rpm package
opensuse/python-pip&distro=openSUSE Tumbleweed
pkg:rpm/opensuse/python-pip&distro=openSUSE%20Tumbleweed
Vulnerabilities (5)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-3219 | Med | — | | < 26.1-1.1 | 26.1-1.1 | Apr 20, 2026 | pip handles concatenated tar and ZIP files as ZIP files regardless of filename or whether a file is both a tar and ZIP file. This behavior could result in confusing installation behavior, such as installing "incorrect" files according to the filename of the archive. New behavior |
| CVE-2026-1703 | Low | — | | < 26.0.1-1.1 | 26.0.1-1.1 | Feb 2, 2026 | When pip is installing and extracting a maliciously crafted wheel archive, files may be extracted outside the installation directory. The path traversal is limited to prefixes of the installation directory, thus isn't able to inject or overwrite executable files in typical situat |
| CVE-2013-5123 | | — | | < 9.0.1-1.1 | 9.0.1-1.1 | Nov 5, 2019 | The mirroring support (-M, --use-mirrors) in Python Pip before 1.5 uses insecure DNS querying and authenticity checks which allows attackers to perform man-in-the-middle attacks. |
| CVE-2015-2296 | | — | | < 9.0.1-1.1 | 9.0.1-1.1 | Mar 18, 2015 | The resolve_redirects function in sessions.py in requests 2.1.0 through 2.5.3 allows remote attackers to conduct session fixation attacks via a cookie without a host value in a redirect. |
| CVE-2014-8991 | | — | | < 9.0.1-1.1 | 9.0.1-1.1 | Nov 24, 2014 | pip 1.3 through 1.5.6 allows local users to cause a denial of service (prevention of package installation) by creating a /tmp/pip-build-* file for another user. |