb01a4640a2250a0ea899e257b1e44b9eded91e15ab"},"downloads":-1,"filename":"pip-22.3-py3-none-any.whl","has_sig":false,"md5_digest":"6123dc5fc3483ebb12becce7faa4cd28","packagetype":"bdist_wheel","python_version":"py3","requires_python":">=3.7","size":2051507,"upload_time":"2022-10-15T11:41:14","upload_time_iso_8601":"2022-10-15T11:41:14.898997Z","url":"https://files.pythonhosted.org/packages/47/ef/8b5470b5b94b36231ed9c0bde90caa71c0d4322d4a15f009b2b7f4287fe0/pip-22.3-py3-none-any.whl","yanked":false,"yanked_reason":null},{"comment_text":"","digests":{"blake2b_256":"f8087f92782ff571c7c7cb6c5eeb8ebbb1f68cb02bdb24e55c5de4dd9ce98bc3","md5":"f0dd02265e7ccd2f8758c840fba64810","sha256":"8182aec21dad6c0a49a2a3d121a87cd524b950e0b6092b181625f07ebdde7530"},"downloads":-1,"filename":"pip-22.3.tar.gz","has_sig":false,"md5_digest":"f0dd02265e7ccd2f8758c840fba64810","packagetype":"sdist","python_version":"source","requires_python":">=3.7","size":2077961,"upload_time":"2022-10-15T11:41:17","upload_time_iso_8601":"2022-10-15T11:41:17.359447Z","url":"https://files.pythonhosted.org/packages/f8/08/7f92782ff571c7c7cb6c5eeb8ebbb1f68cb02bdb24e55c5de4dd9ce98bc3/pip-22.3.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the `hg clone` call (e.g. `--config`). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.","fixed_in":["23.3"],"id":"GHSA-mq26-g339-26xf","link":"https://osv.dev/vulnerability/GHSA-mq26-g339-26xf","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL  (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n","fixed_in":["23.3"],"id":"PYSEC-2023-228","link":"https://osv.dev/vulnerability/PYSEC-2023-228","source":"osv","summary":null,"withdrawn":null}]},"22.3.1":{"info":{"author":"The pip developers","author_email":"distutils-sig@python.org","bugtrack_url":null,"classifiers":["Development Status :: 5 - Production/Stable","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Programming Language :: Python","Programming Language :: Python :: 3","Programming Language :: Python :: 3 :: Only","Programming Language :: Python :: 3.10","Programming Language :: Python :: 3.11","Programming Language :: Python :: 3.7","Programming Language :: Python :: 3.8","Programming Language :: Python :: 3.9","Programming Language :: Python :: Implementation :: CPython","Programming Language :: Python :: Implementation :: PyPy","Topic :: Software Development :: Build Tools"],"description_content_type":"","docs_url":null,"download_url":"","downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"https://pip.pypa.io/","keywords":"","license":"MIT","maintainer":"","maintainer_email":"","name":"pip","package_url":"https://pypi.org/project/pip/","platform":null,"project_url":"https://pypi.org/project/pip/","project_urls":{"Changelog":"https://pip.pypa.io/en/stable/news/","Documentation":"https://pip.pypa.io","Homepage":"https://pip.pypa.io/","Source":"https://github.com/pypa/pip"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/22.3.1/","requires_dist":null,"requires_python":">=3.7","summary":"The PyPA recommended tool for installing Python packages.","version":"22.3.1","yanked":false,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"09bd2410905c76ee14c62baf69e3f4aa780226c1bbfc9485731ad018e35b0cb5","md5":"74d0d338e0af6ca545d6ce7ef9734d75","sha256":"908c78e6bc29b676ede1c4d57981d490cb892eb45cd8c214ab6298125119e077"},"downloads":-1,"filename":"pip-22.3.1-py3-none-any.whl","has_sig":false,"md5_digest":"74d0d338e0af6ca545d6ce7ef9734d75","packagetype":"bdist_wheel","python_version":"py3","requires_python":">=3.7","size":2051534,"upload_time":"2022-11-05T15:56:17","upload_time_iso_8601":"2022-11-05T15:56:17.843954Z","url":"https://files.pythonhosted.org/packages/09/bd/2410905c76ee14c62baf69e3f4aa780226c1bbfc9485731ad018e35b0cb5/pip-22.3.1-py3-none-any.whl","yanked":false,"yanked_reason":null},{"comment_text":"","digests":{"blake2b_256":"a350c4d2727b99052780aad92c7297465af5fe6eec2dbae490aa9763273ffdc1","md5":"996f58a94fe0b8b82b6795c42bd171ba","sha256":"65fd48317359f3af8e593943e6ae1506b66325085ea64b706a998c6e83eeaf38"},"downloads":-1,"filename":"pip-22.3.1.tar.gz","has_sig":false,"md5_digest":"996f58a94fe0b8b82b6795c42bd171ba","packagetype":"sdist","python_version":"source","requires_python":">=3.7","size":2078129,"upload_time":"2022-11-05T15:56:20","upload_time_iso_8601":"2022-11-05T15:56:20.116404Z","url":"https://files.pythonhosted.org/packages/a3/50/c4d2727b99052780aad92c7297465af5fe6eec2dbae490aa9763273ffdc1/pip-22.3.1.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the `hg clone` call (e.g. `--config`). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.","fixed_in":["23.3"],"id":"GHSA-mq26-g339-26xf","link":"https://osv.dev/vulnerability/GHSA-mq26-g339-26xf","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL  (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n","fixed_in":["23.3"],"id":"PYSEC-2023-228","link":"https://osv.dev/vulnerability/PYSEC-2023-228","source":"osv","summary":null,"withdrawn":null}]},"23.0":{"info":{"author":"The pip developers","author_email":"distutils-sig@python.org","bugtrack_url":null,"classifiers":["Development Status :: 5 - Production/Stable","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Programming Language :: Python","Programming Language :: Python :: 3","Programming Language :: Python :: 3 :: Only","Programming Language :: Python :: 3.10","Programming Language :: Python :: 3.11","Programming Language :: Python :: 3.7","Programming Language :: Python :: 3.8","Programming Language :: Python :: 3.9","Programming Language :: Python :: Implementation :: CPython","Programming Language :: Python :: Implementation :: PyPy","Topic :: Software Development :: Build Tools"],"description_content_type":"","docs_url":null,"download_url":"","downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"https://pip.pypa.io/","keywords":"","license":"MIT","maintainer":"","maintainer_email":"","name":"pip","package_url":"https://pypi.org/project/pip/","platform":null,"project_url":"https://pypi.org/project/pip/","project_urls":{"Changelog":"https://pip.pypa.io/en/stable/news/","Documentation":"https://pip.pypa.io","Homepage":"https://pip.pypa.io/","Source":"https://github.com/pypa/pip"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/23.0/","requires_dist":null,"requires_python":">=3.7","summary":"The PyPA recommended tool for installing Python packages.","version":"23.0","yanked":false,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"ab43508c403c38eeaa5fc86516eb13bb470ce77601b6d2bbcdb16e26328d0a15","md5":"911a8561240e5b46c50b7e16834d42dd","sha256":"b5f88adff801f5ef052bcdef3daa31b55eb67b0fccd6d0106c206fa248e0463c"},"downloads":-1,"filename":"pip-23.0-py3-none-any.whl","has_sig":false,"md5_digest":"911a8561240e5b46c50b7e16834d42dd","packagetype":"bdist_wheel","python_version":"py3","requires_python":">=3.7","size":2056044,"upload_time":"2023-01-30T23:10:52","upload_time_iso_8601":"2023-01-30T23:10:52.804072Z","url":"https://files.pythonhosted.org/packages/ab/43/508c403c38eeaa5fc86516eb13bb470ce77601b6d2bbcdb16e26328d0a15/pip-23.0-py3-none-any.whl","yanked":false,"yanked_reason":null},{"comment_text":"","digests":{"blake2b_256":"b5165e24bf63cff51dcc169f43bd43b86b005c49941e09cc3482a5b370db239e","md5":"5d41b9679adae9362026b1753b543cb2","sha256":"aee438284e82c8def684b0bcc50b1f6ed5e941af97fa940e83e2e8ef1a59da9b"},"downloads":-1,"filename":"pip-23.0.tar.gz","has_sig":false,"md5_digest":"5d41b9679adae9362026b1753b543cb2","packagetype":"sdist","python_version":"source","requires_python":">=3.7","size":2082372,"upload_time":"2023-01-30T23:10:56","upload_time_iso_8601":"2023-01-30T23:10:56.760226Z","url":"https://files.pythonhosted.org/packages/b5/16/5e24bf63cff51dcc169f43bd43b86b005c49941e09cc3482a5b370db239e/pip-23.0.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the `hg clone` call (e.g. `--config`). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.","fixed_in":["23.3"],"id":"GHSA-mq26-g339-26xf","link":"https://osv.dev/vulnerability/GHSA-mq26-g339-26xf","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL  (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n","fixed_in":["23.3"],"id":"PYSEC-2023-228","link":"https://osv.dev/vulnerability/PYSEC-2023-228","source":"osv","summary":null,"withdrawn":null}]},"23.0.1":{"info":{"author":"The pip developers","author_email":"distutils-sig@python.org","bugtrack_url":null,"classifiers":["Development Status :: 5 - Production/Stable","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Programming Language :: Python","Programming Language :: Python :: 3","Programming Language :: Python :: 3 :: Only","Programming Language :: Python :: 3.10","Programming Language :: Python :: 3.11","Programming Language :: Python :: 3.7","Programming Language :: Python :: 3.8","Programming Language :: Python :: 3.9","Programming Language :: Python :: Implementation :: CPython","Programming Language :: Python :: Implementation :: PyPy","Topic :: Software Development :: Build Tools"],"description_content_type":"","docs_url":null,"download_url":"","downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"https://pip.pypa.io/","keywords":"","license":"MIT","maintainer":"","maintainer_email":"","name":"pip","package_url":"https://pypi.org/project/pip/","platform":null,"project_url":"https://pypi.org/project/pip/","project_urls":{"Changelog":"https://pip.pypa.io/en/stable/news/","Documentation":"https://pip.pypa.io","Homepage":"https://pip.pypa.io/","Source":"https://github.com/pypa/pip"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/23.0.1/","requires_dist":null,"requires_python":">=3.7","summary":"The PyPA recommended tool for installing Python packages.","version":"23.0.1","yanked":false,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"07512c0959c5adf988c44d9e1e0d940f5b074516ecc87e96b1af25f59de9ba38","md5":"83b53b599a1644afe7e76debe4a62bcc","sha256":"236bcb61156d76c4b8a05821b988c7b8c35bf0da28a4b614e8d6ab5212c25c6f"},"downloads":-1,"filename":"pip-23.0.1-py3-none-any.whl","has_sig":false,"md5_digest":"83b53b599a1644afe7e76debe4a62bcc","packagetype":"bdist_wheel","python_version":"py3","requires_python":">=3.7","size":2055563,"upload_time":"2023-02-17T18:31:51","upload_time_iso_8601":"2023-02-17T18:31:51.845190Z","url":"https://files.pythonhosted.org/packages/07/51/2c0959c5adf988c44d9e1e0d940f5b074516ecc87e96b1af25f59de9ba38/pip-23.0.1-py3-none-any.whl","yanked":false,"yanked_reason":null},{"comment_text":"","digests":{"blake2b_256":"6b8b0b16094553ecc680e43ded8f920c3873b01b1da79a54274c98f08cb29fca","md5":"f988022baba70f483744cc8c0e584010","sha256":"cd015ea1bfb0fcef59d8a286c1f8bebcb983f6317719d415dc5351efb7cd7024"},"downloads":-1,"filename":"pip-23.0.1.tar.gz","has_sig":false,"md5_digest":"f988022baba70f483744cc8c0e584010","packagetype":"sdist","python_version":"source","requires_python":">=3.7","size":2082217,"upload_time":"2023-02-17T18:31:56","upload_time_iso_8601":"2023-02-17T18:31:56.437559Z","url":"https://files.pythonhosted.org/packages/6b/8b/0b16094553ecc680e43ded8f920c3873b01b1da79a54274c98f08cb29fca/pip-23.0.1.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the `hg clone` call (e.g. `--config`). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.","fixed_in":["23.3"],"id":"GHSA-mq26-g339-26xf","link":"https://osv.dev/vulnerability/GHSA-mq26-g339-26xf","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL  (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n","fixed_in":["23.3"],"id":"PYSEC-2023-228","link":"https://osv.dev/vulnerability/PYSEC-2023-228","source":"osv","summary":null,"withdrawn":null}]},"23.1":{"info":{"author":"The pip developers","author_email":"distutils-sig@python.org","bugtrack_url":null,"classifiers":["Development Status :: 5 - Production/Stable","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Programming Language :: Python","Programming Language :: Python :: 3","Programming Language :: Python :: 3 :: Only","Programming Language :: Python :: 3.10","Programming Language :: Python :: 3.11","Programming Language :: Python :: 3.7","Programming Language :: Python :: 3.8","Programming Language :: Python :: 3.9","Programming Language :: Python :: Implementation :: CPython","Programming Language :: Python :: Implementation :: PyPy","Topic :: Software Development :: Build Tools"],"description_content_type":"","docs_url":null,"download_url":"","downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"https://pip.pypa.io/","keywords":"","license":"MIT","maintainer":"","maintainer_email":"","name":"pip","package_url":"https://pypi.org/project/pip/","platform":null,"project_url":"https://pypi.org/project/pip/","project_urls":{"Changelog":"https://pip.pypa.io/en/stable/news/","Documentation":"https://pip.pypa.io","Homepage":"https://pip.pypa.io/","Source":"https://github.com/pypa/pip"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/23.1/","requires_dist":null,"requires_python":">=3.7","summary":"The PyPA recommended tool for installing Python packages.","version":"23.1","yanked":false,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"aedba8821cdac455a1740580c92de3ed7b7f257cfdbad8b1ba8864e6abe58a08","md5":"dea8a29f0029b31db3325078023bfaaf","sha256":"64b1d4528e491aa835ec6ece0c1ac40ce6ab6d886e60740f6519db44b2e9634d"},"downloads":-1,"filename":"pip-23.1-py3-none-any.whl","has_sig":false,"md5_digest":"dea8a29f0029b31db3325078023bfaaf","packagetype":"bdist_wheel","python_version":"py3","requires_python":">=3.7","size":2064542,"upload_time":"2023-04-15T10:52:52","upload_time_iso_8601":"2023-04-15T10:52:52.618235Z","url":"https://files.pythonhosted.org/packages/ae/db/a8821cdac455a1740580c92de3ed7b7f257cfdbad8b1ba8864e6abe58a08/pip-23.1-py3-none-any.whl","yanked":false,"yanked_reason":null},{"comment_text":"","digests":{"blake2b_256":"dabf1bdbe62f5fbde085351693e3a8e387a59f8220932b911b1719fe65efa2d7","md5":"b730fe00a3d43fa86e67472ad9d1de4d","sha256":"408539897ee535dbfb83a153f7bc4d620f990d8bd44a52a986efc0b4d330d34a"},"downloads":-1,"filename":"pip-23.1.tar.gz","has_sig":false,"md5_digest":"b730fe00a3d43fa86e67472ad9d1de4d","packagetype":"sdist","python_version":"source","requires_python":">=3.7","size":2087572,"upload_time":"2023-04-15T10:52:54","upload_time_iso_8601":"2023-04-15T10:52:54.763669Z","url":"https://files.pythonhosted.org/packages/da/bf/1bdbe62f5fbde085351693e3a8e387a59f8220932b911b1719fe65efa2d7/pip-23.1.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the `hg clone` call (e.g. `--config`). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.","fixed_in":["23.3"],"id":"GHSA-mq26-g339-26xf","link":"https://osv.dev/vulnerability/GHSA-mq26-g339-26xf","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL  (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n","fixed_in":["23.3"],"id":"PYSEC-2023-228","link":"https://osv.dev/vulnerability/PYSEC-2023-228","source":"osv","summary":null,"withdrawn":null}]},"23.1.1":{"info":{"author":"The pip developers","author_email":"distutils-sig@python.org","bugtrack_url":null,"classifiers":["Development Status :: 5 - Production/Stable","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Programming Language :: Python","Programming Language :: Python :: 3","Programming Language :: Python :: 3 :: Only","Programming Language :: Python :: 3.10","Programming Language :: Python :: 3.11","Programming Language :: Python :: 3.7","Programming Language :: Python :: 3.8","Programming Language :: Python :: 3.9","Programming Language :: Python :: Implementation :: CPython","Programming Language :: Python :: Implementation :: PyPy","Topic :: Software Development :: Build Tools"],"description_content_type":"","docs_url":null,"download_url":"","downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"https://pip.pypa.io/","keywords":"","license":"MIT","maintainer":"","maintainer_email":"","name":"pip","package_url":"https://pypi.org/project/pip/","platform":null,"project_url":"https://pypi.org/project/pip/","project_urls":{"Changelog":"https://pip.pypa.io/en/stable/news/","Documentation":"https://pip.pypa.io","Homepage":"https://pip.pypa.io/","Source":"https://github.com/pypa/pip"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/23.1.1/","requires_dist":null,"requires_python":">=3.7","summary":"The PyPA recommended tool for installing Python packages.","version":"23.1.1","yanked":false,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"f8f817bd3f7c13515523d811ce4104410c16c03e3c6830f9276612e2f4b28382","md5":"869acc5f2bc85b78d0b6b82940a6afb8","sha256":"3d8d72fa0714e93c9d3c2a0ede91e898c64596e0fa7d4523f72dd95728efc418"},"downloads":-1,"filename":"pip-23.1.1-py3-none-any.whl","has_sig":false,"md5_digest":"869acc5f2bc85b78d0b6b82940a6afb8","packagetype":"bdist_wheel","python_version":"py3","requires_python":">=3.7","size":2064386,"upload_time":"2023-04-22T09:22:13","upload_time_iso_8601":"2023-04-22T09:22:13.255056Z","url":"https://files.pythonhosted.org/packages/f8/f8/17bd3f7c13515523d811ce4104410c16c03e3c6830f9276612e2f4b28382/pip-23.1.1-py3-none-any.whl","yanked":false,"yanked_reason":null},{"comment_text":"","digests":{"blake2b_256":"437d1f52f99a7f2eae870483b2c2a3064511487de87911bce146df8a154fbe81","md5":"3b5a00bdafd87c55332b16fb3764bd94","sha256":"c95b53d309f903f33dfe5fd37e502a5c3a05ee3454d518e45df522a4f091b728"},"downloads":-1,"filename":"pip-23.1.1.tar.gz","has_sig":false,"md5_digest":"3b5a00bdafd87c55332b16fb3764bd94","packagetype":"sdist","python_version":"source","requires_python":">=3.7","size":2087384,"upload_time":"2023-04-22T09:22:16","upload_time_iso_8601":"2023-04-22T09:22:16.221224Z","url":"https://files.pythonhosted.org/packages/43/7d/1f52f99a7f2eae870483b2c2a3064511487de87911bce146df8a154fbe81/pip-23.1.1.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the `hg clone` call (e.g. `--config`). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.","fixed_in":["23.3"],"id":"GHSA-mq26-g339-26xf","link":"https://osv.dev/vulnerability/GHSA-mq26-g339-26xf","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL  (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n","fixed_in":["23.3"],"id":"PYSEC-2023-228","link":"https://osv.dev/vulnerability/PYSEC-2023-228","source":"osv","summary":null,"withdrawn":null}]},"23.1.2":{"info":{"author":"The pip developers","author_email":"distutils-sig@python.org","bugtrack_url":null,"classifiers":["Development Status :: 5 - Production/Stable","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Programming Language :: Python","Programming Language :: Python :: 3","Programming Language :: Python :: 3 :: Only","Programming Language :: Python :: 3.10","Programming Language :: Python :: 3.11","Programming Language :: Python :: 3.7","Programming Language :: Python :: 3.8","Programming Language :: Python :: 3.9","Programming Language :: Python :: Implementation :: CPython","Programming Language :: Python :: Implementation :: PyPy","Topic :: Software Development :: Build Tools"],"description_content_type":"","docs_url":null,"download_url":"","downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"https://pip.pypa.io/","keywords":"","license":"MIT","maintainer":"","maintainer_email":"","name":"pip","package_url":"https://pypi.org/project/pip/","platform":null,"project_url":"https://pypi.org/project/pip/","project_urls":{"Changelog":"https://pip.pypa.io/en/stable/news/","Documentation":"https://pip.pypa.io","Homepage":"https://pip.pypa.io/","Source":"https://github.com/pypa/pip"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/23.1.2/","requires_dist":null,"requires_python":">=3.7","summary":"The PyPA recommended tool for installing Python packages.","version":"23.1.2","yanked":false,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"08e357d4c24a050aa0bcca46b2920bff40847db79535dc78141eb83581a52eb8","md5":"58deb0635a7d5f57ec2d516ad7c69dd5","sha256":"3ef6ac33239e4027d9a5598a381b9d30880a1477e50039db2eac6e8a8f6d1b18"},"downloads":-1,"filename":"pip-23.1.2-py3-none-any.whl","has_sig":false,"md5_digest":"58deb0635a7d5f57ec2d516ad7c69dd5","packagetype":"bdist_wheel","python_version":"py3","requires_python":">=3.7","size":2064688,"upload_time":"2023-04-26T09:23:27","upload_time_iso_8601":"2023-04-26T09:23:27.085033Z","url":"https://files.pythonhosted.org/packages/08/e3/57d4c24a050aa0bcca46b2920bff40847db79535dc78141eb83581a52eb8/pip-23.1.2-py3-none-any.whl","yanked":false,"yanked_reason":null},{"comment_text":"","digests":{"blake2b_256":"faee74ff76da0ab649eec7581233daeb43d8aa35383d8f75317b2ab3b80c922f","md5":"dd899cacab913941c48f728ef596dafe","sha256":"0e7c86f486935893c708287b30bd050a36ac827ec7fe5e43fe7cb198dd835fba"},"downloads":-1,"filename":"pip-23.1.2.tar.gz","has_sig":false,"md5_digest":"dd899cacab913941c48f728ef596dafe","packagetype":"sdist","python_version":"source","requires_python":">=3.7","size":2087568,"upload_time":"2023-04-26T09:23:29","upload_time_iso_8601":"2023-04-26T09:23:29.701678Z","url":"https://files.pythonhosted.org/packages/fa/ee/74ff76da0ab649eec7581233daeb43d8aa35383d8f75317b2ab3b80c922f/pip-23.1.2.