AVID-2026-R1585

Description

Remote Code Execution in pypa/setuptools (CVE-2024-6345)

Details

A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to code injection. If these functions are exposed to user-controlled inputs, such as package URLs, they can execute arbitrary commands on the system. The issue is fixed in version 70.0.

Reason for inclusion in AVID: CVE-2024-6345 describes a remote code execution vulnerability in pypa/setuptools via its package_index download functionality. This is a security vulnerability in a core packaging/dependency tool. Setuptools is widely used in Python-based AI/ML pipelines for installing dependencies, packaging, and deployment workflows, making it relevant to the AI software supply chain. The advisory provides explicit vulnerability details, affected components, impact, and a fixed version, offering sufficient signal for curation.
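The two conditions the advisory turns on are (a) a setuptools release below 70.0 and (b) package URLs that reach the download functions from user-controlled input. The following script, added here as an example and not part of the AVID entry or of setuptools itself, audits a requirements list for both: it flags pinned setuptools versions below the fixed release and rejects direct-URL requirements whose host is not on an explicit allowlist. The requirement lines and the trusted-host allowlist are constructed sample data; the `audit_requirements`, `url_allowed` and `is_patched_setuptools` helpers are this example's own names.

```python
"""Defensive checks for the CVE-2024-6345 exposure described in the advisory.

Added example (not code from the AVID entry or from pypa/setuptools).
It flags setuptools pins below the fixed release 70.0 and refuses to pass
package URLs from untrusted hosts on to any downloader.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import urlsplit

FIXED_RELEASE = (70, 0)  # fixed in setuptools 70.0 per the advisory

# Constructed allowlist: hosts a deployer has decided may serve packages.
TRUSTED_HOSTS = frozenset({"pypi.org", "files.pythonhosted.org"})

_VERSION_RE = re.compile(r"\s*v?(\d+(?:\.\d+)*)\s*((?:a|b|rc|dev|\.dev)\d*)?")
_DIRECT_REF_RE = re.compile(r"^([A-Za-z0-9_.\-\[\]]+)\s*@\s*(\S+)")
_SETUPTOOLS_PIN_RE = re.compile(r"^setuptools\s*==\s*([\w.+-]+)$", re.IGNORECASE)


def parse_version(text: str) -> tuple[tuple[int, ...], bool]:
    """Return (release segments, is_prerelease) for a version string.

    Local suffixes such as '+local' are ignored; a pre-release marker
    (a, b, rc, dev) is reported so that '70.0rc1' is not treated as 70.0.
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    release = tuple(int(p) for p in m.group(1).split("."))
    return release, m.group(2) is not None


def is_patched_setuptools(version: str) -> bool:
    """True when the setuptools version is at or above the fixed release."""
    release, prerelease = parse_version(version)
    width = max(len(release), len(FIXED_RELEASE))
    rel = release + (0,) * (width - len(release))
    fixed = FIXED_RELEASE + (0,) * (width - len(FIXED_RELEASE))
    if rel != fixed:
        return rel > fixed
    return not prerelease  # a pre-release of 70.0 is still below 70.0


def url_allowed(url: str, trusted_hosts=TRUSTED_HOSTS) -> bool:
    """Accept only https URLs whose host is on the allowlist.

    Userinfo ('https://pypi.org@evil.example/...') is rejected outright,
    since it makes the real host easy to misread.
    """
    parts = urlsplit(url.strip())
    if parts.scheme != "https":
        return False
    if parts.username or parts.password:
        return False
    host = (parts.hostname or "").lower()
    return host in trusted_hosts


@dataclass(frozen=True)
class Finding:
    line_no: int
    requirement: str
    reason: str


def audit_requirements(lines, trusted_hosts=TRUSTED_HOSTS) -> list[Finding]:
    """Scan requirement lines and return the ones that need attention."""
    findings: list[Finding] = []
    for n, raw in enumerate(lines, 1):
        # Strip trailing comments (a '#' at line start or after whitespace).
        line = re.split(r"(?:^|\s)#", raw, maxsplit=1)[0].strip()
        if not line:
            continue
        direct = _DIRECT_REF_RE.match(line)
        if direct:
            name, url = direct.groups()
            if not url_allowed(url, trusted_hosts):
                findings.append(Finding(n, line, f"direct URL for {name} is not on the trusted-host allowlist"))
            continue
        pin = _SETUPTOOLS_PIN_RE.match(line)
        if pin and not is_patched_setuptools(pin.group(1)):
            findings.append(Finding(n, line, f"setuptools {pin.group(1)} is below the fixed release 70.0"))
    return findings


# Constructed sample input resembling a requirements.txt.
SAMPLE_REQUIREMENTS = [
    "setuptools==69.1.1",
    "numpy==1.26.4",
    "mymodel @ https://files.pythonhosted.org/packages/x/mymodel-1.0.tar.gz",
    "helper @ http://mirror.example.internal/helper-0.1.tar.gz  # plain http",
    "tool @ https://pypi.org@evil.example/tool.tar.gz",
]

if __name__ == "__main__":
    for f in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"line {f.line_no}: {f.requirement!r}: {f.reason}")
```

Run against the sample list, the script reports lines 1, 4 and 5: the unpatched setuptools pin, the plain-http mirror, and the URL whose userinfo hides the real host. Pinning setuptools at or above 70.0 and keeping the allowlist in front of every downloader are the two deployer-side controls that follow directly from the advisory text.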

References

Affected or Relevant Artifacts

  • Developer: pypa
  • Deployer: pypa
  • Artifact Details:
      Type    Name
      System  pypa/setuptools

Impact

AVID Taxonomy Categorization

  • Risk domains: Security
  • SEP subcategories: S0100: Software Vulnerability
  • Lifecycle stages: L06: Deployment

CVSS

  • Version: 3.0
  • Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  • Base Score: 8.8
  • Base Severity: 🔴 High
  • Attack Vector: NETWORK
  • Attack Complexity: 🟢 Low
  • Privileges Required: NONE
  • User Interaction: REQUIRED
  • Scope: UNCHANGED
  • Confidentiality Impact: 🔴 High
  • Integrity Impact: 🔴 High
  • Availability Impact: 🔴 High

CWE

ID       Description
CWE-94   Improper Control of Generation of Code

Other information

  • Report Type: Advisory
  • Credits:
  • Date Reported: 2024-07-15
  • Version: 0.3.3
  • AVID Entry