{"id":"CVE-2019-20916","details":"The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py.","aliases":["GHSA-gpvv-69j7-gwj8","PYSEC-2020-173"],"modified":"2026-04-16T04:38:57.483109264Z","published":"2020-09-04T20:15:11.013Z","related":["ALSA-2020:4654","SUSE-FU-2021:2130-1","SUSE-FU-2022:0444-1","SUSE-FU-2022:0445-1","SUSE-SU-2020:2698-1","SUSE-SU-2020:2726-1","SUSE-SU-2020:2784-1","SUSE-SU-2020:3016-1","SUSE-SU-2020:3563-1","SUSE-SU-2020:3565-1","SUSE-SU-2020:3566-1","SUSE-SU-2020:3593-1","SUSE-SU-2020:3594-1","SUSE-SU-2020:3596-1","SUSE-SU-2020:3597-1","SUSE-SU-2020:3599-1","SUSE-SU-2020:3737-1","SUSE-SU-2020:3765-1","SUSE-SU-2020:3865-1","SUSE-SU-2021:0344-1","SUSE-SU-2021:0355-1","SUSE-SU-2021:0428-1","SUSE-SU-2021:0432-1","SUSE-SU-2021:0529-1","SUSE-SU-2022:1454-1","SUSE-SU-2023:0516-2","openSUSE-SU-2020:1598-1","openSUSE-SU-2020:1613-1","openSUSE-SU-2020:2143-1","openSUSE-SU-2020:2152-1","openSUSE-SU-2020:2169-1","openSUSE-SU-2020:2184-1","openSUSE-SU-2020:2185-1","openSUSE-SU-2020:2189-1","openSUSE-SU-2020:2190-1","openSUSE-SU-2020:2211-1","openSUSE-SU-2021:0270-1","openSUSE-SU-2021:0331-1","openSUSE-SU-2024:11251-1","openSUSE-SU-2024:11272-1","openSUSE-SU-2024:11284-1","openSUSE-SU-2024:11285-1","openSUSE-SU-2024:11551-1","openSUSE-SU-2024:13916-1","openSUSE-SU-2024:14029-1"],"references":[{"type":"ADVISORY","url":"http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00010.html"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2020/09/msg00010.html"},{"type":"ADVISORY","url":"http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00005.html"},{"type":"FIX","url":"https://github.com/gzpan123/pip/commit/a4c735b14a62f9cb864533808ac63936704f2ace"},{"type":"FIX","url":"https://github.com/pypa/pip/compare/19.1.1...19.2"},{"type":"FIX","url":"https://github.com/pypa/pip/issues/6413"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpujul2022.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/gzpan123/pip","events":[{"introduced":"0"},{"fixed":"a4c735b14a62f9cb864533808ac63936704f2ace"}]},{"type":"GIT","repo":"https://github.com/pypa/pip","events":[{"introduced":"0"},{"fixed":"0e642958ada570358c3e095b28d78b6196c56a35"},{"introduced":"0"},{"last_affected":"1ee0501791ac56f5476d4c104592eb1a17ab1b2e"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"19.2"},{"introduced":"0"},{"last_affected":"9.0"}]}}],"versions":["0.3","0.6","0.7","0.7.1","0.8","0.8.2","0.8.3","1.0","1.2","1.4rc1","1.4rc2","10.0.0","10.0.1","18.0","18.1","19.0","19.0.2","19.1.1","6.0","9.0.0","9.0.1"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"15.1"}]},{"events":[{"introduced":"0"},{"last_affected":"15.2"}]},{"events":[{"introduced":"0"},{"last_affected":"1.10.0"}]},{"events":[{"introduced":"0"},{"last_affected":"22.1.0"}]},{"events":[{"introduced":"0"},{"last_affected":"1.15.0"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-20916.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}]}