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the `hg clone` call (e.g. `--config`). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.","fixed_in":["23.3"],"id":"GHSA-mq26-g339-26xf","link":"https://osv.dev/vulnerability/GHSA-mq26-g339-26xf","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL  (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n","fixed_in":["23.3"],"id":"PYSEC-2023-228","link":"https://osv.dev/vulnerability/PYSEC-2023-228","source":"osv","summary":null,"withdrawn":null}]},"23.2":{"info":{"author":"The pip developers","author_email":"distutils-sig@python.org","bugtrack_url":null,"classifiers":["Development Status :: 5 - Production/Stable","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Programming Language :: Python","Programming Language :: Python :: 3","Programming Language :: Python :: 3 :: Only","Programming Language :: Python :: 3.10","Programming Language :: Python :: 3.11","Programming Language :: Python :: 3.12","Programming Language :: Python :: 3.7","Programming Language :: Python :: 3.8","Programming Language :: Python :: 3.9","Programming Language :: Python :: Implementation :: CPython","Programming Language :: Python :: Implementation :: PyPy","Topic :: Software Development :: Build Tools"],"description_content_type":"","docs_url":null,"download_url":"","downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"https://pip.pypa.io/","keywords":"","license":"MIT","maintainer":"","maintainer_email":"","name":"pip","package_url":"https://pypi.org/project/pip/","platform":null,"project_url":"https://pypi.org/project/pip/","project_urls":{"Changelog":"https://pip.pypa.io/en/stable/news/","Documentation":"https://pip.pypa.io","Homepage":"https://pip.pypa.io/","Source":"https://github.com/pypa/pip"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/23.2/","requires_dist":null,"requires_python":">=3.7","summary":"The PyPA recommended tool for installing Python packages.","version":"23.2","yanked":false,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"0265f15431ddee78562355ccb39097bf9160a1689f2db40dc418754be98806a1","md5":"ebcdc6915c1620ac1d7e30a0f866a1c9","sha256":"78e5353a9dda374b462f2054f83a7b63f3f065c98236a68361845c1b0ee7e35f"},"downloads":-1,"filename":"pip-23.2-py3-none-any.whl","has_sig":false,"md5_digest":"ebcdc6915c1620ac1d7e30a0f866a1c9","packagetype":"bdist_wheel","python_version":"py3","requires_python":">=3.7","size":2085968,"upload_time":"2023-07-15T09:48:20","upload_time_iso_8601":"2023-07-15T09:48:20.980926Z","url":"https://files.pythonhosted.org/packages/02/65/f15431ddee78562355ccb39097bf9160a1689f2db40dc418754be98806a1/pip-23.2-py3-none-any.whl","yanked":false,"yanked_reason":null},{"comment_text":"","digests":{"blake2b_256":"3dab21fa8d1ecf5648559f056fda732b0f9fca0585eb2688252e67f70e74deaf","md5":"9e2676a0113612e58e6f9c0f268f82ee","sha256":"a160a170f3331d9ca1a0247eb1cd79c758879f1f81158f9cd05bbb5df80bea5c"},"downloads":-1,"filename":"pip-23.2.tar.gz","has_sig":false,"md5_digest":"9e2676a0113612e58e6f9c0f268f82ee","packagetype":"sdist","python_version":"source","requires_python":">=3.7","size":2109011,"upload_time":"2023-07-15T09:48:23","upload_time_iso_8601":"2023-07-15T09:48:23.560233Z","url":"https://files.pythonhosted.org/packages/3d/ab/21fa8d1ecf5648559f056fda732b0f9fca0585eb2688252e67f70e74deaf/pip-23.2.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the `hg clone` call (e.g. `--config`). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.","fixed_in":["23.3"],"id":"GHSA-mq26-g339-26xf","link":"https://osv.dev/vulnerability/GHSA-mq26-g339-26xf","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL  (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n","fixed_in":["23.3"],"id":"PYSEC-2023-228","link":"https://osv.dev/vulnerability/PYSEC-2023-228","source":"osv","summary":null,"withdrawn":null}]},"23.2.1":{"info":{"author":"The pip developers","author_email":"distutils-sig@python.org","bugtrack_url":null,"classifiers":["Development Status :: 5 - Production/Stable","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Programming Language :: Python","Programming Language :: Python :: 3","Programming Language :: Python :: 3 :: Only","Programming Language :: Python :: 3.10","Programming Language :: Python :: 3.11","Programming Language :: Python :: 3.12","Programming Language :: Python :: 3.7","Programming Language :: Python :: 3.8","Programming Language :: Python :: 3.9","Programming Language :: Python :: Implementation :: CPython","Programming Language :: Python :: Implementation :: PyPy","Topic :: Software Development :: Build Tools"],"description_content_type":"","docs_url":null,"download_url":"","downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"https://pip.pypa.io/","keywords":"","license":"MIT","maintainer":"","maintainer_email":"","name":"pip","package_url":"https://pypi.org/project/pip/","platform":null,"project_url":"https://pypi.org/project/pip/","project_urls":{"Changelog":"https://pip.pypa.io/en/stable/news/","Documentation":"https://pip.pypa.io","Homepage":"https://pip.pypa.io/","Source":"https://github.com/pypa/pip"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/23.2.1/","requires_dist":null,"requires_python":">=3.7","summary":"The PyPA recommended tool for installing Python packages.","version":"23.2.1","yanked":false,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"50c2e06851e8cc28dcad7c155f4753da8833ac06a5c704c109313b8d5a62968a","md5":"371ebd0103cfa878280c2c615b0f80b8","sha256":"7ccf472345f20d35bdc9d1841ff5f313260c2c33fe417f48c30ac46cccabf5be"},"downloads":-1,"filename":"pip-23.2.1-py3-none-any.whl","has_sig":false,"md5_digest":"371ebd0103cfa878280c2c615b0f80b8","packagetype":"bdist_wheel","python_version":"py3","requires_python":">=3.7","size":2086091,"upload_time":"2023-07-22T09:17:31","upload_time_iso_8601":"2023-07-22T09:17:31.548131Z","url":"https://files.pythonhosted.org/packages/50/c2/e06851e8cc28dcad7c155f4753da8833ac06a5c704c109313b8d5a62968a/pip-23.2.1-py3-none-any.whl","yanked":false,"yanked_reason":null},{"comment_text":"","digests":{"blake2b_256":"ba19e63fb4e0d20e48bd2167bb7e857abc0e21679e24805ba921a224df8977c0","md5":"e9b1226701a56ee3fcc81aba60d25d75","sha256":"fb0bd5435b3200c602b5bf61d2d43c2f13c02e29c1707567ae7fbc514eb9faf2"},"downloads":-1,"filename":"pip-23.2.1.tar.gz","has_sig":false,"md5_digest":"e9b1226701a56ee3fcc81aba60d25d75","packagetype":"sdist","python_version":"source","requires_python":">=3.7","size":2109449,"upload_time":"2023-07-22T09:17:34","upload_time_iso_8601":"2023-07-22T09:17:34.056091Z","url":"https://files.pythonhosted.org/packages/ba/19/e63fb4e0d20e48bd2167bb7e857abc0e21679e24805ba921a224df8977c0/pip-23.2.1.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the `hg clone` call (e.g. `--config`). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.","fixed_in":["23.3"],"id":"GHSA-mq26-g339-26xf","link":"https://osv.dev/vulnerability/GHSA-mq26-g339-26xf","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL  (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n","fixed_in":["23.3"],"id":"PYSEC-2023-228","link":"https://osv.dev/vulnerability/PYSEC-2023-228","source":"osv","summary":null,"withdrawn":null}]},"23.3":{"info":{"author":"The pip developers","author_email":"distutils-sig@python.org","bugtrack_url":null,"classifiers":["Development Status :: 5 - Production/Stable","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Programming Language :: Python","Programming Language :: Python :: 3","Programming Language :: Python :: 3 :: Only","Programming Language :: Python :: 3.10","Programming Language :: Python :: 3.11","Programming Language :: Python :: 3.12","Programming Language :: Python :: 3.7","Programming Language :: Python :: 3.8","Programming Language :: Python :: 3.9","Programming Language :: Python :: Implementation :: CPython","Programming Language :: Python :: Implementation :: PyPy","Topic :: Software Development :: Build Tools"],"description_content_type":"","docs_url":null,"download_url":"","downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"https://pip.pypa.io/","keywords":"","license":"MIT","maintainer":"","maintainer_email":"","name":"pip","package_url":"https://pypi.org/project/pip/","platform":null,"project_url":"https://pypi.org/project/pip/","project_urls":{"Changelog":"https://pip.pypa.io/en/stable/news/","Documentation":"https://pip.pypa.io","Homepage":"https://pip.pypa.io/","Source":"https://github.com/pypa/pip"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/23.3/","requires_dist":null,"requires_python":">=3.7","summary":"The PyPA recommended tool for installing Python packages.","version":"23.3","yanked":false,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"e063b428aaca15fcd98c39b07ca7149e24bc14205ad0f1c80ba2b01835aedde1","md5":"41b6ff55d99f12e07fc084619944ebb2","sha256":"bc38bb52bc286514f8f7cb3a1ba5ed100b76aaef29b521d48574329331c5ae7b"},"downloads":-1,"filename":"pip-23.3-py3-none-any.whl","has_sig":false,"md5_digest":"41b6ff55d99f12e07fc084619944ebb2","packagetype":"bdist_wheel","python_version":"py3","requires_python":">=3.7","size":2106643,"upload_time":"2023-10-15T16:24:10","upload_time_iso_8601":"2023-10-15T16:24:10.166878Z","url":"https://files.pythonhosted.org/packages/e0/63/b428aaca15fcd98c39b07ca7149e24bc14205ad0f1c80ba2b01835aedde1/pip-23.3-py3-none-any.whl","yanked":false,"yanked_reason":null},{"comment_text":"","digests":{"blake2b_256":"0df607ef4561bb911285c229fa46ed3df1877bd6c5325c4c67d516560d59a6e6","md5":"a7e5f9021201103c5f273806b9500ffd","sha256":"bb7d4f69f488432e4e96394612f43ab43dd478d073ef7422604a570f7157561e"},"downloads":-1,"filename":"pip-23.3.tar.gz","has_sig":false,"md5_digest":"a7e5f9021201103c5f273806b9500ffd","packagetype":"sdist","python_version":"source","requires_python":">=3.7","size":2131482,"upload_time":"2023-10-15T16:24:13","upload_time_iso_8601":"2023-10-15T16:24:13.549600Z","url":"https://files.pythonhosted.org/packages/0d/f6/07ef4561bb911285c229fa46ed3df1877bd6c5325c4c67d516560d59a6e6/pip-23.3.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[]},"23.3.1":{"info":{"author":"The pip developers","author_email":"distutils-sig@python.org","bugtrack_url":null,"classifiers":["Development Status :: 5 - Production/Stable","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Programming Language :: Python","Programming Language :: Python :: 3","Programming Language :: Python :: 3 :: Only","Programming Language :: Python :: 3.10","Programming Language :: Python :: 3.11","Programming Language :: Python :: 3.12","Programming Language :: Python :: 3.7","Programming Language :: Python :: 3.8","Programming Language :: Python :: 3.9","Programming Language :: Python :: Implementation :: CPython","Programming Language :: Python :: Implementation :: PyPy","Topic :: Software Development :: Build Tools"],"description_content_type":"","docs_url":null,"download_url":"","downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"https://pip.pypa.io/","keywords":"","license":"MIT","maintainer":"","maintainer_email":"","name":"pip","package_url":"https://pypi.org/project/pip/","platform":null,"project_url":"https://pypi.org/project/pip/","project_urls":{"Changelog":"https://pip.pypa.io/en/stable/news/","Documentation":"https://pip.pypa.io","Homepage":"https://pip.pypa.io/","Source":"https://github.com/pypa/pip"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/23.3.1/","requires_dist":null,"requires_python":">=3.7","summary":"The PyPA recommended tool for installing Python packages.","version":"23.3.1","yanked":false,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"476a453160888fab7c6a432a6e25f8afe6256d0d9f2cbd25971021da6491d899","md5":"5d2d058044a3ae2800d18e358ddc72ca","sha256":"55eb67bb6171d37447e82213be585b75fe2b12b359e993773aca4de9247a052b"},"downloads":-1,"filename":"pip-23.3.1-py3-none-any.whl","has_sig":false,"md5_digest":"5d2d058044a3ae2800d18e358ddc72ca","packagetype":"bdist_wheel","python_version":"py3","requires_python":">=3.7","size":2107242,"upload_time":"2023-10-21T11:10:25","upload_time_iso_8601":"2023-10-21T11:10:25.038576Z","url":"https://files.pythonhosted.org/packages/47/6a/453160888fab7c6a432a6e25f8afe6256d0d9f2cbd25971021da6491d899/pip-23.3.1-py3-none-any.whl","yanked":false,"yanked_reason":null},{"comment_text":"","digests":{"blake2b_256":"1f7f4da15e07ccd11c84c1ccc8f6e24288d5e76c99441bf80e315b33542db951","md5":"f0c9fba61e9d9badcc9921062e993d84","sha256":"1fcaa041308d01f14575f6d0d2ea4b75a3e2871fe4f9c694976f908768e14174"},"downloads":-1,"filename":"pip-23.3.1.tar.gz","has_sig":false,"md5_digest":"f0c9fba61e9d9badcc9921062e993d84","packagetype":"sdist","python_version":"source","requires_python":">=3.7","size":2132086,"upload_time":"2023-10-21T11:10:27","upload_time_iso_8601":"2023-10-21T11:10:27.989450Z","url":"https://files.pythonhosted.org/packages/1f/7f/4da15e07ccd11c84c1ccc8f6e24288d5e76c99441bf80e315b33542db951/pip-23.3.1.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[]},"23.3.2":{"info":{"author":"The pip developers","author_email":"distutils-sig@python.org","bugtrack_url":null,"classifiers":["Development Status :: 5 - Production/Stable","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Programming Language :: Python","Programming Language :: Python :: 3","Programming Language :: Python :: 3 :: Only","Programming Language :: Python :: 3.10","Programming Language :: Python :: 3.11","Programming Language :: Python :: 3.12","Programming Language :: Python :: 3.7","Programming Language :: Python :: 3.8","Programming Language :: Python :: 3.9","Programming Language :: Python :: Implementation :: CPython","Programming Language :: Python :: Implementation :: PyPy","Topic :: Software Development :: Build Tools"],"description_content_type":"","docs_url":null,"download_url":"","downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"https://pip.pypa.io/","keywords":"","license":"MIT","maintainer":"","maintainer_email":"","name":"pip","package_url":"https://pypi.org/project/pip/","platform":null,"project_url":"https://pypi.org/project/pip/","project_urls":{"Changelog":"https://pip.pypa.io/en/stable/news/","Documentation":"https://pip.pypa.io","Homepage":"https://pip.pypa.io/","Source":"https://github.com/pypa/pip"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/23.3.2/","requires_dist":null,"requires_python":">=3.7","summary":"The PyPA recommended tool for installing Python packages.","version":"23.3.2","yanked":false,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"15aa3f4c7bcee2057a76562a5b33ecbd199be08cdb4443a02e26bd2c3cf6fc39","md5":"c98c21d96fb96b82756dd827438a32c7","sha256":"5052d7889c1f9d05224cd41741acb7c5d6fa735ab34e339624a614eaaa7e7d76"},"downloads":-1,"filename":"pip-23.3.2-py3-none-any.whl","has_sig":false,"md5_digest":"c98c21d96fb96b82756dd827438a32c7","packagetype":"bdist_wheel","python_version":"py3","requires_python":">=3.7","size":2109393,"upload_time":"2023-12-17T13:05:02","upload_time_iso_8601":"2023-12-17T13:05:02.424947Z","url":"https://files.pythonhosted.org/packages/15/aa/3f4c7bcee2057a76562a5b33ecbd199be08cdb4443a02e26bd2c3cf6fc39/pip-23.3.2-py3-none-any.whl","yanked":false,"yanked_reason":null},{"comment_text":"","digests":{"blake2b_256":"b7066b1ad0ae8f97d7a0d6f6ad640db10780578999e647a9593512ceb6f06469","md5":"38dd5f7ab301167df063405c7fc16c84","sha256":"7fd9972f96db22c8077a1ee2691b172c8089b17a5652a44494a9ecb0d78f9149"},"downloads":-1,"filename":"pip-23.3.2.tar.gz","has_sig":false,"md5_digest":"38dd5f7ab301167df063405c7fc16c84","packagetype":"sdist","python_version":"source","requires_python":">=3.7","size":2132244,"upload_time":"2023-12-17T13:05:07","upload_time_iso_8601":"2023-12-17T13:05:07.339911Z","url":"https://files.pythonhosted.org/packages/b7/06/6b1ad0ae8f97d7a0d6f6ad640db10780578999e647a9593512ceb6f06469/pip-23.3.2.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[]},"24.0":{"info":{"author":"","author_email":"The pip developers <distutils-sig@python.org>","bugtrack_url":null,"classifiers":["Development Status :: 5 - Production/Stable","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Programming Language :: Python","Programming Language :: Python :: 3","Programming Language :: Python :: 3 :: Only","Programming Language :: Python :: 3.10","Programming Language :: Python :: 3.11","Programming Language :: Python :: 3.12","Programming Language :: Python :: 3.7","Programming Language :: Python :: 3.8","Programming Language :: Python :: 3.9","Programming Language :: Python :: Implementation :: CPython","Programming Language :: Python :: Implementation :: PyPy","Topic :: Software Development :: Build Tools"],"description_content_type":"text/x-rst","docs_url":null,"download_url":"","downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"","keywords":"","license":"MIT","maintainer":"","maintainer_email":"","name":"pip","package_url":"https://pypi.org/project/pip/","platform":null,"project_url":"https://pypi.org/project/pip/","project_urls":{"Changelog":"https://pip.pypa.io/en/stable/news/","Documentation":"https://pip.pypa.io","Homepage":"https://pip.pypa.io/","Source":"https://github.com/pypa/pip"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/24.0/","requires_dist":null,"requires_python":">=3.7","summary":"The PyPA recommended tool for installing Python packages.","version":"24.0","yanked":false,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"8a6a19e9fe04fca059ccf770861c7d5721ab4c2aebc539889e97c7977528a53b","md5":"74e3c5e4082113b1239ca0e9abfd1e82","sha256":"ba0d021a166865d2265246961bec0152ff124de910c5cc39f1156ce3fa7c69dc"},"downloads":-1,"filename":"pip-24.0-py3-none-any.whl","has_sig":false,"md5_digest":"74e3c5e4082113b1239ca0e9abfd1e82","packagetype":"bdist_wheel","python_version":"py3","requires_python":">=3.7","size":2110226,"upload_time":"2024-02-03T09:53:09","upload_time_iso_8601":"2024-02-03T09:53:09.575683Z","url":"https://files.pythonhosted.org/packages/8a/6a/19e9fe04fca059ccf770861c7d5721ab4c2aebc539889e97c7977528a53b/pip-24.0-py3-none-any.whl","yanked":false,"yanked_reason":null},{"comment_text":"","digests":{"blake2b_256":"94596638090c25e9bc4ce0c42817b5a234e183872a1129735a9330c472cc2056","md5":"1331aabb4d1a2677f493effeebda3605","sha256":"ea9bd1a847e8c5774a5777bb398c19e80bcd4e2aa16a4b301b718fe6f593aba2"},"downloads":-1,"filename":"pip-24.0.tar.gz","has_sig":false,"md5_digest":"1331aabb4d1a2677f493effeebda3605","packagetype":"sdist","python_version":"source","requires_python":">=3.7","size":2132709,"upload_time":"2024-02-03T09:53:18","upload_time_iso_8601":"2024-02-03T09:53:18.999959Z","url":"https://files.pythonhosted.org/packages/94/59/6638090c25e9bc4ce0c42817b5a234e183872a1129735a9330c472cc2056/pip-24.0.