CVE-2021-3572: Input Validation
First published: Sat Apr 24 2021(Updated: )
A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity.
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/python-pip | <0:9.0.3-20.el8 | 0:9.0.3-20.el8 |
| redhat/rh-python38-babel | <0:2.7.0-12.el7 | 0:2.7.0-12.el7 |
| redhat/rh-python38-python | <0:3.8.11-2.el7 | 0:3.8.11-2.el7 |
| redhat/rh-python38-python-cryptography | <0:2.8-5.el7 | 0:2.8-5.el7 |
| redhat/rh-python38-python-jinja2 | <0:2.10.3-6.el7 | 0:2.10.3-6.el7 |
| redhat/rh-python38-python-lxml | <0:4.4.1-7.el7 | 0:4.4.1-7.el7 |
| redhat/rh-python38-python-pip | <0:19.3.1-2.el7 | 0:19.3.1-2.el7 |
| redhat/rh-python38-python-urllib3 | <0:1.25.7-7.el7 | 0:1.25.7-7.el7 |
| redhat/python-pip | <21.1 | 21.1 |
| pip/pip | <21.1 | 21.1 |
| pypa pip | <21.1 | |
| Oracle Agile PLM | =9.3.6 | |
| Oracle Communications Cloud Native Core Network Function Cloud Native Environment | =1.10.0 | |
| Oracle Communications Cloud Native Core Network Function Cloud Native Environment | =22.1.0 | |
| Oracle Communications Cloud Native Core Policy | =1.15.0 | |
| Oracle Communications Cloud Native Core Policy | =22.1.3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2021-3572 https://nvd.nist.gov/vuln/detail/CVE-2021-3572
- https://bugzilla.redhat.com/show_bug.cgi?id=1962856
- https://access.redhat.com/errata/RHSA-2021:4160
- https://access.redhat.com/errata/RHSA-2021:4162
- https://access.redhat.com/errata/RHSA-2021:4455
- https://access.redhat.com/errata/RHSA-2021:3254
- https://access.redhat.com/security/cve/CVE-2021-3572
- https://packetstormsecurity.com/files/162712/USN-4961-1.txt
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1962857
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1962858
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1962856#c1
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1962856#c2
- https://github.com/pypa/pip/pull/9827
- https://github.com/pypa/pip/commit/e46bdda9711392fec0c45c1175bae6db847cb30b
- https://github.com/pypa/pip/blob/281eb61b09d87765d7c2b92f6982b3fe76ccb0af/pip/compat/__init__.py#L70-L90
- https://github.com/frenzymadness/CVE-2021-3572.git@original_version
- https://github.com/frenzymadness/CVE-2021-3572.git
- https://gitlab.cee.redhat.com/lbalhar/CVE-2021-3572.git@original_version
- https://gitlab.cee.redhat.com/lbalhar/CVE-2021-3572.git
- https://access.redhat.com/security/cve/cve-2021-3572
- https://security.netapp.com/advisory/ntap-20240621-0006/
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://nvd.nist.gov/vuln/detail/CVE-2021-3572
- https://security.netapp.com/advisory/ntap-20240621-0006
- https://github.com/advisories/GHSA-5xp3-jfq3-5q8x (Advisory)
- https://exchange.xforce.ibmcloud.com/vulnerabilities/208954
- https://www.ibm.com/support/pages/node/7159332 (Advisory)
- https://github.com/pypa/advisory-database/tree/main/vulns/pip/PYSEC-2021-437.yaml
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is CVE-2021-3572?
CVE-2021-3572 is a vulnerability found in python-pip that allows a remote attacker to install a different revision on a repository.
What is the severity of CVE-2021-3572?
CVE-2021-3572 has a severity level of medium.
How does CVE-2021-3572 affect data integrity?
CVE-2021-3572 poses a threat to data integrity.
How can I fix CVE-2021-3572?
To fix CVE-2021-3572, update python-pip to version 21.1.
Where can I find more information about CVE-2021-3572?
You can find more information about CVE-2021-3572 at the following references: [link1](https://packetstormsecurity.com/files/162712/USN-4961-1.txt), [link2](https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1962857), [link3](https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1962858).
- collector/redhat-cve
- agent/type
- agent/first-publish-date
- agent/remedy
- agent/weakness
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2021-3572
- agent/software-canonical-lookup
- agent/description
- agent/author
- agent/severity
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-index
- collector/nvd-cve
- collector/github-advisory
- source/GitHub
- alias/GHSA-5xp3-jfq3-5q8x
- collector/ibm-support
- source/IBM
- agent/references
- agent/softwarecombine
- agent/tags
- agent/event
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- collector/github-advisory-latest
- package-manager/redhat
- vendor/pypa
- canonical/pypa pip
- vendor/oracle
- canonical/oracle agile plm
- version/oracle agile plm/9.3.6
- canonical/oracle communications cloud native core network function cloud native environment
- version/oracle communications cloud native core network function cloud native environment/1.10.0
- version/oracle communications cloud native core network function cloud native environment/22.1.0
- canonical/oracle communications cloud native core policy
- version/oracle communications cloud native core policy/1.15.0
- version/oracle communications cloud native core policy/22.1.3
- package-manager/pip