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[]},"24.1b1":{"info":{"author":null,"author_email":"The pip developers <distutils-sig@python.org>","bugtrack_url":null,"classifiers":["Development Status :: 5 - Production/Stable","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Programming Language :: Python","Programming Language :: Python :: 3","Programming Language :: Python :: 3 :: Only","Programming Language :: Python :: 3.10","Programming Language :: Python :: 3.11","Programming Language :: Python :: 3.12","Programming Language :: Python :: 3.8","Programming Language :: Python :: 3.9","Programming Language :: Python :: Implementation :: CPython","Programming Language :: Python :: Implementation :: PyPy","Topic :: Software Development :: Build Tools"],"description_content_type":"text/x-rst","docs_url":null,"download_url":null,"downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":null,"keywords":null,"license":"MIT","maintainer":null,"maintainer_email":null,"name":"pip","package_url":"https://pypi.org/project/pip/","platform":null,"project_url":"https://pypi.org/project/pip/","project_urls":{"Changelog":"https://pip.pypa.io/en/stable/news/","Documentation":"https://pip.pypa.io","Homepage":"https://pip.pypa.io/","Source":"https://github.com/pypa/pip"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/24.1b1/","requires_dist":null,"requires_python":">=3.8","summary":"The PyPA recommended tool for installing Python packages.","version":"24.1b1","yanked":false,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"1e6522725f8ba583376d0c300c3b9b52b9a67cfd93d786a80be73c167e45abc8","md5":"2dc5976f2fabb09e443dbeecd7a860e3","sha256":"752516cffafef5cf29d3fb2f06c978f27e98709654689cf277b2fce984c7a591"},"downloads":-1,"filename":"pip-24.1b1-py3-none-any.whl","has_sig":false,"md5_digest":"2dc5976f2fabb09e443dbeecd7a860e3","packagetype":"bdist_wheel","python_version":"py3","requires_python":">=3.8","size":1891289,"upload_time":"2024-05-06T20:49:04","upload_time_iso_8601":"2024-05-06T20:49:04.753442Z","url":"https://files.pythonhosted.org/packages/1e/65/22725f8ba583376d0c300c3b9b52b9a67cfd93d786a80be73c167e45abc8/pip-24.1b1-py3-none-any.whl","yanked":false,"yanked_reason":null},{"comment_text":"","digests":{"blake2b_256":"7138b0cb3d68b4776b6208a2f16b6d444a848a1fe465a78ce4b7dbbeb8a4fc58","md5":"9f209db387bc4ea13469fcdea658b320","sha256":"a9bd4c037d72325b4e903ec3f383263deea3eb73cd01db7a844edd026fc68afe"},"downloads":-1,"filename":"pip-24.1b1.tar.gz","has_sig":false,"md5_digest":"9f209db387bc4ea13469fcdea658b320","packagetype":"sdist","python_version":"source","requires_python":">=3.8","size":1986051,"upload_time":"2024-05-06T20:49:10","upload_time_iso_8601":"2024-05-06T20:49:10.123215Z","url":"https://files.pythonhosted.org/packages/71/38/b0cb3d68b4776b6208a2f16b6d444a848a1fe465a78ce4b7dbbeb8a4fc58/pip-24.1b1.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[]},"6.0":{"info":{"author":"The pip developers","author_email":"python-virtualenv@groups.google.com","bugtrack_url":null,"classifiers":["Development Status :: 5 - Production/Stable","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Programming Language :: Python :: 2","Programming Language :: Python :: 2.6","Programming Language :: Python :: 2.7","Programming Language :: Python :: 3","Programming Language :: Python :: 3.2","Programming Language :: Python :: 3.3","Programming Language :: Python :: 3.4","Programming Language :: Python :: Implementation :: PyPy","Topic :: Software Development :: Build Tools"],"description_content_type":null,"docs_url":null,"download_url":null,"downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"https://pip.pypa.io/","keywords":"easy_install distutils setuptools egg virtualenv","license":"MIT","maintainer":null,"maintainer_email":null,"name":"pip","package_url":"https://pypi.org/project/pip/","platform":"UNKNOWN","project_url":"https://pypi.org/project/pip/","project_urls":{"Homepage":"https://pip.pypa.io/"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/6.0/","requires_dist":["pytest; extra == 'testing'","virtualenv (>=1.10); extra == 'testing'","scripttest (>=1.3); extra == 'testing'","mock; extra == 'testing'"],"requires_python":null,"summary":"The PyPA recommended tool for installing Python packages.","version":"6.0","yanked":false,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"dc7c21191b5944b917b66e4e4e06d74f668d814b6e8a3ff7acd874479b6f6b3d","md5":"cc846e237fb69f98883550663da1dbc3","sha256":"5ec6732505bd8be49fe1f8ad557b88253ffb085736396df4d6bea753fc2a8f2c"},"downloads":-1,"filename":"pip-6.0-py2.py3-none-any.whl","has_sig":false,"md5_digest":"cc846e237fb69f98883550663da1dbc3","packagetype":"bdist_wheel","python_version":"py2.py3","requires_python":null,"size":1258033,"upload_time":"2014-12-22T16:16:26","upload_time_iso_8601":"2014-12-22T16:16:26.467841Z","url":"https://files.pythonhosted.org/packages/dc/7c/21191b5944b917b66e4e4e06d74f668d814b6e8a3ff7acd874479b6f6b3d/pip-6.0-py2.py3-none-any.whl","yanked":false,"yanked_reason":null},{"comment_text":"","digests":{"blake2b_256":"38fd065c66a88398f240e344fdf496b9707f92d75f88eedc3d10ff847b28a657","md5":"fec85e88648bd2763668a419f7e2afef","sha256":"6103897f1bb68d3f933edd60f3e3830c4ea6b8abf7a4b500db148921b11f6c9b"},"downloads":-1,"filename":"pip-6.0.tar.gz","has_sig":false,"md5_digest":"fec85e88648bd2763668a419f7e2afef","packagetype":"sdist","python_version":"source","requires_python":null,"size":1190952,"upload_time":"2014-12-22T16:16:52","upload_time_iso_8601":"2014-12-22T16:16:52.995964Z","url":"https://files.pythonhosted.org/packages/38/fd/065c66a88398f240e344fdf496b9707f92d75f88eedc3d10ff847b28a657/pip-6.0.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[{"aliases":["CVE-2019-20916","GHSA-gpvv-69j7-gwj8"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py.","fixed_in":["19.2"],"id":"PYSEC-2020-173","link":"https://osv.dev/vulnerability/PYSEC-2020-173","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572","GHSA-5xp3-jfq3-5q8x"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"PYSEC-2021-437","link":"https://osv.dev/vulnerability/PYSEC-2021-437","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2019-20916"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py. A fix was committed 6704f2ace.","fixed_in":["19.2"],"id":"GHSA-gpvv-69j7-gwj8","link":"https://osv.dev/vulnerability/GHSA-gpvv-69j7-gwj8","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"GHSA-5xp3-jfq3-5q8x","link":"https://osv.dev/vulnerability/GHSA-5xp3-jfq3-5q8x","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the `hg clone` call (e.g. `--config`). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.","fixed_in":["23.3"],"id":"GHSA-mq26-g339-26xf","link":"https://osv.dev/vulnerability/GHSA-mq26-g339-26xf","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL  (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n","fixed_in":["23.3"],"id":"PYSEC-2023-228","link":"https://osv.dev/vulnerability/PYSEC-2023-228","source":"osv","summary":null,"withdrawn":null}]},"6.0.1":{"info":{"author":"The pip developers","author_email":"python-virtualenv@groups.google.com","bugtrack_url":null,"classifiers":["Development Status :: 5 - Production/Stable","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Programming Language :: Python :: 2","Programming Language :: Python :: 2.6","Programming Language :: Python :: 2.7","Programming Language :: Python :: 3","Programming Language :: Python :: 3.2","Programming Language :: Python :: 3.3","Programming Language :: Python :: 3.4","Programming Language :: Python :: Implementation :: PyPy","Topic :: Software Development :: Build Tools"],"description_content_type":null,"docs_url":null,"download_url":null,"downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"https://pip.pypa.io/","keywords":"easy_install distutils setuptools egg virtualenv","license":"MIT","maintainer":null,"maintainer_email":null,"name":"pip","package_url":"https://pypi.org/project/pip/","platform":"UNKNOWN","project_url":"https://pypi.org/project/pip/","project_urls":{"Homepage":"https://pip.pypa.io/"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/6.0.1/","requires_dist":["pytest; extra == 'testing'","virtualenv (>=1.10); extra == 'testing'","scripttest (>=1.3); extra == 'testing'","mock; extra == 'testing'"],"requires_python":null,"summary":"The PyPA recommended tool for installing Python packages.","version":"6.0.1","yanked":false,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"e97acdbc1a12ed52410d557e48d4646f4543e9e991ff32d2374dc6db849aa617","md5":"c673ccf89f50b0f2f1adf625b3199dba","sha256":"322aea7d1f7b9ee68ad87ac4704cad5df97f77e70668c0bd18f964c5daa78173"},"downloads":-1,"filename":"pip-6.0.1-py2.py3-none-any.whl","has_sig":false,"md5_digest":"c673ccf89f50b0f2f1adf625b3199dba","packagetype":"bdist_wheel","python_version":"py2.py3","requires_python":null,"size":1258374,"upload_time":"2014-12-22T22:53:44","upload_time_iso_8601":"2014-12-22T22:53:44.320960Z","url":"https://files.pythonhosted.org/packages/e9/7a/cdbc1a12ed52410d557e48d4646f4543e9e991ff32d2374dc6db849aa617/pip-6.0.1-py2.py3-none-any.whl","yanked":false,"yanked_reason":null},{"comment_text":"","digests":{"blake2b_256":"4dc38675b90cd89b9b222062f4f6c7e9d48b0387f5b35cbf747a74403a883e56","md5":"dcee4aafd8a8538640926354c5cda025","sha256":"fa2f7c68da4a405d673aa38542f9df009d60026db4f532429ac9cbfbda1f959d"},"downloads":-1,"filename":"pip-6.0.1.tar.gz","has_sig":false,"md5_digest":"dcee4aafd8a8538640926354c5cda025","packagetype":"sdist","python_version":"source","requires_python":null,"size":1191382,"upload_time":"2014-12-22T22:53:56","upload_time_iso_8601":"2014-12-22T22:53:56.140799Z","url":"https://files.pythonhosted.org/packages/4d/c3/8675b90cd89b9b222062f4f6c7e9d48b0387f5b35cbf747a74403a883e56/pip-6.0.1.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[{"aliases":["CVE-2019-20916","GHSA-gpvv-69j7-gwj8"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py.","fixed_in":["19.2"],"id":"PYSEC-2020-173","link":"https://osv.dev/vulnerability/PYSEC-2020-173","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572","GHSA-5xp3-jfq3-5q8x"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"PYSEC-2021-437","link":"https://osv.dev/vulnerability/PYSEC-2021-437","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2019-20916"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py. A fix was committed 6704f2ace.","fixed_in":["19.2"],"id":"GHSA-gpvv-69j7-gwj8","link":"https://osv.dev/vulnerability/GHSA-gpvv-69j7-gwj8","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"GHSA-5xp3-jfq3-5q8x","link":"https://osv.dev/vulnerability/GHSA-5xp3-jfq3-5q8x","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the `hg clone` call (e.g. `--config`). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.","fixed_in":["23.3"],"id":"GHSA-mq26-g339-26xf","link":"https://osv.dev/vulnerability/GHSA-mq26-g339-26xf","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL  (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n","fixed_in":["23.3"],"id":"PYSEC-2023-228","link":"https://osv.dev/vulnerability/PYSEC-2023-228","source":"osv","summary":null,"withdrawn":null}]},"6.0.2":{"info":{"author":"The pip developers","author_email":"python-virtualenv@groups.google.com","bugtrack_url":null,"classifiers":["Development Status :: 5 - Production/Stable","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Programming Language :: Python :: 2","Programming Language :: Python :: 2.6","Programming Language :: Python :: 2.7","Programming Language :: Python :: 3","Programming Language :: Python :: 3.2","Programming Language :: Python :: 3.3","Programming Language :: Python :: 3.4","Programming Language :: Python :: Implementation :: PyPy","Topic :: Software Development :: Build Tools"],"description_content_type":null,"docs_url":null,"download_url":null,"downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"https://pip.pypa.io/","keywords":"easy_install distutils setuptools egg virtualenv","license":"MIT","maintainer":null,"maintainer_email":null,"name":"pip","package_url":"https://pypi.org/project/pip/","platform":"UNKNOWN","project_url":"https://pypi.org/project/pip/","project_urls":{"Homepage":"https://pip.pypa.io/"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/6.0.2/","requires_dist":["pytest; extra == 'testing'","virtualenv (>=1.10); extra == 'testing'","scripttest (>=1.3); extra == 'testing'","mock; extra == 'testing'"],"requires_python":null,"summary":"The PyPA recommended tool for installing Python packages.","version":"6.0.2","yanked":false,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"713cb5a521e5e99cfff091e282231591f21193fd80de079ec5fb8ed9c6614044","md5":"26404d27a64a40d4c358a2405b16d043","sha256":"7d17b0f267f7c9cd17cd2924bbbe2b4a3d407322c0e09084ca3f1295c1fed50d"},"downloads":-1,"filename":"pip-6.0.2-py2.py3-none-any.whl","has_sig":false,"md5_digest":"26404d27a64a40d4c358a2405b16d043","packagetype":"bdist_wheel","python_version":"py2.py3","requires_python":null,"size":1258464,"upload_time":"2014-12-23T13:15:08","upload_time_iso_8601":"2014-12-23T13:15:08.881892Z","url":"https://files.pythonhosted.org/packages/71/3c/b5a521e5e99cfff091e282231591f21193fd80de079ec5fb8ed9c6614044/pip-6.0.2-py2.py3-none-any.whl","yanked":false,"yanked_reason":null},{"comment_text":"","digests":{"blake2b_256":"4c5af9e8e3de0153282c7cb54a9b991af225536ac914bac858ca664cf883bb3e","md5":"dd396e135b8abdd0097401cb8b66ea30","sha256":"6fa90667706a679e3dc75b27a51fddafa64401c45e96f8ae6c20978183290077"},"downloads":-1,"filename":"pip-6.0.2.tar.gz","has_sig":false,"md5_digest":"dd396e135b8abdd0097401cb8b66ea30","packagetype":"sdist","python_version":"source","requires_python":null,"size":1191608,"upload_time":"2014-12-23T13:15:23","upload_time_iso_8601":"2014-12-23T13:15:23.432872Z","url":"https://files.pythonhosted.org/packages/4c/5a/f9e8e3de0153282c7cb54a9b991af225536ac914bac858ca664cf883bb3e/pip-6.0.2.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[{"aliases":["CVE-2019-20916","GHSA-gpvv-69j7-gwj8"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py.","fixed_in":["19.2"],"id":"PYSEC-2020-173","link":"https://osv.dev/vulnerability/PYSEC-2020-173","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572","GHSA-5xp3-jfq3-5q8x"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"PYSEC-2021-437","link":"https://osv.dev/vulnerability/PYSEC-2021-437","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2019-20916"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py. A fix was committed 6704f2ace.","fixed_in":["19.2"],"id":"GHSA-gpvv-69j7-gwj8","link":"https://osv.dev/vulnerability/GHSA-gpvv-69j7-gwj8","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"GHSA-5xp3-jfq3-5q8x","link":"https://osv.dev/vulnerability/GHSA-5xp3-jfq3-5q8x","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the `hg clone` call (e.g. `--config`). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.","fixed_in":["23.3"],"id":"GHSA-mq26-g339-26xf","link":"https://osv.dev/vulnerability/GHSA-mq26-g339-26xf","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL  (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n","fixed_in":["23.3"],"id":"PYSEC-2023-228","link":"https://osv.dev/vulnerability/PYSEC-2023-228","source":"osv","summary":null,"withdrawn":null}]},"6.0.3":{"info":{"author":"The pip developers","author_email":"python-virtualenv@groups.google.com","bugtrack_url":null,"classifiers":["Development Status :: 5 - Production/Stable","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Programming Language :: Python :: 2","Programming Language :: Python :: 2.6","Programming Language :: Python :: 2.7","Programming Language :: Python :: 3","Programming Language :: Python :: 3.2","Programming Language :: Python :: 3.3","Programming Language :: Python :: 3.4","Programming Language :: Python :: Implementation :: PyPy","Topic :: Software Development :: Build Tools"],"description_content_type":null,"docs_url":null,"download_url":null,"downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"https://pip.pypa.io/","keywords":"easy_install distutils setuptools egg virtualenv","license":"MIT","maintainer":null,"maintainer_email":null,"name":"pip","package_url":"https://pypi.org/project/pip/","platform":"UNKNOWN","project_url":"https://pypi.org/project/pip/","project_urls":{"Homepage":"https://pip.pypa.io/"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/6.0.3/","requires_dist":["pytest; extra == 'testing'","virtualenv (>=1.10); extra == 'testing'","scripttest (>=1.3); extra == 'testing'","mock; extra == 'testing'"],"requires_python":null,"summary":"The PyPA recommended tool for installing Python packages.","version":"6.0.3","yanked":false,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"73cb3eebf42003791df29219a3dfa1874572aa16114b44c9b1b0ac66bf96e8c0","md5":"1ac546485f75a8cf257a8f1a40aa51f5","sha256":"b72655b6ac6aef1c86dd07f51e8ace8d7aabd6a1c4ff88db87155276fa32a073"},"downloads":-1,"filename":"pip-6.0.3-py2.py3-none-any.whl","has_sig":false,"md5_digest":"1ac546485f75a8cf257a8f1a40aa51f5","packagetype":"bdist_wheel","python_version":"py2.py3","requires_python":null,"size":1258585,"upload_time":"2014-12-24T01:16:05","upload_time_iso_8601":"2014-12-24T01:16:05.401094Z","url":"https://files.pythonhosted.org/packages/73/cb/3eebf42003791df29219a3dfa1874572aa16114b44c9b1b0ac66bf96e8c0/pip-6.0.3-py2.py3-none-any.whl","yanked":false,"yanked_reason":null},{"comment_text":"","digests":{"blake2b_256":"ce638d99ae60d11ae1a65f5d4fc39a529a598bd3b8e067132210cb0c4d9e9f74","md5":"1ca6788e57a176abbdf6d99d69f54ae0","sha256":"b091a35f5fa0faffac0b27b97e1e1e93ffe63b463c2ea8dbde0c1fb987933614"},"downloads":-1,"filename":"pip-6.0.3.tar.gz","has_sig":false,"md5_digest":"1ca6788e57a176abbdf6d99d69f54ae0","packagetype":"sdist","python_version":"source","requires_python":null,"size":1191776,"upload_time":"2014-12-24T01:16:16","upload_time_iso_8601":"2014-12-24T01:16:16.302066Z","url":"https://files.pythonhosted.org/packages/ce/63/8d99ae60d11ae1a65f5d4fc39a529a598bd3b8e067132210cb0c4d9e9f74/pip-6.0.3.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[{"aliases":["CVE-2019-20916","GHSA-gpvv-69j7-gwj8"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py.","fixed_in":["19.2"],"id":"PYSEC-2020-173","link":"https://osv.dev/vulnerability/PYSEC-2020-173","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572","GHSA-5xp3-jfq3-5q8x"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"PYSEC-2021-437","link":"https://osv.dev/vulnerability/PYSEC-2021-437","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2019-20916"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py. A fix was committed 6704f2ace.","fixed_in":["19.2"],"id":"GHSA-gpvv-69j7-gwj8","link":"https://osv.dev/vulnerability/GHSA-gpvv-69j7-gwj8","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"GHSA-5xp3-jfq3-5q8x","link":"https://osv.dev/vulnerability/GHSA-5xp3-jfq3-5q8x","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the `hg clone` call (e.g. `--config`). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.","fixed_in":["23.3"],"id":"GHSA-mq26-g339-26xf","link":"https://osv.dev/vulnerability/GHSA-mq26-g339-26xf","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL  (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n","fixed_in":["23.3"],"id":"PYSEC-2023-228","link":"https://osv.dev/vulnerability/PYSEC-2023-228","source":"osv","summary":null,"withdrawn":null}]},"6.0.4":{"info":{"author":"The pip developers","author_email":"python-virtualenv@groups.google.com","bugtrack_url":null,"classifiers":["Development Status :: 5 - Production/Stable","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Programming Language :: Python :: 2","Programming Language :: Python :: 2.6","Programming Language :: Python :: 2.7","Programming Language :: Python :: 3","Programming Language :: Python :: 3.2","Programming Language :: Python :: 3.3","Programming Language :: Python :: 3.4","Programming Language :: Python :: Implementation :: PyPy","Topic :: Software Development :: Build Tools"],"description_content_type":null,"docs_url":null,"download_url":null,"downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"https://pip.pypa.io/","keywords":"easy_install distutils setuptools egg virtualenv","license":"MIT","maintainer":null,"maintainer_email":null,"name":"pip","package_url":"https://pypi.org/project/pip/","platform":"UNKNOWN","project_url":"https://pypi.org/project/pip/","project_urls":{"Homepage":"https://pip.pypa.io/"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/6.0.4/","requires_dist":["pytest; extra == 'testing'","virtualenv (>=1.10); extra == 'testing'","scripttest (>=1.3); extra == 'testing'","mock; extra == 'testing'"],"requires_python":null,"summary":"The PyPA recommended tool for installing Python packages.","version":"6.0.4","yanked":false,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"c50ec974206726542bc495fc7443dd97834a6d14c2f0cba183fcfcd01075225a","md5":"0f654b22b335d01d15fdeb5f3291ecb5","sha256":"8dfd95de29a7a3bb1e7d368cc83d566938eb210b04d553ebfe5e3a422f4aec65"},"downloads":-1,"filename":"pip-6.0.4-py2.py3-none-any.whl","has_sig":false,"md5_digest":"0f654b22b335d01d15fdeb5f3291ecb5","packagetype":"bdist_wheel","python_version":"py2.py3","requires_python":null,"size":1260725,"upload_time":"2015-01-03T06:49:44","upload_time_iso_8601":"2015-01-03T06:49:44.714070Z","url":"https://files.pythonhosted.org/packages/c5/0e/c974206726542bc495fc7443dd97834a6d14c2f0cba183fcfcd01075225a/pip-6.0.4-py2.py3-none-any.whl","yanked":false,"yanked_reason":null},{"comment_text":"","digests":{"blake2b_256":"02a1c90f19910ee153d7a0efca7216758121118d7e93084276541383fe9ca82e","md5":"787ceae3419c8938f4c068814deff4d5","sha256":"1dbbff9c369e510c7468ab68ba52c003f68f83c99c2f8259acd51099e8799f1e"},"downloads":-1,"filename":"pip-6.0.4.tar.gz","has_sig":false,"md5_digest":"787ceae3419c8938f4c068814deff4d5","packagetype":"sdist","python_version":"source","requires_python":null,"size":1193816,"upload_time":"2015-01-03T06:49:58","upload_time_iso_8601":"2015-01-03T06:49:58.026251Z","url":"https://files.pythonhosted.org/packages/02/a1/c90f19910ee153d7a0efca7216758121118d7e93084276541383fe9ca82e/pip-6.0.4.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[{"aliases":["CVE-2019-20916","GHSA-gpvv-69j7-gwj8"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py.","fixed_in":["19.2"],"id":"PYSEC-2020-173","link":"https://osv.dev/vulnerability/PYSEC-2020-173","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572","GHSA-5xp3-jfq3-5q8x"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"PYSEC-2021-437","link":"https://osv.dev/vulnerability/PYSEC-2021-437","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2019-20916"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py. A fix was committed 6704f2ace.","fixed_in":["19.2"],"id":"GHSA-gpvv-69j7-gwj8","link":"https://osv.dev/vulnerability/GHSA-gpvv-69j7-gwj8","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"GHSA-5xp3-jfq3-5q8x","link":"https://osv.dev/vulnerability/GHSA-5xp3-jfq3-5q8x","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the `hg clone` call (e.g. `--config`). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.","fixed_in":["23.3"],"id":"GHSA-mq26-g339-26xf","link":"https://osv.dev/vulnerability/GHSA-mq26-g339-26xf","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL  (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n","fixed_in":["23.3"],"id":"PYSEC-2023-228","link":"https://osv.dev/vulnerability/PYSEC-2023-228","source":"osv","summary":null,"withdrawn":null}]},"6.0.5":{"info":{"author":"The pip developers","author_email":"python-virtualenv@groups.google.com","bugtrack_url":null,"classifiers":["Development Status :: 5 - Production/Stable","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Programming Language :: Python :: 2","Programming Language :: Python :: 2.6","Programming Language :: Python :: 2.7","Programming Language :: Python :: 3","Programming Language :: Python :: 3.2","Programming Language :: Python :: 3.3","Programming Language :: Python :: 3.4","Programming Language :: Python :: Implementation :: PyPy","Topic :: Software Development :: Build Tools"],"description_content_type":null,"docs_url":null,"download_url":null,"downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"https://pip.pypa.io/","keywords":"easy_install distutils setuptools egg virtualenv","license":"MIT","maintainer":null,"maintainer_email":null,"name":"pip","package_url":"https://pypi.org/project/pip/","platform":"UNKNOWN","project_url":"https://pypi.org/project/pip/","project_urls":{"Homepage":"https://pip.pypa.io/"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/6.0.5/","requires_dist":["pytest; extra == 'testing'","virtualenv (>=1.10); extra == 'testing'","scripttest (>=1.3); extra == 'testing'","mock; extra == 'testing'"],"requires_python":null,"summary":"The PyPA recommended tool for installing Python packages.","version":"6.0.5","yanked":false,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"e91bc6a375a337fb576784cdea3700f6c3eaf1420f0a01458e6e034cc178a84a","md5":"1bd4c8c9d8d9a9a4434825a1e0b4bae6","sha256":"b2c20e3a2a43b2bbb1d19ad98be27eccc7b0f0ece016da602ccaa757a862b0e2"},"downloads":-1,"filename":"pip-6.0.5-py2.py3-none-any.whl","has_sig":false,"md5_digest":"1bd4c8c9d8d9a9a4434825a1e0b4bae6","packagetype":"bdist_wheel","python_version":"py2.py3","requires_python":null,"size":1260813,"upload_time":"2015-01-03T08:08:06","upload_time_iso_8601":"2015-01-03T08:08:06.280933Z","url":"https://files.pythonhosted.org/packages/e9/1b/c6a375a337fb576784cdea3700f6c3eaf1420f0a01458e6e034cc178a84a/pip-6.0.5-py2.py3-none-any.whl","yanked":false,"yanked_reason":null},{"comment_text":"","digests":{"blake2b_256":"19f258628768f618c8c9fea878e0fb97730c0b8a838d3ab3f325768bf12dac94","md5":"b9c4607b294338870acca9ac45d528c4","sha256":"3bf42d28be9085ab2e9aecfd69a6da2d31563fe833304bf71a620a30c38ab8a2"},"downloads":-1,"filename":"pip-6.0.5.tar.gz","has_sig":false,"md5_digest":"b9c4607b294338870acca9ac45d528c4","packagetype":"sdist","python_version":"source","requires_python":null,"size":1193928,"upload_time":"2015-01-03T08:08:16","upload_time_iso_8601":"2015-01-03T08:08:16.335484Z","url":"https://files.pythonhosted.org/packages/19/f2/58628768f618c8c9fea878e0fb97730c0b8a838d3ab3f325768bf12dac94/pip-6.0.5.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[{"aliases":["CVE-2019-20916","GHSA-gpvv-69j7-gwj8"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py.","fixed_in":["19.2"],"id":"PYSEC-2020-173","link":"https://osv.dev/vulnerability/PYSEC-2020-173","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572","GHSA-5xp3-jfq3-5q8x"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"PYSEC-2021-437","link":"https://osv.dev/vulnerability/PYSEC-2021-437","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2019-20916"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py. A fix was committed 6704f2ace.","fixed_in":["19.2"],"id":"GHSA-gpvv-69j7-gwj8","link":"https://osv.dev/vulnerability/GHSA-gpvv-69j7-gwj8","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"GHSA-5xp3-jfq3-5q8x","link":"https://osv.dev/vulnerability/GHSA-5xp3-jfq3-5q8x","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the `hg clone` call (e.g. `--config`). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.","fixed_in":["23.3"],"id":"GHSA-mq26-g339-26xf","link":"https://osv.dev/vulnerability/GHSA-mq26-g339-26xf","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL  (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n","fixed_in":["23.3"],"id":"PYSEC-2023-228","link":"https://osv.dev/vulnerability/PYSEC-2023-228","source":"osv","summary":null,"withdrawn":null}]},"6.0.6":{"info":{"author":"The pip developers","author_email":"python-virtualenv@groups.google.com","bugtrack_url":null,"classifiers":["Development Status :: 5 - Production/Stable","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Programming Language :: Python :: 2","Programming Language :: Python :: 2.6","Programming Language :: Python :: 2.7","Programming Language :: Python :: 3","Programming Language :: Python :: 3.2","Programming Language :: Python :: 3.3","Programming Language :: Python :: 3.4","Programming Language :: Python :: Implementation :: PyPy","Topic :: Software Development :: Build Tools"],"description_content_type":null,"docs_url":null,"download_url":null,"downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"https://pip.pypa.io/","keywords":"easy_install distutils setuptools egg virtualenv","license":"MIT","maintainer":null,"maintainer_email":null,"name":"pip","package_url":"https://pypi.org/project/pip/","platform":"UNKNOWN","project_url":"https://pypi.org/project/pip/","project_urls":{"Homepage":"https://pip.pypa.io/"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/6.0.6/","requires_dist":["pytest; extra == 'testing'","virtualenv (>=1.10); extra == 'testing'","scripttest (>=1.3); extra == 'testing'","mock; extra == 'testing'"],"requires_python":null,"summary":"The PyPA recommended tool for installing Python packages.","version":"6.0.6","yanked":false,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"64fc4a49ccb18f55a0ceeb76e8d554bd4563217117492997825d194ed0017cc1","md5":"0472d9dc76a0df6cc6ab545e40aef832","sha256":"fb04f8afe1ba57626783f0c8e2f3d46bbaebaa446fcf124f434e968a2fee595e"},"downloads":-1,"filename":"pip-6.0.6-py2.py3-none-any.whl","has_sig":false,"md5_digest":"0472d9dc76a0df6cc6ab545e40aef832","packagetype":"bdist_wheel","python_version":"py2.py3","requires_python":null,"size":1260783,"upload_time":"2015-01-03T09:32:41","upload_time_iso_8601":"2015-01-03T09:32:41.561414Z","url":"https://files.pythonhosted.org/packages/64/fc/4a49ccb18f55a0ceeb76e8d554bd4563217117492997825d194ed0017cc1/pip-6.0.6-py2.py3-none-any.whl","yanked":false,"yanked_reason":null},{"comment_text":"","digests":{"blake2b_256":"f6ced9e4e178b66c766c117f62ddf4fece019ef9d50127a8926d2f60300d615e","md5":"bbb17814bdf82187f46aaf9cec6b6caa","sha256":"3a14091299dcdb9bab9e9004ae67ac401f2b1b14a7c98de074ca74fdddf4bfa0"},"downloads":-1,"filename":"pip-6.0.6.tar.gz","has_sig":false,"md5_digest":"bbb17814bdf82187f46aaf9cec6b6caa","packagetype":"sdist","python_version":"source","requires_python":null,"size":1193930,"upload_time":"2015-01-03T09:32:52","upload_time_iso_8601":"2015-01-03T09:32:52.504452Z","url":"https://files.pythonhosted.org/packages/f6/ce/d9e4e178b66c766c117f62ddf4fece019ef9d50127a8926d2f60300d615e/pip-6.0.6.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[{"aliases":["CVE-2019-20916","GHSA-gpvv-69j7-gwj8"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py.","fixed_in":["19.2"],"id":"PYSEC-2020-173","link":"https://osv.dev/vulnerability/PYSEC-2020-173","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572","GHSA-5xp3-jfq3-5q8x"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"PYSEC-2021-437","link":"https://osv.dev/vulnerability/PYSEC-2021-437","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2019-20916"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py. A fix was committed 6704f2ace.","fixed_in":["19.2"],"id":"GHSA-gpvv-69j7-gwj8","link":"https://osv.dev/vulnerability/GHSA-gpvv-69j7-gwj8","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"GHSA-5xp3-jfq3-5q8x","link":"https://osv.dev/vulnerability/GHSA-5xp3-jfq3-5q8x","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the `hg clone` call (e.g. `--config`). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.","fixed_in":["23.3"],"id":"GHSA-mq26-g339-26xf","link":"https://osv.dev/vulnerability/GHSA-mq26-g339-26xf","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL  (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n","fixed_in":["23.3"],"id":"PYSEC-2023-228","link":"https://osv.dev/vulnerability/PYSEC-2023-228","source":"osv","summary":null,"withdrawn":null}]},"6.0.7":{"info":{"author":"The pip developers","author_email":"python-virtualenv@groups.google.com","bugtrack_url":null,"classifiers":["Development Status :: 5 - Production/Stable","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Programming Language :: Python :: 2","Programming Language :: Python :: 2.6","Programming Language :: Python :: 2.7","Programming Language :: Python :: 3","Programming Language :: Python :: 3.2","Programming Language :: Python :: 3.3","Programming Language :: Python :: 3.4","Programming Language :: Python :: Implementation :: PyPy","Topic :: Software Development :: Build Tools"],"description_content_type":null,"docs_url":null,"download_url":null,"downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"https://pip.pypa.io/","keywords":"easy_install distutils setuptools egg virtualenv","license":"MIT","maintainer":null,"maintainer_email":null,"name":"pip","package_url":"https://pypi.org/project/pip/","platform":"UNKNOWN","project_url":"https://pypi.org/project/pip/","project_urls":{"Homepage":"https://pip.pypa.io/"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/6.0.7/","requires_dist":["pytest; extra == 'testing'","virtualenv (>=1.10); extra == 'testing'","scripttest (>=1.3); extra == 'testing'","mock; extra == 'testing'"],"requires_python":null,"summary":"The PyPA recommended tool for installing Python packages.","version":"6.0.7","yanked":false,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"7a8e2bbd4fcf3ee06ee90ded5f39ec12f53165dfdb9ef25a981717ad38a16670","md5":"9a7ea5d89062613887b75e01e5d82c36","sha256":"93a326304c7db749896bcef822bbbac1ab29dad5651c6d732e245975239890e6"},"downloads":-1,"filename":"pip-6.0.7-py2.py3-none-any.whl","has_sig":false,"md5_digest":"9a7ea5d89062613887b75e01e5d82c36","packagetype":"bdist_wheel","python_version":"py2.py3","requires_python":null,"size":1263429,"upload_time":"2015-01-28T21:42:09","upload_time_iso_8601":"2015-01-28T21:42:09.190813Z","url":"https://files.pythonhosted.org/packages/7a/8e/2bbd4fcf3ee06ee90ded5f39ec12f53165dfdb9ef25a981717ad38a16670/pip-6.0.7-py2.py3-none-any.whl","yanked":false,"yanked_reason":null},{"comment_text":"","digests":{"blake2b_256":"5285b160ebdaa84378df6bb0176d4eed9f57edca662446174eead7a9e2e566d6","md5":"26fa8f4c0f9a78c6c96ccfbcf34f5c31","sha256":"35a5a43ac6b7af83ed47ea5731a365f43d350a3a7267e039e5f06b61d42ab3c2"},"downloads":-1,"filename":"pip-6.0.7.tar.gz","has_sig":false,"md5_digest":"26fa8f4c0f9a78c6c96ccfbcf34f5c31","packagetype":"sdist","python_version":"source","requires_python":null,"size":1196938,"upload_time":"2015-01-28T21:42:18","upload_time_iso_8601":"2015-01-28T21:42:18.508628Z","url":"https://files.pythonhosted.org/packages/52/85/b160ebdaa84378df6bb0176d4eed9f57edca662446174eead7a9e2e566d6/pip-6.0.7.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[{"aliases":["CVE-2019-20916","GHSA-gpvv-69j7-gwj8"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py.","fixed_in":["19.2"],"id":"PYSEC-2020-173","link":"https://osv.dev/vulnerability/PYSEC-2020-173","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572","GHSA-5xp3-jfq3-5q8x"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"PYSEC-2021-437","link":"https://osv.dev/vulnerability/PYSEC-2021-437","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2019-20916"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py. A fix was committed 6704f2ace.","fixed_in":["19.2"],"id":"GHSA-gpvv-69j7-gwj8","link":"https://osv.dev/vulnerability/GHSA-gpvv-69j7-gwj8","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"GHSA-5xp3-jfq3-5q8x","link":"https://osv.dev/vulnerability/GHSA-5xp3-jfq3-5q8x","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the `hg clone` call (e.g. `--config`). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.","fixed_in":["23.3"],"id":"GHSA-mq26-g339-26xf","link":"https://osv.dev/vulnerability/GHSA-mq26-g339-26xf","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL  (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n","fixed_in":["23.3"],"id":"PYSEC-2023-228","link":"https://osv.dev/vulnerability/PYSEC-2023-228","source":"osv","summary":null,"withdrawn":null}]},"6.0.8":{"info":{"author":"The pip developers","author_email":"python-virtualenv@groups.google.com","bugtrack_url":null,"classifiers":["Development Status :: 5 - Production/Stable","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Programming Language :: Python :: 2","Programming Language :: Python :: 2.6","Programming Language :: Python :: 2.7","Programming Language :: Python :: 3","Programming Language :: Python :: 3.2","Programming Language :: Python :: 3.3","Programming Language :: Python :: 3.4","Programming Language :: Python :: Implementation :: PyPy","Topic :: Software Development :: Build Tools"],"description_content_type":null,"docs_url":null,"download_url":null,"downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"https://pip.pypa.io/","keywords":"easy_install distutils setuptools egg virtualenv","license":"MIT","maintainer":null,"maintainer_email":null,"name":"pip","package_url":"https://pypi.org/project/pip/","platform":"UNKNOWN","project_url":"https://pypi.org/project/pip/","project_urls":{"Homepage":"https://pip.pypa.io/"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/6.0.8/","requires_dist":["pytest; extra == 'testing'","virtualenv (>=1.10); extra == 'testing'","scripttest (>=1.3); extra == 'testing'","mock; extra == 'testing'"],"requires_python":null,"summary":"The PyPA recommended tool for installing Python packages.","version":"6.0.8","yanked":false,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"636555b71647adec1ad595bf0e5d76d028506dfc002df30c256f022ff7a660a5","md5":"41e73fae2c86ba2270ff51c1d86f7e09","sha256":"3c22b0a8ff92727bd737a82f72700790591f177541df08c07bc1f90d6b72ac19"},"downloads":-1,"filename":"pip-6.0.8-py2.py3-none-any.whl","has_sig":false,"md5_digest":"41e73fae2c86ba2270ff51c1d86f7e09","packagetype":"bdist_wheel","python_version":"py2.py3","requires_python":null,"size":1266491,"upload_time":"2015-02-05T02:28:50","upload_time_iso_8601":"2015-02-05T02:28:50.866282Z","url":"https://files.pythonhosted.org/packages/63/65/55b71647adec1ad595bf0e5d76d028506dfc002df30c256f022ff7a660a5/pip-6.0.8-py2.py3-none-any.whl","yanked":false,"yanked_reason":null},{"comment_text":"","digests":{"blake2b_256":"ef8ae3a980bc0a7f791d72c1302f65763ed300f2e14c907ac033e01b44c79e5e","md5":"2332e6f97e75ded3bddde0ced01dbda3","sha256":"0d58487a1b7f5be2e5e965c11afbea1dc44ecec8069de03491a4d0d6c85f4551"},"downloads":-1,"filename":"pip-6.0.8.tar.gz","has_sig":false,"md5_digest":"2332e6f97e75ded3bddde0ced01dbda3","packagetype":"sdist","python_version":"source","requires_python":null,"size":1200024,"upload_time":"2015-02-05T02:29:00","upload_time_iso_8601":"2015-02-05T02:29:00.595772Z","url":"https://files.pythonhosted.org/packages/ef/8a/e3a980bc0a7f791d72c1302f65763ed300f2e14c907ac033e01b44c79e5e/pip-6.0.8.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[{"aliases":["CVE-2019-20916","GHSA-gpvv-69j7-gwj8"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py.","fixed_in":["19.2"],"id":"PYSEC-2020-173","link":"https://osv.dev/vulnerability/PYSEC-2020-173","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572","GHSA-5xp3-jfq3-5q8x"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"PYSEC-2021-437","link":"https://osv.dev/vulnerability/PYSEC-2021-437","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2019-20916"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py. A fix was committed 6704f2ace.","fixed_in":["19.2"],"id":"GHSA-gpvv-69j7-gwj8","link":"https://osv.dev/vulnerability/GHSA-gpvv-69j7-gwj8","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"GHSA-5xp3-jfq3-5q8x","link":"https://osv.dev/vulnerability/GHSA-5xp3-jfq3-5q8x","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the `hg clone` call (e.g. `--config`). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.","fixed_in":["23.3"],"id":"GHSA-mq26-g339-26xf","link":"https://osv.dev/vulnerability/GHSA-mq26-g339-26xf","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL  (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n","fixed_in":["23.3"],"id":"PYSEC-2023-228","link":"https://osv.dev/vulnerability/PYSEC-2023-228","source":"osv","summary":null,"withdrawn":null}]},"6.1.0":{"info":{"author":"The pip developers","author_email":"python-virtualenv@groups.google.com","bugtrack_url":null,"classifiers":["Development Status :: 5 - Production/Stable","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Programming Language :: Python :: 2","Programming Language :: Python :: 2.6","Programming Language :: Python :: 2.7","Programming Language :: Python :: 3","Programming Language :: Python :: 3.2","Programming Language :: Python :: 3.3","Programming Language :: Python :: 3.4","Programming Language :: Python :: Implementation :: PyPy","Topic :: Software Development :: Build Tools"],"description_content_type":null,"docs_url":null,"download_url":null,"downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"https://pip.pypa.io/","keywords":"easy_install distutils setuptools egg virtualenv","license":"MIT","maintainer":null,"maintainer_email":null,"name":"pip","package_url":"https://pypi.org/project/pip/","platform":"UNKNOWN","project_url":"https://pypi.org/project/pip/","project_urls":{"Homepage":"https://pip.pypa.io/"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/6.1.0/","requires_dist":["pytest; extra == 'testing'","virtualenv (>=1.10); extra == 'testing'","scripttest (>=1.3); extra == 'testing'","mock; extra == 'testing'"],"requires_python":null,"summary":"The PyPA recommended tool for installing Python packages.","version":"6.1.0","yanked":false,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"24fb8a56a46243514681e569bbafd8146fa383476c4b7c725c8598c452366f31","md5":"94faa2660c3a2ebe7d015d62c8726259","sha256":"435a018f6d29e34d4f901bf4e6860d8a5fa1816b68d62008c18ca062a306db31"},"downloads":-1,"filename":"pip-6.1.0-py2.py3-none-any.whl","has_sig":false,"md5_digest":"94faa2660c3a2ebe7d015d62c8726259","packagetype":"bdist_wheel","python_version":"py2.py3","requires_python":null,"size":1117902,"upload_time":"2015-04-07T04:48:48","upload_time_iso_8601":"2015-04-07T04:48:48.874789Z","url":"https://files.pythonhosted.org/packages/24/fb/8a56a46243514681e569bbafd8146fa383476c4b7c725c8598c452366f31/pip-6.1.0-py2.py3-none-any.whl","yanked":false,"yanked_reason":null},{"comment_text":"","digests":{"blake2b_256":"6c84432eb60bbcb414b9cdfcb135d5f4925e253c74e7d6916ada79990d6cc1a0","md5":"d0c349765bbc23743cec42b37bd8a281","sha256":"89f120e2ab3d25ab70c36eb28ad4f280fc9ba71736e74d3055f609c1f9173768"},"downloads":-1,"filename":"pip-6.1.0.tar.gz","has_sig":false,"md5_digest":"d0c349765bbc23743cec42b37bd8a281","packagetype":"sdist","python_version":"source","requires_python":null,"size":1051117,"upload_time":"2015-04-07T04:48:58","upload_time_iso_8601":"2015-04-07T04:48:58.958624Z","url":"https://files.pythonhosted.org/packages/6c/84/432eb60bbcb414b9cdfcb135d5f4925e253c74e7d6916ada79990d6cc1a0/pip-6.1.0.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[{"aliases":["CVE-2019-20916","GHSA-gpvv-69j7-gwj8"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py.","fixed_in":["19.2"],"id":"PYSEC-2020-173","link":"https://osv.dev/vulnerability/PYSEC-2020-173","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572","GHSA-5xp3-jfq3-5q8x"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"PYSEC-2021-437","link":"https://osv.dev/vulnerability/PYSEC-2021-437","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2019-20916"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py. A fix was committed 6704f2ace.","fixed_in":["19.2"],"id":"GHSA-gpvv-69j7-gwj8","link":"https://osv.dev/vulnerability/GHSA-gpvv-69j7-gwj8","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"GHSA-5xp3-jfq3-5q8x","link":"https://osv.dev/vulnerability/GHSA-5xp3-jfq3-5q8x","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the `hg clone` call (e.g. `--config`). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.","fixed_in":["23.3"],"id":"GHSA-mq26-g339-26xf","link":"https://osv.dev/vulnerability/GHSA-mq26-g339-26xf","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL  (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n","fixed_in":["23.3"],"id":"PYSEC-2023-228","link":"https://osv.dev/vulnerability/PYSEC-2023-228","source":"osv","summary":null,"withdrawn":null}]},"6.1.1":{"info":{"author":"The pip developers","author_email":"python-virtualenv@groups.google.com","bugtrack_url":null,"classifiers":["Development Status :: 5 - Production/Stable","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Programming Language :: Python :: 2","Programming Language :: Python :: 2.6","Programming Language :: Python :: 2.7","Programming Language :: Python :: 3","Programming Language :: Python :: 3.2","Programming Language :: Python :: 3.3","Programming Language :: Python :: 3.4","Programming Language :: Python :: Implementation :: PyPy","Topic :: Software Development :: Build Tools"],"description_content_type":null,"docs_url":null,"download_url":null,"downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"https://pip.pypa.io/","keywords":"easy_install distutils setuptools egg virtualenv","license":"MIT","maintainer":null,"maintainer_email":null,"name":"pip","package_url":"https://pypi.org/project/pip/","platform":"UNKNOWN","project_url":"https://pypi.org/project/pip/","project_urls":{"Homepage":"https://pip.pypa.io/"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/6.1.1/","requires_dist":["pytest; extra == 'testing'","virtualenv (>=1.10); extra == 'testing'","scripttest (>=1.3); extra == 'testing'","mock; extra == 'testing'"],"requires_python":null,"summary":"The PyPA recommended tool for installing Python packages.","version":"6.1.1","yanked":false,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"67f0ba0fb41dbdbfc4aa3e0c16b40269aca6b9e3d59cacdb646218aa2e9b1d2c","md5":"172eb5abab25a5e0f7a7b63c7a49378d","sha256":"a67e54aa0f26b6d62ccec5cc6735eff205dd0fed075f56ac3d3111e91e4467fc"},"downloads":-1,"filename":"pip-6.1.1-py2.py3-none-any.whl","has_sig":false,"md5_digest":"172eb5abab25a5e0f7a7b63c7a49378d","packagetype":"bdist_wheel","python_version":"py2.py3","requires_python":null,"size":1117916,"upload_time":"2015-04-07T10:43:14","upload_time_iso_8601":"2015-04-07T10:43:14.524332Z","url":"https://files.pythonhosted.org/packages/67/f0/ba0fb41dbdbfc4aa3e0c16b40269aca6b9e3d59cacdb646218aa2e9b1d2c/pip-6.1.1-py2.py3-none-any.whl","yanked":false,"yanked_reason":null},{"comment_text":"","digests":{"blake2b_256":"bf85871c126b50b8ee0b9819e8a63b614aedd264577e73478caedcd447e8f28c","md5":"6b19e0a934d982a5a4b798e957cb6d45","sha256":"89f3b626d225e08e7f20d85044afa40f612eb3284484169813dc2d0631f2a556"},"downloads":-1,"filename":"pip-6.1.1.tar.gz","has_sig":false,"md5_digest":"6b19e0a934d982a5a4b798e957cb6d45","packagetype":"sdist","python_version":"source","requires_python":null,"size":1051205,"upload_time":"2015-04-07T10:43:26","upload_time_iso_8601":"2015-04-07T10:43:26.042225Z","url":"https://files.pythonhosted.org/packages/bf/85/871c126b50b8ee0b9819e8a63b614aedd264577e73478caedcd447e8f28c/pip-6.1.1.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[{"aliases":["CVE-2019-20916","GHSA-gpvv-69j7-gwj8"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py.","fixed_in":["19.2"],"id":"PYSEC-2020-173","link":"https://osv.dev/vulnerability/PYSEC-2020-173","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572","GHSA-5xp3-jfq3-5q8x"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"PYSEC-2021-437","link":"https://osv.dev/vulnerability/PYSEC-2021-437","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2019-20916"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py. A fix was committed 6704f2ace.","fixed_in":["19.2"],"id":"GHSA-gpvv-69j7-gwj8","link":"https://osv.dev/vulnerability/GHSA-gpvv-69j7-gwj8","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"GHSA-5xp3-jfq3-5q8x","link":"https://osv.dev/vulnerability/GHSA-5xp3-jfq3-5q8x","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the `hg clone` call (e.g. `--config`). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.","fixed_in":["23.3"],"id":"GHSA-mq26-g339-26xf","link":"https://osv.dev/vulnerability/GHSA-mq26-g339-26xf","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL  (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n","fixed_in":["23.3"],"id":"PYSEC-2023-228","link":"https://osv.dev/vulnerability/PYSEC-2023-228","source":"osv","summary":null,"withdrawn":null}]},"7.0.0":{"info":{"author":"The pip developers","author_email":"python-virtualenv@groups.google.com","bugtrack_url":null,"classifiers":["Development Status :: 5 - Production/Stable","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Programming Language :: Python :: 2","Programming Language :: Python :: 2.6","Programming Language :: Python :: 2.7","Programming Language :: Python :: 3","Programming Language :: Python :: 3.2","Programming Language :: Python :: 3.3","Programming Language :: Python :: 3.4","Programming Language :: Python :: Implementation :: PyPy","Topic :: Software Development :: Build Tools"],"description_content_type":null,"docs_url":null,"download_url":null,"downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"https://pip.pypa.io/","keywords":"easy_install distutils setuptools egg virtualenv","license":"MIT","maintainer":null,"maintainer_email":null,"name":"pip","package_url":"https://pypi.org/project/pip/","platform":"UNKNOWN","project_url":"https://pypi.org/project/pip/","project_urls":{"Homepage":"https://pip.pypa.io/"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/7.0.0/","requires_dist":["pytest; extra == 'testing'","virtualenv (>=1.10); extra == 'testing'","scripttest (>=1.3); extra == 'testing'","mock; extra == 'testing'"],"requires_python":null,"summary":"The PyPA recommended tool for installing Python packages.","version":"7.0.0","yanked":false,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"5a9b56d3c18d0784d5f2bbd446ea2dc7ffa7476c35e3dc223741d20cfee3b185","md5":"c3d66bbb6a230538ac984a411567a322","sha256":"309c48399c7d68501a10ef206abd6e5c541fedbf84b95435d9063bd454b39df7"},"downloads":-1,"filename":"pip-7.0.0-py2.py3-none-any.whl","has_sig":false,"md5_digest":"c3d66bbb6a230538ac984a411567a322","packagetype":"bdist_wheel","python_version":"py2.py3","requires_python":null,"size":1118091,"upload_time":"2015-05-22T02:59:59","upload_time_iso_8601":"2015-05-22T02:59:59.774370Z","url":"https://files.pythonhosted.org/packages/5a/9b/56d3c18d0784d5f2bbd446ea2dc7ffa7476c35e3dc223741d20cfee3b185/pip-7.0.0-py2.py3-none-any.whl","yanked":false,"yanked_reason":null},{"comment_text":"","digests":{"blake2b_256":"c6166475b142927ca5d03e3b7968efa5b0edd103e4684ecfde181a25f6fa2505","md5":"22d829cc0fab1d829f9374d67ad10c2a","sha256":"7b46bfc1b95494731de306a688e2a7bc056d7fa7ad27e026908fb2ae67fed23d"},"downloads":-1,"filename":"pip-7.0.0.tar.gz","has_sig":false,"md5_digest":"22d829cc0fab1d829f9374d67ad10c2a","packagetype":"sdist","python_version":"source","requires_python":null,"size":1053302,"upload_time":"2015-05-22T03:00:11","upload_time_iso_8601":"2015-05-22T03:00:11.819399Z","url":"https://files.pythonhosted.org/packages/c6/16/6475b142927ca5d03e3b7968efa5b0edd103e4684ecfde181a25f6fa2505/pip-7.0.0.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[{"aliases":["CVE-2019-20916","GHSA-gpvv-69j7-gwj8"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py.","fixed_in":["19.2"],"id":"PYSEC-2020-173","link":"https://osv.dev/vulnerability/PYSEC-2020-173","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572","GHSA-5xp3-jfq3-5q8x"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"PYSEC-2021-437","link":"https://osv.dev/vulnerability/PYSEC-2021-437","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2019-20916"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py. A fix was committed 6704f2ace.","fixed_in":["19.2"],"id":"GHSA-gpvv-69j7-gwj8","link":"https://osv.dev/vulnerability/GHSA-gpvv-69j7-gwj8","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"GHSA-5xp3-jfq3-5q8x","link":"https://osv.dev/vulnerability/GHSA-5xp3-jfq3-5q8x","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the `hg clone` call (e.g. `--config`). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.","fixed_in":["23.3"],"id":"GHSA-mq26-g339-26xf","link":"https://osv.dev/vulnerability/GHSA-mq26-g339-26xf","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL  (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n","fixed_in":["23.3"],"id":"PYSEC-2023-228","link":"https://osv.dev/vulnerability/PYSEC-2023-228","source":"osv","summary":null,"withdrawn":null}]},"7.0.1":{"info":{"author":"The pip developers","author_email":"python-virtualenv@groups.google.com","bugtrack_url":null,"classifiers":["Development Status :: 5 - Production/Stable","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Programming Language :: Python :: 2","Programming Language :: Python :: 2.6","Programming Language :: Python :: 2.7","Programming Language :: Python :: 3","Programming Language :: Python :: 3.2","Programming Language :: Python :: 3.3","Programming Language :: Python :: 3.4","Programming Language :: Python :: Implementation :: PyPy","Topic :: Software Development :: Build Tools"],"description_content_type":null,"docs_url":null,"download_url":null,"downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"https://pip.pypa.io/","keywords":"easy_install distutils setuptools egg virtualenv","license":"MIT","maintainer":null,"maintainer_email":null,"name":"pip","package_url":"https://pypi.org/project/pip/","platform":"UNKNOWN","project_url":"https://pypi.org/project/pip/","project_urls":{"Homepage":"https://pip.pypa.io/"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/7.0.1/","requires_dist":["pytest; extra == 'testing'","virtualenv (>=1.10); extra == 'testing'","scripttest (>=1.3); extra == 'testing'","mock; extra == 'testing'"],"requires_python":null,"summary":"The PyPA recommended tool for installing Python packages.","version":"7.0.1","yanked":false,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"5a10bb7a32c335bceba636aa673a4c977effa1e73a79f88856459486d8d670cf","md5":"9b403ba9b82d4a1e5fda5b6cc8952b57","sha256":"d26b8573ba1ac1ec99a9bdbdffee2ff2b06c7790815211d0eb4dc1462a089705"},"downloads":-1,"filename":"pip-7.0.1-py2.py3-none-any.whl","has_sig":false,"md5_digest":"9b403ba9b82d4a1e5fda5b6cc8952b57","packagetype":"bdist_wheel","python_version":"py2.py3","requires_python":null,"size":1118215,"upload_time":"2015-05-23T00:18:07","upload_time_iso_8601":"2015-05-23T00:18:07.637408Z","url":"https://files.pythonhosted.org/packages/5a/10/bb7a32c335bceba636aa673a4c977effa1e73a79f88856459486d8d670cf/pip-7.0.1-py2.py3-none-any.whl","yanked":false,"yanked_reason":null},{"comment_text":"","digests":{"blake2b_256":"4a839ae4362a80739657e0c8bb628ea3fa0214a9aba7c8590dacc301ea293f73","md5":"5627bb807cf3d898a2eba276685537aa","sha256":"cfec177552fdd0b2d12b72651c8e874f955b4c62c1c2c9f2588cbdc1c0d0d416"},"downloads":-1,"filename":"pip-7.0.1.tar.gz","has_sig":false,"md5_digest":"5627bb807cf3d898a2eba276685537aa","packagetype":"sdist","python_version":"source","requires_python":null,"size":1053513,"upload_time":"2015-05-23T00:18:19","upload_time_iso_8601":"2015-05-23T00:18:19.529004Z","url":"https://files.pythonhosted.org/packages/4a/83/9ae4362a80739657e0c8bb628ea3fa0214a9aba7c8590dacc301ea293f73/pip-7.0.1.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[{"aliases":["CVE-2019-20916","GHSA-gpvv-69j7-gwj8"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py.","fixed_in":["19.2"],"id":"PYSEC-2020-173","link":"https://osv.dev/vulnerability/PYSEC-2020-173","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572","GHSA-5xp3-jfq3-5q8x"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"PYSEC-2021-437","link":"https://osv.dev/vulnerability/PYSEC-2021-437","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2019-20916"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py. A fix was committed 6704f2ace.","fixed_in":["19.2"],"id":"GHSA-gpvv-69j7-gwj8","link":"https://osv.dev/vulnerability/GHSA-gpvv-69j7-gwj8","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"GHSA-5xp3-jfq3-5q8x","link":"https://osv.dev/vulnerability/GHSA-5xp3-jfq3-5q8x","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the `hg clone` call (e.g. `--config`). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.","fixed_in":["23.3"],"id":"GHSA-mq26-g339-26xf","link":"https://osv.dev/vulnerability/GHSA-mq26-g339-26xf","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL  (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n","fixed_in":["23.3"],"id":"PYSEC-2023-228","link":"https://osv.dev/vulnerability/PYSEC-2023-228","source":"osv","summary":null,"withdrawn":null}]},"7.0.2":{"info":{"author":"The pip developers","author_email":"python-virtualenv@groups.google.com","bugtrack_url":null,"classifiers":["Development Status :: 5 - Production/Stable","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Programming Language :: Python :: 2","Programming Language :: Python :: 2.6","Programming Language :: Python :: 2.7","Programming Language :: Python :: 3","Programming Language :: Python :: 3.2","Programming Language :: Python :: 3.3","Programming Language :: Python :: 3.4","Programming Language :: Python :: Implementation :: PyPy","Topic :: Software Development :: Build Tools"],"description_content_type":null,"docs_url":null,"download_url":null,"downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"https://pip.pypa.io/","keywords":"easy_install distutils setuptools egg virtualenv","license":"MIT","maintainer":null,"maintainer_email":null,"name":"pip","package_url":"https://pypi.org/project/pip/","platform":"UNKNOWN","project_url":"https://pypi.org/project/pip/","project_urls":{"Homepage":"https://pip.pypa.io/"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/7.0.2/","requires_dist":["pytest; extra == 'testing'","virtualenv (>=1.10); extra == 'testing'","scripttest (>=1.3); extra == 'testing'","mock; extra == 'testing'"],"requires_python":null,"summary":"The PyPA recommended tool for installing Python packages.","version":"7.0.2","yanked":false,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"647f7107800ae0919a80afbf1ecba21b90890431c3ee79d700adac3c79cb6497","md5":"b0a1ae13afdc4db03d8b9afd91cd21f8","sha256":"83c869c5ab7113866e2d69641ec470d47f0faae68ca4550a289a4d3db515ad65"},"downloads":-1,"filename":"pip-7.0.2-py2.py3-none-any.whl","has_sig":false,"md5_digest":"b0a1ae13afdc4db03d8b9afd91cd21f8","packagetype":"bdist_wheel","python_version":"py2.py3","requires_python":null,"size":1118531,"upload_time":"2015-06-01T23:38:59","upload_time_iso_8601":"2015-06-01T23:38:59.844548Z","url":"https://files.pythonhosted.org/packages/64/7f/7107800ae0919a80afbf1ecba21b90890431c3ee79d700adac3c79cb6497/pip-7.0.2-py2.py3-none-any.whl","yanked":false,"yanked_reason":null},{"comment_text":"","digests":{"blake2b_256":"75b166532c273bca0133e42c3b4540a1609289f16e3046f1830f18c60794d661","md5":"f01ba398ebf3aad2d0a4e05194dfdfbf","sha256":"ba28fa60b573a9444e7b78ccb3b0f261d1f66f46d20403f9dce37b18a6aed405"},"downloads":-1,"filename":"pip-7.0.2.tar.gz","has_sig":false,"md5_digest":"f01ba398ebf3aad2d0a4e05194dfdfbf","packagetype":"sdist","python_version":"source","requires_python":null,"size":1054071,"upload_time":"2015-06-01T23:39:13","upload_time_iso_8601":"2015-06-01T23:39:13.056904Z","url":"https://files.pythonhosted.org/packages/75/b1/66532c273bca0133e42c3b4540a1609289f16e3046f1830f18c60794d661/pip-7.0.2.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[{"aliases":["CVE-2019-20916","GHSA-gpvv-69j7-gwj8"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py.","fixed_in":["19.2"],"id":"PYSEC-2020-173","link":"https://osv.dev/vulnerability/PYSEC-2020-173","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572","GHSA-5xp3-jfq3-5q8x"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"PYSEC-2021-437","link":"https://osv.dev/vulnerability/PYSEC-2021-437","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2019-20916"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py. A fix was committed 6704f2ace.","fixed_in":["19.2"],"id":"GHSA-gpvv-69j7-gwj8","link":"https://osv.dev/vulnerability/GHSA-gpvv-69j7-gwj8","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"GHSA-5xp3-jfq3-5q8x","link":"https://osv.dev/vulnerability/GHSA-5xp3-jfq3-5q8x","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the `hg clone` call (e.g. `--config`). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.","fixed_in":["23.3"],"id":"GHSA-mq26-g339-26xf","link":"https://osv.dev/vulnerability/GHSA-mq26-g339-26xf","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL  (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n","fixed_in":["23.3"],"id":"PYSEC-2023-228","link":"https://osv.dev/vulnerability/PYSEC-2023-228","source":"osv","summary":null,"withdrawn":null}]},"7.0.3":{"info":{"author":"The pip developers","author_email":"python-virtualenv@groups.google.com","bugtrack_url":null,"classifiers":["Development Status :: 5 - Production/Stable","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Programming Language :: Python :: 2","Programming Language :: Python :: 2.6","Programming Language :: Python :: 2.7","Programming Language :: Python :: 3","Programming Language :: Python :: 3.2","Programming Language :: Python :: 3.3","Programming Language :: Python :: 3.4","Programming Language :: Python :: Implementation :: PyPy","Topic :: Software Development :: Build Tools"],"description_content_type":null,"docs_url":null,"download_url":null,"downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"https://pip.pypa.io/","keywords":"easy_install distutils setuptools egg virtualenv","license":"MIT","maintainer":null,"maintainer_email":null,"name":"pip","package_url":"https://pypi.org/project/pip/","platform":"UNKNOWN","project_url":"https://pypi.org/project/pip/","project_urls":{"Homepage":"https://pip.pypa.io/"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/7.0.3/","requires_dist":["pytest; extra == 'testing'","virtualenv (>=1.10); extra == 'testing'","scripttest (>=1.3); extra == 'testing'","mock; extra == 'testing'"],"requires_python":null,"summary":"The PyPA recommended tool for installing Python packages.","version":"7.0.3","yanked":false,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"967633a598ae42dd0554207d83c7acc60e3b166dbde723cbf282f1f73b7a127c","md5":"6950e1d775fea7ea50af690f72589dbd","sha256":"7b1cb03e827d58d2d05e68ea96a9e27487ed4b0afcd951ac6e40847ce94f0738"},"downloads":-1,"filename":"pip-7.0.3-py2.py3-none-any.whl","has_sig":false,"md5_digest":"6950e1d775fea7ea50af690f72589dbd","packagetype":"bdist_wheel","python_version":"py2.py3","requires_python":null,"size":1118548,"upload_time":"2015-06-02T01:30:16","upload_time_iso_8601":"2015-06-02T01:30:16.135291Z","url":"https://files.pythonhosted.org/packages/96/76/33a598ae42dd0554207d83c7acc60e3b166dbde723cbf282f1f73b7a127c/pip-7.0.3-py2.py3-none-any.whl","yanked":false,"yanked_reason":null},{"comment_text":"","digests":{"blake2b_256":"35595b23115758ba0f2fc465c459611865173ef006202ba83f662d1f58ed2fb8","md5":"54cbf5ae000fb3af3367345f5d299d1c","sha256":"b4c598825a6f6dc2cac65968feb28e6be6c1f7f1408493c60a07eaa731a0affd"},"downloads":-1,"filename":"pip-7.0.3.tar.gz","has_sig":false,"md5_digest":"54cbf5ae000fb3af3367345f5d299d1c","packagetype":"sdist","python_version":"source","requires_python":null,"size":1054215,"upload_time":"2015-06-02T01:30:30","upload_time_iso_8601":"2015-06-02T01:30:30.679685Z","url":"https://files.pythonhosted.org/packages/35/59/5b23115758ba0f2fc465c459611865173ef006202ba83f662d1f58ed2fb8/pip-7.0.3.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[{"aliases":["CVE-2019-20916","GHSA-gpvv-69j7-gwj8"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py.","fixed_in":["19.2"],"id":"PYSEC-2020-173","link":"https://osv.dev/vulnerability/PYSEC-2020-173","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572","GHSA-5xp3-jfq3-5q8x"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"PYSEC-2021-437","link":"https://osv.dev/vulnerability/PYSEC-2021-437","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2019-20916"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py. A fix was committed 6704f2ace.","fixed_in":["19.2"],"id":"GHSA-gpvv-69j7-gwj8","link":"https://osv.dev/vulnerability/GHSA-gpvv-69j7-gwj8","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"GHSA-5xp3-jfq3-5q8x","link":"https://osv.dev/vulnerability/GHSA-5xp3-jfq3-5q8x","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the `hg clone` call (e.g. `--config`). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.","fixed_in":["23.3"],"id":"GHSA-mq26-g339-26xf","link":"https://osv.dev/vulnerability/GHSA-mq26-g339-26xf","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL  (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n","fixed_in":["23.3"],"id":"PYSEC-2023-228","link":"https://osv.dev/vulnerability/PYSEC-2023-228","source":"osv","summary":null,"withdrawn":null}]},"7.1.0":{"info":{"author":"The pip developers","author_email":"python-virtualenv@groups.google.com","bugtrack_url":null,"classifiers":["Development Status :: 5 - Production/Stable","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Programming Language :: Python :: 2","Programming Language :: Python :: 2.6","Programming Language :: Python :: 2.7","Programming Language :: Python :: 3","Programming Language :: Python :: 3.2","Programming Language :: Python :: 3.3","Programming Language :: Python :: 3.4","Programming Language :: Python :: Implementation :: PyPy","Topic :: Software Development :: Build Tools"],"description_content_type":null,"docs_url":null,"download_url":null,"downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"https://pip.pypa.io/","keywords":"easy_install distutils setuptools egg virtualenv","license":"MIT","maintainer":null,"maintainer_email":null,"name":"pip","package_url":"https://pypi.org/project/pip/","platform":"UNKNOWN","project_url":"https://pypi.org/project/pip/","project_urls":{"Homepage":"https://pip.pypa.io/"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/7.1.0/","requires_dist":["pytest; extra == 'testing'","virtualenv (>=1.10); extra == 'testing'","scripttest (>=1.3); extra == 'testing'","mock; extra == 'testing'"],"requires_python":null,"summary":"The PyPA recommended tool for installing Python packages.","version":"7.1.0","yanked":false,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"f7c09f8dac88326609b4b12b304e8382f64f7d5af7735a00d2fac36cf135fc30","md5":"b108384a762825ec20345bb9b5b7209f","sha256":"80c29f899d3a00a448d65f8158544d22935baec7159af8da1a4fa1490ced481d"},"downloads":-1,"filename":"pip-7.1.0-py2.py3-none-any.whl","has_sig":false,"md5_digest":"b108384a762825ec20345bb9b5b7209f","packagetype":"bdist_wheel","python_version":"py2.py3","requires_python":null,"size":1111835,"upload_time":"2015-06-30T23:12:13","upload_time_iso_8601":"2015-06-30T23:12:13.357882Z","url":"https://files.pythonhosted.org/packages/f7/c0/9f8dac88326609b4b12b304e8382f64f7d5af7735a00d2fac36cf135fc30/pip-7.1.0-py2.py3-none-any.whl","yanked":false,"yanked_reason":null},{"comment_text":"","digests":{"blake2b_256":"7e713c6ece07a9a885650aa6607b0ebfdf6fc9a3ef8691c44b5e724e4eee7bf2","md5":"d935ee9146074b1d3f26c5f0acfd120e","sha256":"d5275ba3221182a5dd1b6bcfbfc5ec277fb399dd23226d6fa018048f7e0f10f2"},"downloads":-1,"filename":"pip-7.1.0.tar.gz","has_sig":false,"md5_digest":"d935ee9146074b1d3f26c5f0acfd120e","packagetype":"sdist","python_version":"source","requires_python":null,"size":1049267,"upload_time":"2015-06-30T23:12:17","upload_time_iso_8601":"2015-06-30T23:12:17.953147Z","url":"https://files.pythonhosted.org/packages/7e/71/3c6ece07a9a885650aa6607b0ebfdf6fc9a3ef8691c44b5e724e4eee7bf2/pip-7.1.0.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[{"aliases":["CVE-2019-20916","GHSA-gpvv-69j7-gwj8"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py.","fixed_in":["19.2"],"id":"PYSEC-2020-173","link":"https://osv.dev/vulnerability/PYSEC-2020-173","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572","GHSA-5xp3-jfq3-5q8x"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"PYSEC-2021-437","link":"https://osv.dev/vulnerability/PYSEC-2021-437","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2019-20916"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py. A fix was committed 6704f2ace.","fixed_in":["19.2"],"id":"GHSA-gpvv-69j7-gwj8","link":"https://osv.dev/vulnerability/GHSA-gpvv-69j7-gwj8","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"GHSA-5xp3-jfq3-5q8x","link":"https://osv.dev/vulnerability/GHSA-5xp3-jfq3-5q8x","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the `hg clone` call (e.g. `--config`). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.","fixed_in":["23.3"],"id":"GHSA-mq26-g339-26xf","link":"https://osv.dev/vulnerability/GHSA-mq26-g339-26xf","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL  (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n","fixed_in":["23.3"],"id":"PYSEC-2023-228","link":"https://osv.dev/vulnerability/PYSEC-2023-228","source":"osv","summary":null,"withdrawn":null}]},"7.1.1":{"info":{"author":"The pip developers","author_email":"python-virtualenv@groups.google.com","bugtrack_url":null,"classifiers":["Development Status :: 5 - Production/Stable","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Programming Language :: Python :: 2","Programming Language :: Python :: 2.6","Programming Language :: Python :: 2.7","Programming Language :: Python :: 3","Programming Language :: Python :: 3.2","Programming Language :: Python :: 3.3","Programming Language :: Python :: 3.4","Programming Language :: Python :: Implementation :: PyPy","Topic :: Software Development :: Build Tools"],"description_content_type":null,"docs_url":null,"download_url":null,"downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"https://pip.pypa.io/","keywords":"easy_install distutils setuptools egg virtualenv","license":"MIT","maintainer":null,"maintainer_email":null,"name":"pip","package_url":"https://pypi.org/project/pip/","platform":"UNKNOWN","project_url":"https://pypi.org/project/pip/","project_urls":{"Homepage":"https://pip.pypa.io/"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/7.1.1/","requires_dist":["pytest; extra == 'testing'","virtualenv (>=1.10); extra == 'testing'","scripttest (>=1.3); extra == 'testing'","mock; extra == 'testing'"],"requires_python":null,"summary":"The PyPA recommended tool for installing Python packages.","version":"7.1.1","yanked":false,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"1c56094d563c508917081bccff365e4f621ba33073c1c13aca9267a43cfcaf13","md5":"f7e937193b5a119d42736a0585293769","sha256":"ce13000878d34c1178af76cb8cf269e232c00508c78ed46c165dd5b0881615f4"},"downloads":-1,"filename":"pip-7.1.1-py2.py3-none-any.whl","has_sig":false,"md5_digest":"f7e937193b5a119d42736a0585293769","packagetype":"bdist_wheel","python_version":"py2.py3","requires_python":null,"size":1111330,"upload_time":"2015-08-20T21:26:04","upload_time_iso_8601":"2015-08-20T21:26:04.556203Z","url":"https://files.pythonhosted.org/packages/1c/56/094d563c508917081bccff365e4f621ba33073c1c13aca9267a43cfcaf13/pip-7.1.1-py2.py3-none-any.whl","yanked":false,"yanked_reason":null},{"comment_text":"","digests":{"blake2b_256":"3bbbb3f2a95494fd3f01d3b3ae530e7c0e910dc25e88e30787b0a5e10cbc0640","md5":"9c30c61ca871f72465d882728ca24d93","sha256":"b22fe3c93a13fc7c04f145a42fd2ad50a9e3e1b8a7eed2e2b1c66e540a0951da"},"downloads":-1,"filename":"pip-7.1.1.tar.gz","has_sig":false,"md5_digest":"9c30c61ca871f72465d882728ca24d93","packagetype":"sdist","python_version":"source","requires_python":null,"size":1049099,"upload_time":"2015-08-20T21:26:12","upload_time_iso_8601":"2015-08-20T21:26:12.387000Z","url":"https://files.pythonhosted.org/packages/3b/bb/b3f2a95494fd3f01d3b3ae530e7c0e910dc25e88e30787b0a5e10cbc0640/pip-7.1.1.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[{"aliases":["CVE-2019-20916","GHSA-gpvv-69j7-gwj8"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py.","fixed_in":["19.2"],"id":"PYSEC-2020-173","link":"https://osv.dev/vulnerability/PYSEC-2020-173","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572","GHSA-5xp3-jfq3-5q8x"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"PYSEC-2021-437","link":"https://osv.dev/vulnerability/PYSEC-2021-437","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2019-20916"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py. A fix was committed 6704f2ace.","fixed_in":["19.2"],"id":"GHSA-gpvv-69j7-gwj8","link":"https://osv.dev/vulnerability/GHSA-gpvv-69j7-gwj8","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"GHSA-5xp3-jfq3-5q8x","link":"https://osv.dev/vulnerability/GHSA-5xp3-jfq3-5q8x","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the `hg clone` call (e.g. `--config`). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.","fixed_in":["23.3"],"id":"GHSA-mq26-g339-26xf","link":"https://osv.dev/vulnerability/GHSA-mq26-g339-26xf","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL  (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n","fixed_in":["23.3"],"id":"PYSEC-2023-228","link":"https://osv.dev/vulnerability/PYSEC-2023-228","source":"osv","summary":null,"withdrawn":null}]},"7.1.2":{"info":{"author":"The pip developers","author_email":"python-virtualenv@groups.google.com","bugtrack_url":null,"classifiers":["Development Status :: 5 - Production/Stable","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Programming Language :: Python :: 2","Programming Language :: Python :: 2.6","Programming Language :: Python :: 2.7","Programming Language :: Python :: 3","Programming Language :: Python :: 3.2","Programming Language :: Python :: 3.3","Programming Language :: Python :: 3.4","Programming Language :: Python :: Implementation :: PyPy","Topic :: Software Development :: Build Tools"],"description_content_type":null,"docs_url":null,"download_url":null,"downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"https://pip.pypa.io/","keywords":"easy_install distutils setuptools egg virtualenv","license":"MIT","maintainer":null,"maintainer_email":null,"name":"pip","package_url":"https://pypi.org/project/pip/","platform":"UNKNOWN","project_url":"https://pypi.org/project/pip/","project_urls":{"Homepage":"https://pip.pypa.io/"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/7.1.2/","requires_dist":["pytest; extra == 'testing'","virtualenv (>=1.10); extra == 'testing'","scripttest (>=1.3); extra == 'testing'","mock; extra == 'testing'"],"requires_python":null,"summary":"The PyPA recommended tool for installing Python packages.","version":"7.1.2","yanked":false,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"b2d0cd115fe345dd6f07ec1c780020a7dfe74966fceeb171e0f20d1d4905b0b7","md5":"5ff9fec0be479e4e36df467556deed4d","sha256":"b9d3983b5cce04f842175e30169d2f869ef12c3546fd274083a65eada4e9708c"},"downloads":-1,"filename":"pip-7.1.2-py2.py3-none-any.whl","has_sig":false,"md5_digest":"5ff9fec0be479e4e36df467556deed4d","packagetype":"bdist_wheel","python_version":"py2.py3","requires_python":null,"size":1111358,"upload_time":"2015-08-22T22:48:12","upload_time_iso_8601":"2015-08-22T22:48:12.483602Z","url":"https://files.pythonhosted.org/packages/b2/d0/cd115fe345dd6f07ec1c780020a7dfe74966fceeb171e0f20d1d4905b0b7/pip-7.1.2-py2.py3-none-any.whl","yanked":false,"yanked_reason":null},{"comment_text":"","digests":{"blake2b_256":"d0921e8406c15d9372084a5bf79d96da3a0acc4e7fcf0b80020a4820897d2a5c","md5":"3823d2343d9f3aaab21cf9c917710196","sha256":"ca047986f0528cfa975a14fb9f7f106271d4e0c3fe1ddced6c1db2e7ae57a477"},"downloads":-1,"filename":"pip-7.1.2.tar.gz","has_sig":false,"md5_digest":"3823d2343d9f3aaab21cf9c917710196","packagetype":"sdist","python_version":"source","requires_python":null,"size":1049170,"upload_time":"2015-08-22T22:48:23","upload_time_iso_8601":"2015-08-22T22:48:23.522680Z","url":"https://files.pythonhosted.org/packages/d0/92/1e8406c15d9372084a5bf79d96da3a0acc4e7fcf0b80020a4820897d2a5c/pip-7.1.2.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[{"aliases":["CVE-2019-20916","GHSA-gpvv-69j7-gwj8"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py.","fixed_in":["19.2"],"id":"PYSEC-2020-173","link":"https://osv.dev/vulnerability/PYSEC-2020-173","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572","GHSA-5xp3-jfq3-5q8x"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"PYSEC-2021-437","link":"https://osv.dev/vulnerability/PYSEC-2021-437","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2019-20916"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py. A fix was committed 6704f2ace.","fixed_in":["19.2"],"id":"GHSA-gpvv-69j7-gwj8","link":"https://osv.dev/vulnerability/GHSA-gpvv-69j7-gwj8","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"GHSA-5xp3-jfq3-5q8x","link":"https://osv.dev/vulnerability/GHSA-5xp3-jfq3-5q8x","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the `hg clone` call (e.g. `--config`). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.","fixed_in":["23.3"],"id":"GHSA-mq26-g339-26xf","link":"https://osv.dev/vulnerability/GHSA-mq26-g339-26xf","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL  (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n","fixed_in":["23.3"],"id":"PYSEC-2023-228","link":"https://osv.dev/vulnerability/PYSEC-2023-228","source":"osv","summary":null,"withdrawn":null}]},"8.0.0":{"info":{"author":"The pip developers","author_email":"python-virtualenv@groups.google.com","bugtrack_url":null,"classifiers":["Development Status :: 5 - Production/Stable","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Programming Language :: Python :: 2","Programming Language :: Python :: 2.6","Programming Language :: Python :: 2.7","Programming Language :: Python :: 3","Programming Language :: Python :: 3.3","Programming Language :: Python :: 3.4","Programming Language :: Python :: 3.5","Programming Language :: Python :: Implementation :: PyPy","Topic :: Software Development :: Build Tools"],"description_content_type":null,"docs_url":null,"download_url":"","downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"https://pip.pypa.io/","keywords":"easy_install distutils setuptools egg virtualenv","license":"MIT","maintainer":"","maintainer_email":"","name":"pip","package_url":"https://pypi.org/project/pip/","platform":"UNKNOWN","project_url":"https://pypi.org/project/pip/","project_urls":{"Homepage":"https://pip.pypa.io/"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/8.0.0/","requires_dist":["mock; extra == 'testing'","pytest; extra == 'testing'","scripttest (>=1.3); extra == 'testing'","virtualenv (>=1.10); extra == 'testing'"],"requires_python":"","summary":"The PyPA recommended tool for installing Python packages.","version":"8.0.0","yanked":false,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"00aebddef02881ee09c6a01a0d6541aa6c75a226a4e68b041be93142befa0cd6","md5":"7b1da5eba510e1631791dcf300657916","sha256":"262ed1823eb7fbe3f18a9bedb4800e59c4ab9a6682aff8c37b5ee83ea840910b"},"downloads":-1,"filename":"pip-8.0.0-py2.py3-none-any.whl","has_sig":false,"md5_digest":"7b1da5eba510e1631791dcf300657916","packagetype":"bdist_wheel","python_version":"py2.py3","requires_python":null,"size":1188709,"upload_time":"2016-01-20T00:41:09","upload_time_iso_8601":"2016-01-20T00:41:09.360022Z","url":"https://files.pythonhosted.org/packages/00/ae/bddef02881ee09c6a01a0d6541aa6c75a226a4e68b041be93142befa0cd6/pip-8.0.0-py2.py3-none-any.whl","yanked":false,"yanked_reason":null},{"comment_text":"","digests":{"blake2b_256":"e32d03c014d11e66628abf2fda5ca00f779cbe7b5292c5cd13d42a95b94aa9b8","md5":"5601c4323464add1482291634142894d","sha256":"90112b296152f270cb8dddcd19b7b87488d9e002e8cf622e14c4da9c2f6319b1"},"downloads":-1,"filename":"pip-8.0.0.tar.gz","has_sig":false,"md5_digest":"5601c4323464add1482291634142894d","packagetype":"sdist","python_version":"source","requires_python":null,"size":1129857,"upload_time":"2016-01-20T00:43:08","upload_time_iso_8601":"2016-01-20T00:43:08.426906Z","url":"https://files.pythonhosted.org/packages/e3/2d/03c014d11e66628abf2fda5ca00f779cbe7b5292c5cd13d42a95b94aa9b8/pip-8.0.0.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[{"aliases":["CVE-2019-20916","GHSA-gpvv-69j7-gwj8"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py.","fixed_in":["19.2"],"id":"PYSEC-2020-173","link":"https://osv.dev/vulnerability/PYSEC-2020-173","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572","GHSA-5xp3-jfq3-5q8x"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"PYSEC-2021-437","link":"https://osv.dev/vulnerability/PYSEC-2021-437","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2019-20916"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py. A fix was committed 6704f2ace.","fixed_in":["19.2"],"id":"GHSA-gpvv-69j7-gwj8","link":"https://osv.dev/vulnerability/GHSA-gpvv-69j7-gwj8","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"GHSA-5xp3-jfq3-5q8x","link":"https://osv.dev/vulnerability/GHSA-5xp3-jfq3-5q8x","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the `hg clone` call (e.g. `--config`). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.","fixed_in":["23.3"],"id":"GHSA-mq26-g339-26xf","link":"https://osv.dev/vulnerability/GHSA-mq26-g339-26xf","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL  (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n","fixed_in":["23.3"],"id":"PYSEC-2023-228","link":"https://osv.dev/vulnerability/PYSEC-2023-228","source":"osv","summary":null,"withdrawn":null}]},"8.0.1":{"info":{"author":"The pip developers","author_email":"python-virtualenv@groups.google.com","bugtrack_url":null,"classifiers":["Development Status :: 5 - Production/Stable","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Programming Language :: Python :: 2","Programming Language :: Python :: 2.6","Programming Language :: Python :: 2.7","Programming Language :: Python :: 3","Programming Language :: Python :: 3.3","Programming Language :: Python :: 3.4","Programming Language :: Python :: 3.5","Programming Language :: Python :: Implementation :: PyPy","Topic :: Software Development :: Build Tools"],"description_content_type":null,"docs_url":null,"download_url":"","downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"https://pip.pypa.io/","keywords":"easy_install distutils setuptools egg virtualenv","license":"MIT","maintainer":"","maintainer_email":"","name":"pip","package_url":"https://pypi.org/project/pip/","platform":"UNKNOWN","project_url":"https://pypi.org/project/pip/","project_urls":{"Homepage":"https://pip.pypa.io/"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/8.0.1/","requires_dist":["mock; extra == 'testing'","pytest; extra == 'testing'","scripttest (>=1.3); extra == 'testing'","virtualenv (>=1.10); extra == 'testing'"],"requires_python":"","summary":"The PyPA recommended tool for installing Python packages.","version":"8.0.1","yanked":false,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"459c6f9a24917c860873e2ce7bd95b8f79897524353df51d5d920cd6b6c1ec33","md5":"114a650ae146ba04d9c8e1ae691e4e44","sha256":"dedaac846bc74e38a3253671f51a056331ffca1da70e3f48d8128f2aa0635bba"},"downloads":-1,"filename":"pip-8.0.1-py2.py3-none-any.whl","has_sig":false,"md5_digest":"114a650ae146ba04d9c8e1ae691e4e44","packagetype":"bdist_wheel","python_version":"py2.py3","requires_python":null,"size":1189821,"upload_time":"2016-01-21T19:35:44","upload_time_iso_8601":"2016-01-21T19:35:44.204866Z","url":"https://files.pythonhosted.org/packages/45/9c/6f9a24917c860873e2ce7bd95b8f79897524353df51d5d920cd6b6c1ec33/pip-8.0.1-py2.py3-none-any.whl","yanked":false,"yanked_reason":null},{"comment_text":"","digests":{"blake2b_256":"ea66a3d6187bd307159fedf8575c0d9ee2294d13b1cdd11673ca812e6a2dda8f","md5":"21db6796276402d0f48f0ccfee2abdac","sha256":"477c50b3e538a7ac0fa611fb8b877b04b33fb70d325b12a81b9dbf3eb1158a4d"},"downloads":-1,"filename":"pip-8.0.1.tar.gz","has_sig":false,"md5_digest":"21db6796276402d0f48f0ccfee2abdac","packagetype":"sdist","python_version":"source","requires_python":null,"size":1131239,"upload_time":"2016-01-21T19:35:51","upload_time_iso_8601":"2016-01-21T19:35:51.520974Z","url":"https://files.pythonhosted.org/packages/ea/66/a3d6187bd307159fedf8575c0d9ee2294d13b1cdd11673ca812e6a2dda8f/pip-8.0.1.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[{"aliases":["CVE-2019-20916","GHSA-gpvv-69j7-gwj8"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py.","fixed_in":["19.2"],"id":"PYSEC-2020-173","link":"https://osv.dev/vulnerability/PYSEC-2020-173","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572","GHSA-5xp3-jfq3-5q8x"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"PYSEC-2021-437","link":"https://osv.dev/vulnerability/PYSEC-2021-437","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2019-20916"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py. A fix was committed 6704f2ace.","fixed_in":["19.2"],"id":"GHSA-gpvv-69j7-gwj8","link":"https://osv.dev/vulnerability/GHSA-gpvv-69j7-gwj8","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"GHSA-5xp3-jfq3-5q8x","link":"https://osv.dev/vulnerability/GHSA-5xp3-jfq3-5q8x","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the `hg clone` call (e.g. `--config`). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.","fixed_in":["23.3"],"id":"GHSA-mq26-g339-26xf","link":"https://osv.dev/vulnerability/GHSA-mq26-g339-26xf","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL  (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n","fixed_in":["23.3"],"id":"PYSEC-2023-228","link":"https://osv.dev/vulnerability/PYSEC-2023-228","source":"osv","summary":null,"withdrawn":null}]},"8.0.2":{"info":{"author":"The pip developers","author_email":"python-virtualenv@groups.google.com","bugtrack_url":null,"classifiers":["Development Status :: 5 - Production/Stable","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Programming Language :: Python :: 2","Programming Language :: Python :: 2.6","Programming Language :: Python :: 2.7","Programming Language :: Python :: 3","Programming Language :: Python :: 3.3","Programming Language :: Python :: 3.4","Programming Language :: Python :: 3.5","Programming Language :: Python :: Implementation :: PyPy","Topic :: Software Development :: Build Tools"],"description_content_type":null,"docs_url":null,"download_url":"","downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"https://pip.pypa.io/","keywords":"easy_install distutils setuptools egg virtualenv","license":"MIT","maintainer":"","maintainer_email":"","name":"pip","package_url":"https://pypi.org/project/pip/","platform":"UNKNOWN","project_url":"https://pypi.org/project/pip/","project_urls":{"Homepage":"https://pip.pypa.io/"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/8.0.2/","requires_dist":["mock; extra == 'testing'","pytest; extra == 'testing'","scripttest (>=1.3); extra == 'testing'","virtualenv (>=1.10); extra == 'testing'"],"requires_python":"","summary":"The PyPA recommended tool for installing Python packages.","version":"8.0.2","yanked":false,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"e7a0bd35f5f978a5e925953ce02fa0f078a232f0f10fcbe543d8cfc043f74fda","md5":"2056f553d5b593d3a970296f229c1b79","sha256":"249a6f3194be8c2e8cb4d4be3f6fd16a9f1e3336218caffa8e7419e3816f9988"},"downloads":-1,"filename":"pip-8.0.2-py2.py3-none-any.whl","has_sig":false,"md5_digest":"2056f553d5b593d3a970296f229c1b79","packagetype":"bdist_wheel","python_version":"py2.py3","requires_python":null,"size":1188805,"upload_time":"2016-01-21T23:49:36","upload_time_iso_8601":"2016-01-21T23:49:36.011163Z","url":"https://files.pythonhosted.org/packages/e7/a0/bd35f5f978a5e925953ce02fa0f078a232f0f10fcbe543d8cfc043f74fda/pip-8.0.2-py2.py3-none-any.whl","yanked":false,"yanked_reason":null},{"comment_text":"","digests":{"blake2b_256":"ce15ee1f9a84365423e9ef03d0f9ed0eba2fb00ac1fffdd33e7b52aea914d0f8","md5":"3a73c4188f8dbad6a1e6f6d44d117eeb","sha256":"46f4bd0d8dfd51125a554568d646fe4200a3c2c6c36b9f2d06d2212148439521"},"downloads":-1,"filename":"pip-8.0.2.tar.gz","has_sig":false,"md5_digest":"3a73c4188f8dbad6a1e6f6d44d117eeb","packagetype":"sdist","python_version":"source","requires_python":null,"size":1130183,"upload_time":"2016-01-21T23:49:42","upload_time_iso_8601":"2016-01-21T23:49:42.461044Z","url":"https://files.pythonhosted.org/packages/ce/15/ee1f9a84365423e9ef03d0f9ed0eba2fb00ac1fffdd33e7b52aea914d0f8/pip-8.0.2.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[{"aliases":["CVE-2019-20916","GHSA-gpvv-69j7-gwj8"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py.","fixed_in":["19.2"],"id":"PYSEC-2020-173","link":"https://osv.dev/vulnerability/PYSEC-2020-173","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572","GHSA-5xp3-jfq3-5q8x"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"PYSEC-2021-437","link":"https://osv.dev/vulnerability/PYSEC-2021-437","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2019-20916"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py. A fix was committed 6704f2ace.","fixed_in":["19.2"],"id":"GHSA-gpvv-69j7-gwj8","link":"https://osv.dev/vulnerability/GHSA-gpvv-69j7-gwj8","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"GHSA-5xp3-jfq3-5q8x","link":"https://osv.dev/vulnerability/GHSA-5xp3-jfq3-5q8x","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the `hg clone` call (e.g. `--config`). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.","fixed_in":["23.3"],"id":"GHSA-mq26-g339-26xf","link":"https://osv.dev/vulnerability/GHSA-mq26-g339-26xf","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL  (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n","fixed_in":["23.3"],"id":"PYSEC-2023-228","link":"https://osv.dev/vulnerability/PYSEC-2023-228","source":"osv","summary":null,"withdrawn":null}]},"8.0.3":{"info":{"author":"The pip developers","author_email":"python-virtualenv@groups.google.com","bugtrack_url":null,"classifiers":["Development Status :: 5 - Production/Stable","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Programming Language :: Python :: 2","Programming Language :: Python :: 2.6","Programming Language :: Python :: 2.7","Programming Language :: Python :: 3","Programming Language :: Python :: 3.3","Programming Language :: Python :: 3.4","Programming Language :: Python :: 3.5","Programming Language :: Python :: Implementation :: PyPy","Topic :: Software Development :: Build Tools"],"description_content_type":null,"docs_url":null,"download_url":"","downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"https://pip.pypa.io/","keywords":"easy_install distutils setuptools egg virtualenv","license":"MIT","maintainer":"","maintainer_email":"","name":"pip","package_url":"https://pypi.org/project/pip/","platform":"UNKNOWN","project_url":"https://pypi.org/project/pip/","project_urls":{"Homepage":"https://pip.pypa.io/"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/8.0.3/","requires_dist":["mock; extra == 'testing'","pretend; extra == 'testing'","pytest; extra == 'testing'","scripttest (>=1.3); extra == 'testing'","virtualenv (>=1.10); extra == 'testing'"],"requires_python":"","summary":"The PyPA recommended tool for installing Python packages.","version":"8.0.3","yanked":false,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"aed42b127310f5364610b74c28e2e6a40bc19e2d3c9a9a4e012d3e333e767c99","md5":"b234250205337ff67967dff300001e3d","sha256":"b0335bc837f9edb5aad03bd43d0973b084a1cbe616f8188dc23ba13234dbd552"},"downloads":-1,"filename":"pip-8.0.3-py2.py3-none-any.whl","has_sig":false,"md5_digest":"b234250205337ff67967dff300001e3d","packagetype":"bdist_wheel","python_version":"py2.py3","requires_python":null,"size":1190016,"upload_time":"2016-02-25T17:19:05","upload_time_iso_8601":"2016-02-25T17:19:05.770642Z","url":"https://files.pythonhosted.org/packages/ae/d4/2b127310f5364610b74c28e2e6a40bc19e2d3c9a9a4e012d3e333e767c99/pip-8.0.3-py2.py3-none-any.whl","yanked":false,"yanked_reason":null},{"comment_text":"","digests":{"blake2b_256":"22f314bc87a4f6b5ec70b682765978a6f3105bf05b6781fa97e04d30138bd264","md5":"8f000fc101e47f4f199fa29df1e0b0df","sha256":"30f98b66f3fe1069c529a491597d34a1c224a68640c82caf2ade5f88aa1405e8"},"downloads":-1,"filename":"pip-8.0.3.tar.gz","has_sig":false,"md5_digest":"8f000fc101e47f4f199fa29df1e0b0df","packagetype":"sdist","python_version":"source","requires_python":null,"size":1131758,"upload_time":"2016-02-25T17:19:21","upload_time_iso_8601":"2016-02-25T17:19:21.542588Z","url":"https://files.pythonhosted.org/packages/22/f3/14bc87a4f6b5ec70b682765978a6f3105bf05b6781fa97e04d30138bd264/pip-8.0.3.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[{"aliases":["CVE-2019-20916","GHSA-gpvv-69j7-gwj8"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py.","fixed_in":["19.2"],"id":"PYSEC-2020-173","link":"https://osv.dev/vulnerability/PYSEC-2020-173","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572","GHSA-5xp3-jfq3-5q8x"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"PYSEC-2021-437","link":"https://osv.dev/vulnerability/PYSEC-2021-437","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2019-20916"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py. A fix was committed 6704f2ace.","fixed_in":["19.2"],"id":"GHSA-gpvv-69j7-gwj8","link":"https://osv.dev/vulnerability/GHSA-gpvv-69j7-gwj8","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"GHSA-5xp3-jfq3-5q8x","link":"https://osv.dev/vulnerability/GHSA-5xp3-jfq3-5q8x","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the `hg clone` call (e.g. `--config`). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.","fixed_in":["23.3"],"id":"GHSA-mq26-g339-26xf","link":"https://osv.dev/vulnerability/GHSA-mq26-g339-26xf","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL  (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n","fixed_in":["23.3"],"id":"PYSEC-2023-228","link":"https://osv.dev/vulnerability/PYSEC-2023-228","source":"osv","summary":null,"withdrawn":null}]},"8.1.0":{"info":{"author":"The pip developers","author_email":"python-virtualenv@groups.google.com","bugtrack_url":null,"classifiers":["Development Status :: 5 - Production/Stable","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Programming Language :: Python :: 2","Programming Language :: Python :: 2.6","Programming Language :: Python :: 2.7","Programming Language :: Python :: 3","Programming Language :: Python :: 3.3","Programming Language :: Python :: 3.4","Programming Language :: Python :: 3.5","Programming Language :: Python :: Implementation :: PyPy","Topic :: Software Development :: Build Tools"],"description_content_type":null,"docs_url":null,"download_url":"","downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"https://pip.pypa.io/","keywords":"easy_install distutils setuptools egg virtualenv","license":"MIT","maintainer":"","maintainer_email":"","name":"pip","package_url":"https://pypi.org/project/pip/","platform":"UNKNOWN","project_url":"https://pypi.org/project/pip/","project_urls":{"Homepage":"https://pip.pypa.io/"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/8.1.0/","requires_dist":["mock; extra == 'testing'","pretend; extra == 'testing'","pytest; extra == 'testing'","scripttest (>=1.3); extra == 'testing'","virtualenv (>=1.10); extra == 'testing'"],"requires_python":"","summary":"The PyPA recommended tool for installing Python packages.","version":"8.1.0","yanked":false,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"1ec778440b3fb882ed001e6e12d8770bd45e73d6eced4e57f7c072b829ce8a3d","md5":"c6eca6736b2b8f7280fb25e44be7c51b","sha256":"a542b99e08002ead83200198e19a3983270357e1cb4fe704247990b5b35471dc"},"downloads":-1,"filename":"pip-8.1.0-py2.py3-none-any.whl","has_sig":false,"md5_digest":"c6eca6736b2b8f7280fb25e44be7c51b","packagetype":"bdist_wheel","python_version":"py2.py3","requires_python":null,"size":1197452,"upload_time":"2016-03-05T16:57:24","upload_time_iso_8601":"2016-03-05T16:57:24.463525Z","url":"https://files.pythonhosted.org/packages/1e/c7/78440b3fb882ed001e6e12d8770bd45e73d6eced4e57f7c072b829ce8a3d/pip-8.1.0-py2.py3-none-any.whl","yanked":false,"yanked_reason":null},{"comment_text":"","digests":{"blake2b_256":"3c726981d5adf880adecb066a1a1a4c312a17f8d787a3b85446967964ac66d55","md5":"e9c3844db343f47d16040b32ad9072be","sha256":"d8faa75dd7d0737b16d50cd0a56dc91a631c79ecfd8d38b80f6ee929ec82043e"},"downloads":-1,"filename":"pip-8.1.0.tar.gz","has_sig":false,"md5_digest":"e9c3844db343f47d16040b32ad9072be","packagetype":"sdist","python_version":"source","requires_python":null,"size":1138794,"upload_time":"2016-03-05T16:57:31","upload_time_iso_8601":"2016-03-05T16:57:31.730134Z","url":"https://files.pythonhosted.org/packages/3c/72/6981d5adf880adecb066a1a1a4c312a17f8d787a3b85446967964ac66d55/pip-8.1.0.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[{"aliases":["CVE-2019-20916","GHSA-gpvv-69j7-gwj8"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py.","fixed_in":["19.2"],"id":"PYSEC-2020-173","link":"https://osv.dev/vulnerability/PYSEC-2020-173","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572","GHSA-5xp3-jfq3-5q8x"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"PYSEC-2021-437","link":"https://osv.dev/vulnerability/PYSEC-2021-437","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2019-20916"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py. A fix was committed 6704f2ace.","fixed_in":["19.2"],"id":"GHSA-gpvv-69j7-gwj8","link":"https://osv.dev/vulnerability/GHSA-gpvv-69j7-gwj8","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"GHSA-5xp3-jfq3-5q8x","link":"https://osv.dev/vulnerability/GHSA-5xp3-jfq3-5q8x","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the `hg clone` call (e.g. `--config`). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.","fixed_in":["23.3"],"id":"GHSA-mq26-g339-26xf","link":"https://osv.dev/vulnerability/GHSA-mq26-g339-26xf","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL  (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n","fixed_in":["23.3"],"id":"PYSEC-2023-228","link":"https://osv.dev/vulnerability/PYSEC-2023-228","source":"osv","summary":null,"withdrawn":null}]},"8.1.1":{"info":{"author":"The pip developers","author_email":"python-virtualenv@groups.google.com","bugtrack_url":null,"classifiers":["Development Status :: 5 - Production/Stable","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Programming Language :: Python :: 2","Programming Language :: Python :: 2.6","Programming Language :: Python :: 2.7","Programming Language :: Python :: 3","Programming Language :: Python :: 3.3","Programming Language :: Python :: 3.4","Programming Language :: Python :: 3.5","Programming Language :: Python :: Implementation :: PyPy","Topic :: Software Development :: Build Tools"],"description_content_type":null,"docs_url":null,"download_url":"","downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"https://pip.pypa.io/","keywords":"easy_install distutils setuptools egg virtualenv","license":"MIT","maintainer":"","maintainer_email":"","name":"pip","package_url":"https://pypi.org/project/pip/","platform":"UNKNOWN","project_url":"https://pypi.org/project/pip/","project_urls":{"Homepage":"https://pip.pypa.io/"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/8.1.1/","requires_dist":["mock; extra == 'testing'","pretend; extra == 'testing'","pytest; extra == 'testing'","scripttest (>=1.3); extra == 'testing'","virtualenv (>=1.10); extra == 'testing'"],"requires_python":"","summary":"The PyPA recommended tool for installing Python packages.","version":"8.1.1","yanked":false,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"316a0f19a7edef6c8e5065f4346137cc2a08e22e141942d66af2e1e72d851462","md5":"22db7b6a517a09c29d54a76650f170eb","sha256":"44b9c342782ab905c042c207d995aa069edc02621ddbdc2b9f25954a0fdac25c"},"downloads":-1,"filename":"pip-8.1.1-py2.py3-none-any.whl","has_sig":false,"md5_digest":"22db7b6a517a09c29d54a76650f170eb","packagetype":"bdist_wheel","python_version":"py2.py3","requires_python":null,"size":1197664,"upload_time":"2016-03-17T13:53:43","upload_time_iso_8601":"2016-03-17T13:53:43.930269Z","url":"https://files.pythonhosted.org/packages/31/6a/0f19a7edef6c8e5065f4346137cc2a08e22e141942d66af2e1e72d851462/pip-8.1.1-py2.py3-none-any.whl","yanked":false,"yanked_reason":null},{"comment_text":"","digests":{"blake2b_256":"41279a8d24e1b55bd8c85e4d022da2922cb206f183e2d18fee4e320c9547e751","md5":"6b86f11841e89c8241d689956ba99ed7","sha256":"3e78d3066aaeb633d185a57afdccf700aa2e660436b4af618bcb6ff0fa511798"},"downloads":-1,"filename":"pip-8.1.1.tar.gz","has_sig":false,"md5_digest":"6b86f11841e89c8241d689956ba99ed7","packagetype":"sdist","python_version":"source","requires_python":null,"size":1139175,"upload_time":"2016-03-17T13:53:50","upload_time_iso_8601":"2016-03-17T13:53:50.356327Z","url":"https://files.pythonhosted.org/packages/41/27/9a8d24e1b55bd8c85e4d022da2922cb206f183e2d18fee4e320c9547e751/pip-8.1.1.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[{"aliases":["CVE-2019-20916","GHSA-gpvv-69j7-gwj8"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py.","fixed_in":["19.2"],"id":"PYSEC-2020-173","link":"https://osv.dev/vulnerability/PYSEC-2020-173","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572","GHSA-5xp3-jfq3-5q8x"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"PYSEC-2021-437","link":"https://osv.dev/vulnerability/PYSEC-2021-437","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2019-20916"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py. A fix was committed 6704f2ace.","fixed_in":["19.2"],"id":"GHSA-gpvv-69j7-gwj8","link":"https://osv.dev/vulnerability/GHSA-gpvv-69j7-gwj8","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"GHSA-5xp3-jfq3-5q8x","link":"https://osv.dev/vulnerability/GHSA-5xp3-jfq3-5q8x","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the `hg clone` call (e.g. `--config`). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.","fixed_in":["23.3"],"id":"GHSA-mq26-g339-26xf","link":"https://osv.dev/vulnerability/GHSA-mq26-g339-26xf","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL  (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n","fixed_in":["23.3"],"id":"PYSEC-2023-228","link":"https://osv.dev/vulnerability/PYSEC-2023-228","source":"osv","summary":null,"withdrawn":null}]},"8.1.2":{"info":{"author":"The pip developers","author_email":"python-virtualenv@groups.google.com","bugtrack_url":null,"classifiers":["Development Status :: 5 - Production/Stable","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Programming Language :: Python :: 2","Programming Language :: Python :: 2.6","Programming Language :: Python :: 2.7","Programming Language :: Python :: 3","Programming Language :: Python :: 3.3","Programming Language :: Python :: 3.4","Programming Language :: Python :: 3.5","Programming Language :: Python :: Implementation :: PyPy","Topic :: Software Development :: Build Tools"],"description_content_type":null,"docs_url":null,"download_url":"","downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"https://pip.pypa.io/","keywords":"easy_install distutils setuptools egg virtualenv","license":"MIT","maintainer":"","maintainer_email":"","name":"pip","package_url":"https://pypi.org/project/pip/","platform":"UNKNOWN","project_url":"https://pypi.org/project/pip/","project_urls":{"Homepage":"https://pip.pypa.io/"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/8.1.2/","requires_dist":["mock; extra == 'testing'","pretend; extra == 'testing'","pytest; extra == 'testing'","scripttest (>=1.3); extra == 'testing'","virtualenv (>=1.10); extra == 'testing'"],"requires_python":"","summary":"The PyPA recommended tool for installing Python packages.","version":"8.1.2","yanked":false,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"9c32004ce0852e0a127f07f358b715015763273799bd798956fa930814b60f39","md5":"0570520434c5b600d89ec95393b2650b","sha256":"6464dd9809fb34fc8df2bf49553bb11dac4c13d2ffa7a4f8038ad86a4ccb92a1"},"downloads":-1,"filename":"pip-8.1.2-py2.py3-none-any.whl","has_sig":false,"md5_digest":"0570520434c5b600d89ec95393b2650b","packagetype":"bdist_wheel","python_version":"py2.py3","requires_python":null,"size":1198961,"upload_time":"2016-05-11T00:40:59","upload_time_iso_8601":"2016-05-11T00:40:59.205444Z","url":"https://files.pythonhosted.org/packages/9c/32/004ce0852e0a127f07f358b715015763273799bd798956fa930814b60f39/pip-8.1.2-py2.py3-none-any.whl","yanked":false,"yanked_reason":null},{"comment_text":"","digests":{"blake2b_256":"e7a87556133689add8d1a54c0b14aeff0acb03c64707ce100ecd53934da1aa13","md5":"87083c0b9867963b29f7aba3613e8f4a","sha256":"4d24b03ffa67638a3fa931c09fd9e0273ffa904e95ebebe7d4b1a54c93d7b732"},"downloads":-1,"filename":"pip-8.1.2.tar.gz","has_sig":false,"md5_digest":"87083c0b9867963b29f7aba3613e8f4a","packagetype":"sdist","python_version":"source","requires_python":null,"size":1140573,"upload_time":"2016-05-11T00:41:13","upload_time_iso_8601":"2016-05-11T00:41:13.886195Z","url":"https://files.pythonhosted.org/packages/e7/a8/7556133689add8d1a54c0b14aeff0acb03c64707ce100ecd53934da1aa13/pip-8.1.2.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[{"aliases":["CVE-2019-20916","GHSA-gpvv-69j7-gwj8"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py.","fixed_in":["19.2"],"id":"PYSEC-2020-173","link":"https://osv.dev/vulnerability/PYSEC-2020-173","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572","GHSA-5xp3-jfq3-5q8x"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"PYSEC-2021-437","link":"https://osv.dev/vulnerability/PYSEC-2021-437","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2019-20916"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py. A fix was committed 6704f2ace.","fixed_in":["19.2"],"id":"GHSA-gpvv-69j7-gwj8","link":"https://osv.dev/vulnerability/GHSA-gpvv-69j7-gwj8","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"GHSA-5xp3-jfq3-5q8x","link":"https://osv.dev/vulnerability/GHSA-5xp3-jfq3-5q8x","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the `hg clone` call (e.g. `--config`). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.","fixed_in":["23.3"],"id":"GHSA-mq26-g339-26xf","link":"https://osv.dev/vulnerability/GHSA-mq26-g339-26xf","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL  (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n","fixed_in":["23.3"],"id":"PYSEC-2023-228","link":"https://osv.dev/vulnerability/PYSEC-2023-228","source":"osv","summary":null,"withdrawn":null}]},"9.0.0":{"info":{"author":"The pip developers","author_email":"python-virtualenv@groups.google.com","bugtrack_url":null,"classifiers":["Development Status :: 5 - Production/Stable","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Programming Language :: Python :: 2","Programming Language :: Python :: 2.6","Programming Language :: Python :: 2.7","Programming Language :: Python :: 3","Programming Language :: Python :: 3.3","Programming Language :: Python :: 3.4","Programming Language :: Python :: 3.5","Programming Language :: Python :: Implementation :: PyPy","Topic :: Software Development :: Build Tools"],"description_content_type":null,"docs_url":null,"download_url":"","downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"https://pip.pypa.io/","keywords":"easy_install distutils setuptools egg virtualenv","license":"MIT","maintainer":"","maintainer_email":"","name":"pip","package_url":"https://pypi.org/project/pip/","platform":"","project_url":"https://pypi.org/project/pip/","project_urls":{"Homepage":"https://pip.pypa.io/"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/9.0.0/","requires_dist":["mock; extra == 'testing'","pretend; extra == 'testing'","pytest; extra == 'testing'","scripttest (>=1.3); extra == 'testing'","virtualenv (>=1.10); extra == 'testing'"],"requires_python":">=2.6,!=3.0.*,!=3.1.*,!=3.2.*","summary":"The PyPA recommended tool for installing Python packages.","version":"9.0.0","yanked":false,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"3fef935d9296acc4f48d1791ee56a73781271dce9712b059b475d3f5fa78487b","md5":"55f554c8be55cba2a766e40fdb1bb25d","sha256":"c856ac18ca01e7127456f831926dc67cc7d3ab663f4c13b1ec156e36db4de574"},"downloads":-1,"filename":"pip-9.0.0-py2.py3-none-any.whl","has_sig":false,"md5_digest":"55f554c8be55cba2a766e40fdb1bb25d","packagetype":"bdist_wheel","python_version":"py2.py3","requires_python":">=2.6,!=3.0.*,!=3.1.*,!=3.2.*","size":1254648,"upload_time":"2016-11-02T18:24:13","upload_time_iso_8601":"2016-11-02T18:24:13.838119Z","url":"https://files.pythonhosted.org/packages/3f/ef/935d9296acc4f48d1791ee56a73781271dce9712b059b475d3f5fa78487b/pip-9.0.0-py2.py3-none-any.whl","yanked":false,"yanked_reason":null},{"comment_text":"","digests":{"blake2b_256":"5e53eaef47e5e2f75677c9de0737acc84b659b78a71c4086f424f55346a341b5","md5":"def0a8e3db26f896c128d063591bd008","sha256":"f62fb70e7e000e46fce12aaeca752e5281a5446977fe5a75ab4189a43b3f8793"},"downloads":-1,"filename":"pip-9.0.0.tar.gz","has_sig":false,"md5_digest":"def0a8e3db26f896c128d063591bd008","packagetype":"sdist","python_version":"source","requires_python":">=2.6,!=3.0.*,!=3.1.*,!=3.2.*","size":1197043,"upload_time":"2016-11-02T18:24:19","upload_time_iso_8601":"2016-11-02T18:24:19.320860Z","url":"https://files.pythonhosted.org/packages/5e/53/eaef47e5e2f75677c9de0737acc84b659b78a71c4086f424f55346a341b5/pip-9.0.0.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[{"aliases":["CVE-2019-20916","GHSA-gpvv-69j7-gwj8"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py.","fixed_in":["19.2"],"id":"PYSEC-2020-173","link":"https://osv.dev/vulnerability/PYSEC-2020-173","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572","GHSA-5xp3-jfq3-5q8x"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"PYSEC-2021-437","link":"https://osv.dev/vulnerability/PYSEC-2021-437","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2019-20916"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py. A fix was committed 6704f2ace.","fixed_in":["19.2"],"id":"GHSA-gpvv-69j7-gwj8","link":"https://osv.dev/vulnerability/GHSA-gpvv-69j7-gwj8","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"GHSA-5xp3-jfq3-5q8x","link":"https://osv.dev/vulnerability/GHSA-5xp3-jfq3-5q8x","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the `hg clone` call (e.g. `--config`). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.","fixed_in":["23.3"],"id":"GHSA-mq26-g339-26xf","link":"https://osv.dev/vulnerability/GHSA-mq26-g339-26xf","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL  (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n","fixed_in":["23.3"],"id":"PYSEC-2023-228","link":"https://osv.dev/vulnerability/PYSEC-2023-228","source":"osv","summary":null,"withdrawn":null}]},"9.0.1":{"info":{"author":"The pip developers","author_email":"python-virtualenv@groups.google.com","bugtrack_url":null,"classifiers":["Development Status :: 5 - Production/Stable","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Programming Language :: Python :: 2","Programming Language :: Python :: 2.6","Programming Language :: Python :: 2.7","Programming Language :: Python :: 3","Programming Language :: Python :: 3.3","Programming Language :: Python :: 3.4","Programming Language :: Python :: 3.5","Programming Language :: Python :: Implementation :: PyPy","Topic :: Software Development :: Build Tools"],"description_content_type":null,"docs_url":null,"download_url":"","downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"https://pip.pypa.io/","keywords":"easy_install distutils setuptools egg virtualenv","license":"MIT","maintainer":"","maintainer_email":"","name":"pip","package_url":"https://pypi.org/project/pip/","platform":"","project_url":"https://pypi.org/project/pip/","project_urls":{"Homepage":"https://pip.pypa.io/"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/9.0.1/","requires_dist":["mock; extra == 'testing'","pretend; extra == 'testing'","pytest; extra == 'testing'","scripttest (>=1.3); extra == 'testing'","virtualenv (>=1.10); extra == 'testing'"],"requires_python":">=2.6,!=3.0.*,!=3.1.*,!=3.2.*","summary":"The PyPA recommended tool for installing Python packages.","version":"9.0.1","yanked":false,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"b6ac7015eb97dc749283ffdec1c3a88ddb8ae03b8fad0f0e611408f196358da3","md5":"297dbd16ef53bcef0447d245815f5144","sha256":"690b762c0a8460c303c089d5d0be034fb15a5ea2b75bdf565f40421f542fefb0"},"downloads":-1,"filename":"pip-9.0.1-py2.py3-none-any.whl","has_sig":false,"md5_digest":"297dbd16ef53bcef0447d245815f5144","packagetype":"bdist_wheel","python_version":"py2.py3","requires_python":">=2.6,!=3.0.*,!=3.1.*,!=3.2.*","size":1254803,"upload_time":"2016-11-06T18:51:46","upload_time_iso_8601":"2016-11-06T18:51:46.325407Z","url":"https://files.pythonhosted.org/packages/b6/ac/7015eb97dc749283ffdec1c3a88ddb8ae03b8fad0f0e611408f196358da3/pip-9.0.1-py2.py3-none-any.whl","yanked":false,"yanked_reason":null},{"comment_text":"","digests":{"blake2b_256":"11b6abcb525026a4be042b486df43905d6893fb04f05aac21c32c638e939e447","md5":"35f01da33009719497f01a4ba69d63c9","sha256":"09f243e1a7b461f654c26a725fa373211bb7ff17a9300058b205c61658ca940d"},"downloads":-1,"filename":"pip-9.0.1.tar.gz","has_sig":false,"md5_digest":"35f01da33009719497f01a4ba69d63c9","packagetype":"sdist","python_version":"source","requires_python":">=2.6,!=3.0.*,!=3.1.*,!=3.2.*","size":1197370,"upload_time":"2016-11-06T18:51:51","upload_time_iso_8601":"2016-11-06T18:51:51.469799Z","url":"https://files.pythonhosted.org/packages/11/b6/abcb525026a4be042b486df43905d6893fb04f05aac21c32c638e939e447/pip-9.0.1.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[{"aliases":["CVE-2019-20916","GHSA-gpvv-69j7-gwj8"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py.","fixed_in":["19.2"],"id":"PYSEC-2020-173","link":"https://osv.dev/vulnerability/PYSEC-2020-173","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572","GHSA-5xp3-jfq3-5q8x"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"PYSEC-2021-437","link":"https://osv.dev/vulnerability/PYSEC-2021-437","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2019-20916"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py. A fix was committed 6704f2ace.","fixed_in":["19.2"],"id":"GHSA-gpvv-69j7-gwj8","link":"https://osv.dev/vulnerability/GHSA-gpvv-69j7-gwj8","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"GHSA-5xp3-jfq3-5q8x","link":"https://osv.dev/vulnerability/GHSA-5xp3-jfq3-5q8x","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the `hg clone` call (e.g. `--config`). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.","fixed_in":["23.3"],"id":"GHSA-mq26-g339-26xf","link":"https://osv.dev/vulnerability/GHSA-mq26-g339-26xf","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL  (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n","fixed_in":["23.3"],"id":"PYSEC-2023-228","link":"https://osv.dev/vulnerability/PYSEC-2023-228","source":"osv","summary":null,"withdrawn":null}]},"9.0.2":{"info":{"author":"The pip developers","author_email":"python-virtualenv@groups.google.com","bugtrack_url":null,"classifiers":["Development Status :: 5 - Production/Stable","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Programming Language :: Python :: 2","Programming Language :: Python :: 2.6","Programming Language :: Python :: 2.7","Programming Language :: Python :: 3","Programming Language :: Python :: 3.3","Programming Language :: Python :: 3.4","Programming Language :: Python :: 3.5","Programming Language :: Python :: Implementation :: PyPy","Topic :: Software Development :: Build Tools"],"description_content_type":"","docs_url":null,"download_url":"","downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"https://pip.pypa.io/","keywords":"easy_install distutils setuptools egg virtualenv","license":"MIT","maintainer":"","maintainer_email":"","name":"pip","package_url":"https://pypi.org/project/pip/","platform":"","project_url":"https://pypi.org/project/pip/","project_urls":{"Homepage":"https://pip.pypa.io/"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/9.0.2/","requires_dist":["pytest; extra == 'testing'","virtualenv (>=1.10); extra == 'testing'","scripttest (>=1.3); extra == 'testing'","mock; extra == 'testing'","pretend; extra == 'testing'"],"requires_python":">=2.6,!=3.0.*,!=3.1.*,!=3.2.*","summary":"The PyPA recommended tool for installing Python packages.","version":"9.0.2","yanked":false,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"e7f9e801dcea22886cd513f6bd2e8f7e581bd6f67bb8e8f1cd8e7b92d8539280","md5":"815c59ab81d53843067e5cc7c4e8151b","sha256":"b135491ddb061f39719b8472d8abb59c613816a2b86069c332db74d1cd208ab2"},"downloads":-1,"filename":"pip-9.0.2-py2.py3-none-any.whl","has_sig":false,"md5_digest":"815c59ab81d53843067e5cc7c4e8151b","packagetype":"bdist_wheel","python_version":"py2.py3","requires_python":">=2.6,!=3.0.*,!=3.1.*,!=3.2.*","size":1400942,"upload_time":"2018-03-17T03:40:44","upload_time_iso_8601":"2018-03-17T03:40:44.170876Z","url":"https://files.pythonhosted.org/packages/e7/f9/e801dcea22886cd513f6bd2e8f7e581bd6f67bb8e8f1cd8e7b92d8539280/pip-9.0.2-py2.py3-none-any.whl","yanked":false,"yanked_reason":null},{"comment_text":"","digests":{"blake2b_256":"e58f3fc66461992dc9e9fcf5e005687d5f676729172dda640df2fd8b597a6da7","md5":"2fddd680422326b9d1fbf56112cf341d","sha256":"88110a224e9d30e5d76592a0b2130ef10e7e67a6426e8617bb918fffbfe91fe5"},"downloads":-1,"filename":"pip-9.0.2.tar.gz","has_sig":false,"md5_digest":"2fddd680422326b9d1fbf56112cf341d","packagetype":"sdist","python_version":"source","requires_python":">=2.6,!=3.0.*,!=3.1.*,!=3.2.*","size":1343063,"upload_time":"2018-03-17T03:41:51","upload_time_iso_8601":"2018-03-17T03:41:51.929427Z","url":"https://files.pythonhosted.org/packages/e5/8f/3fc66461992dc9e9fcf5e005687d5f676729172dda640df2fd8b597a6da7/pip-9.0.2.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[{"aliases":["CVE-2019-20916","GHSA-gpvv-69j7-gwj8"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py.","fixed_in":["19.2"],"id":"PYSEC-2020-173","link":"https://osv.dev/vulnerability/PYSEC-2020-173","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572","GHSA-5xp3-jfq3-5q8x"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"PYSEC-2021-437","link":"https://osv.dev/vulnerability/PYSEC-2021-437","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2019-20916"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py. A fix was committed 6704f2ace.","fixed_in":["19.2"],"id":"GHSA-gpvv-69j7-gwj8","link":"https://osv.dev/vulnerability/GHSA-gpvv-69j7-gwj8","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"GHSA-5xp3-jfq3-5q8x","link":"https://osv.dev/vulnerability/GHSA-5xp3-jfq3-5q8x","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the `hg clone` call (e.g. `--config`). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.","fixed_in":["23.3"],"id":"GHSA-mq26-g339-26xf","link":"https://osv.dev/vulnerability/GHSA-mq26-g339-26xf","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL  (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n","fixed_in":["23.3"],"id":"PYSEC-2023-228","link":"https://osv.dev/vulnerability/PYSEC-2023-228","source":"osv","summary":null,"withdrawn":null}]},"9.0.3":{"info":{"author":"The pip developers","author_email":"python-virtualenv@groups.google.com","bugtrack_url":null,"classifiers":["Development Status :: 5 - Production/Stable","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Programming Language :: Python :: 2","Programming Language :: Python :: 2.6","Programming Language :: Python :: 2.7","Programming Language :: Python :: 3","Programming Language :: Python :: 3.3","Programming Language :: Python :: 3.4","Programming Language :: Python :: 3.5","Programming Language :: Python :: Implementation :: PyPy","Topic :: Software Development :: Build Tools"],"description_content_type":"","docs_url":null,"download_url":"","downloads":{"last_day":-1,"last_month":-1,"last_week":-1},"dynamic":null,"home_page":"https://pip.pypa.io/","keywords":"easy_install distutils setuptools egg virtualenv","license":"MIT","maintainer":"","maintainer_email":"","name":"pip","package_url":"https://pypi.org/project/pip/","platform":"","project_url":"https://pypi.org/project/pip/","project_urls":{"Homepage":"https://pip.pypa.io/"},"provides_extra":null,"release_url":"https://pypi.org/project/pip/9.0.3/","requires_dist":["pytest; extra == 'testing'","virtualenv (>=1.10); extra == 'testing'","scripttest (>=1.3); extra == 'testing'","mock; extra == 'testing'","pretend; extra == 'testing'"],"requires_python":">=2.6,!=3.0.*,!=3.1.*,!=3.2.*","summary":"The PyPA recommended tool for installing Python packages.","version":"9.0.3","yanked":false,"yanked_reason":null},"last_serial":23083893,"urls":[{"comment_text":"","digests":{"blake2b_256":"ac95a05b56bb975efa78d3557efa36acaf9cf5d2fd0ee0062060493687432e03","md5":"d512ceb964f38ba31addb8142bc657cb","sha256":"c3ede34530e0e0b2381e7363aded78e0c33291654937e7373032fda04e8803e5"},"downloads":-1,"filename":"pip-9.0.3-py2.py3-none-any.whl","has_sig":false,"md5_digest":"d512ceb964f38ba31addb8142bc657cb","packagetype":"bdist_wheel","python_version":"py2.py3","requires_python":">=2.6,!=3.0.*,!=3.1.*,!=3.2.*","size":1400985,"upload_time":"2018-03-22T01:09:39","upload_time_iso_8601":"2018-03-22T01:09:39.999512Z","url":"https://files.pythonhosted.org/packages/ac/95/a05b56bb975efa78d3557efa36acaf9cf5d2fd0ee0062060493687432e03/pip-9.0.3-py2.py3-none-any.whl","yanked":false,"yanked_reason":null},{"comment_text":"","digests":{"blake2b_256":"c444e6b8056b6c8f2bfd1445cc9990f478930d8e3459e9dbf5b8e2d2922d64d3","md5":"b15b33f9aad61f88d0f8c866d16c55d8","sha256":"7bf48f9a693be1d58f49f7af7e0ae9fe29fd671cde8a55e6edca3581c4ef5796"},"downloads":-1,"filename":"pip-9.0.3.tar.gz","has_sig":false,"md5_digest":"b15b33f9aad61f88d0f8c866d16c55d8","packagetype":"sdist","python_version":"source","requires_python":">=2.6,!=3.0.*,!=3.1.*,!=3.2.*","size":1343076,"upload_time":"2018-03-22T01:09:43","upload_time_iso_8601":"2018-03-22T01:09:43.526189Z","url":"https://files.pythonhosted.org/packages/c4/44/e6b8056b6c8f2bfd1445cc9990f478930d8e3459e9dbf5b8e2d2922d64d3/pip-9.0.3.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[{"aliases":["CVE-2019-20916","GHSA-gpvv-69j7-gwj8"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py.","fixed_in":["19.2"],"id":"PYSEC-2020-173","link":"https://osv.dev/vulnerability/PYSEC-2020-173","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572","GHSA-5xp3-jfq3-5q8x"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"PYSEC-2021-437","link":"https://osv.dev/vulnerability/PYSEC-2021-437","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2019-20916"],"details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py. A fix was committed 6704f2ace.","fixed_in":["19.2"],"id":"GHSA-gpvv-69j7-gwj8","link":"https://osv.dev/vulnerability/GHSA-gpvv-69j7-gwj8","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2021-3572"],"details":"A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.","fixed_in":["21.1"],"id":"GHSA-5xp3-jfq3-5q8x","link":"https://osv.dev/vulnerability/GHSA-5xp3-jfq3-5q8x","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the `hg clone` call (e.g. `--config`). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.","fixed_in":["23.3"],"id":"GHSA-mq26-g339-26xf","link":"https://osv.dev/vulnerability/GHSA-mq26-g339-26xf","source":"osv","summary":null,"withdrawn":null},{"aliases":["CVE-2023-5752"],"details":"When installing a package from a Mercurial VCS URL  (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n","fixed_in":["23.3"],"id":"PYSEC-2023-228","link":"https://osv.dev/vulnerability/PYSEC-2023-228","source":"osv","summary":null,"withdrawn":null}]}}