{"id":"UBUNTU-CVE-2024-6345","details":"A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to code injection. If these functions are exposed to user-controlled inputs, such as package URLs, they can execute arbitrary commands on the system. The issue is fixed in version 70.0.","modified":"2026-02-04T04:05:09.025042Z","published":"2024-07-15T01:15:00Z","related":["USN-7002-1"],"upstream":["CVE-2024-6345"],"references":[{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2024-6345"},{"type":"REPORT","url":"https://www.cve.org/CVERecord?id=CVE-2024-6345"},{"type":"REPORT","url":"https://huntr.com/bounties/d6362117-ad57-4e83-951f-b8141c6e7ca5"},{"type":"REPORT","url":"https://github.com/pypa/setuptools/commit/88807c7062788254f654ea8c03427adc859321f0"},{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-7002-1"}],"affected":[{"package":{"name":"python-pip","ecosystem":"Ubuntu:Pro:14.04:LTS","purl":"pkg:deb/ubuntu/python-pip@1.5.4-1ubuntu4+esm5?arch=source&distro=trusty/esm"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.5.4-1ubuntu4+esm5"}]}],"versions":["1.4.1-2","1.5.4-1","1.5.4-1ubuntu1","1.5.4-1ubuntu3","1.5.4-1ubuntu4","1.5.4-1ubuntu4+esm1","1.5.4-1ubuntu4+esm2","1.5.4-1ubuntu4+esm3","1.5.4-1ubuntu4+esm4"],"ecosystem_specific":{"binaries":[{"binary_version":"1.5.4-1ubuntu4+esm5","binary_name":"python-pip"},{"binary_version":"1.5.4-1ubuntu4+esm5","binary_name":"python-pip-whl"},{"binary_version":"1.5.4-1ubuntu4+esm5","binary_name":"python3-pip"}],"availability":"Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-6345.json"}},{"package":{"name":"python-setuptools","ecosystem":"Ubuntu:Pro:14.04:LTS","purl":"pkg:deb/ubuntu/python-setuptools@3.3-1ubuntu2+esm2?arch=source&distro=trusty/esm"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"3.3-1ubuntu2+esm2"}]}],"versions":["1.4.2-1","2.0.1-1ubuntu1","2.0.1-2ubuntu1","2.0.2-1","2.1-1","2.2-1","3.3-1ubuntu1","3.3-1ubuntu2","3.3-1ubuntu2+esm1"],"ecosystem_specific":{"binaries":[{"binary_version":"3.3-1ubuntu2+esm2","binary_name":"python-pkg-resources"},{"binary_version":"3.3-1ubuntu2+esm2","binary_name":"python-setuptools"},{"binary_version":"3.3-1ubuntu2+esm2","binary_name":"python-setuptools-whl"},{"binary_version":"3.3-1ubuntu2+esm2","binary_name":"python3-pkg-resources"},{"binary_version":"3.3-1ubuntu2+esm2","binary_name":"python3-setuptools"}],"availability":"Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-6345.json"}},{"package":{"name":"python-setuptools","ecosystem":"Ubuntu:Pro:16.04:LTS","purl":"pkg:deb/ubuntu/python-setuptools@20.7.0-1ubuntu0.1~esm2?arch=source&distro=esm-infra/xenial"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"20.7.0-1ubuntu0.1~esm2"}]}],"versions":["18.4-1","18.4-2","18.7-1","18.8-1","20.1.1-1","20.3.1-1","20.7.0-1","20.7.0-1ubuntu0.1~esm1"],"ecosystem_specific":{"binaries":[{"binary_version":"20.7.0-1ubuntu0.1~esm2","binary_name":"pypy-pkg-resources"},{"binary_version":"20.7.0-1ubuntu0.1~esm2","binary_name":"pypy-setuptools"},{"binary_version":"20.7.0-1ubuntu0.1~esm2","binary_name":"python-pkg-resources"},{"binary_version":"20.7.0-1ubuntu0.1~esm2","binary_name":"python-setuptools"},{"binary_version":"20.7.0-1ubuntu0.1~esm2","binary_name":"python3-pkg-resources"},{"binary_version":"20.7.0-1ubuntu0.1~esm2","binary_name":"python3-setuptools"}],"availability":"Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-6345.json"}},{"package":{"name":"python-pip","ecosystem":"Ubuntu:Pro:16.04:LTS","purl":"pkg:deb/ubuntu/python-pip@8.1.1-2ubuntu0.6+esm8?arch=source&distro=esm-apps/xenial"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"8.1.1-2ubuntu0.6+esm8"}]}],"versions":["1.5.6-7ubuntu1","1.5.6-7ubuntu2","8.0.2-7","8.0.3-1","8.0.3-2","8.1.0-1","8.1.0-2","8.1.1-1","8.1.1-2","8.1.1-2ubuntu0.1","8.1.1-2ubuntu0.2","8.1.1-2ubuntu0.4","8.1.1-2ubuntu0.6","8.1.1-2ubuntu0.6+esm2","8.1.1-2ubuntu0.6+esm3","8.1.1-2ubuntu0.6+esm4","8.1.1-2ubuntu0.6+esm5","8.1.1-2ubuntu0.6+esm6"],"ecosystem_specific":{"binaries":[{"binary_version":"8.1.1-2ubuntu0.6+esm8","binary_name":"python-pip"},{"binary_version":"8.1.1-2ubuntu0.6+esm8","binary_name":"python-pip-whl"},{"binary_version":"8.1.1-2ubuntu0.6+esm8","binary_name":"python3-pip"}],"availability":"Available with Ubuntu Pro: https://ubuntu.com/pro"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-6345.json"}},{"package":{"name":"python-setuptools","ecosystem":"Ubuntu:Pro:18.04:LTS","purl":"pkg:deb/ubuntu/python-setuptools@39.0.1-2ubuntu0.1+esm1?arch=source&distro=esm-infra/bionic"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"39.0.1-2ubuntu0.1+esm1"}]}],"versions":["36.2.7-2","38.4.0-1","38.5.2-1","39.0.1-1","39.0.1-2","39.0.1-2ubuntu0.1"],"ecosystem_specific":{"binaries":[{"binary_version":"39.0.1-2ubuntu0.1+esm1","binary_name":"pypy-pkg-resources"},{"binary_version":"39.0.1-2ubuntu0.1+esm1","binary_name":"pypy-setuptools"},{"binary_version":"39.0.1-2ubuntu0.1+esm1","binary_name":"python-pkg-resources"},{"binary_version":"39.0.1-2ubuntu0.1+esm1","binary_name":"python-setuptools"},{"binary_version":"39.0.1-2ubuntu0.1+esm1","binary_name":"python3-pkg-resources"},{"binary_version":"39.0.1-2ubuntu0.1+esm1","binary_name":"python3-setuptools"}],"availability":"Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-6345.json"}},{"package":{"name":"python-pip","ecosystem":"Ubuntu:Pro:18.04:LTS","purl":"pkg:deb/ubuntu/python-pip@9.0.1-2.3~ubuntu1.18.04.8+esm4?arch=source&distro=esm-apps/bionic"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"9.0.1-2.3~ubuntu1.18.04.8+esm4"}]}],"versions":["9.0.1-2","9.0.1-2.3~ubuntu1","9.0.1-2.3~ubuntu1.18.04.1","9.0.1-2.3~ubuntu1.18.04.2","9.0.1-2.3~ubuntu1.18.04.3","9.0.1-2.3~ubuntu1.18.04.4","9.0.1-2.3~ubuntu1.18.04.5","9.0.1-2.3~ubuntu1.18.04.5+esm2","9.0.1-2.3~ubuntu1.18.04.5+esm3","9.0.1-2.3~ubuntu1.18.04.6","9.0.1-2.3~ubuntu1.18.04.6+esm1","9.0.1-2.3~ubuntu1.18.04.7","9.0.1-2.3~ubuntu1.18.04.7+esm1","9.0.1-2.3~ubuntu1.18.04.8","9.0.1-2.3~ubuntu1.18.04.8+esm1","9.0.1-2.3~ubuntu1.18.04.8+esm2"],"ecosystem_specific":{"binaries":[{"binary_version":"9.0.1-2.3~ubuntu1.18.04.8+esm4","binary_name":"python-pip"},{"binary_version":"9.0.1-2.3~ubuntu1.18.04.8+esm4","binary_name":"python-pip-whl"},{"binary_version":"9.0.1-2.3~ubuntu1.18.04.8+esm4","binary_name":"python3-pip"}],"availability":"Available with Ubuntu Pro: https://ubuntu.com/pro"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-6345.json"}},{"package":{"name":"setuptools","ecosystem":"Ubuntu:20.04:LTS","purl":"pkg:deb/ubuntu/setuptools@45.2.0-1ubuntu0.2?arch=source&distro=focal"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"45.2.0-1ubuntu0.2"}]}],"versions":["45.2.0-1","45.2.0-1ubuntu0.1"],"ecosystem_specific":{"binaries":[{"binary_version":"45.2.0-1ubuntu0.2","binary_name":"python3-pkg-resources"},{"binary_version":"45.2.0-1ubuntu0.2","binary_name":"python3-setuptools"}],"availability":"No subscription required"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-6345.json"}},{"package":{"name":"python-pip","ecosystem":"Ubuntu:Pro:20.04:LTS","purl":"pkg:deb/ubuntu/python-pip@20.0.2-5ubuntu1.10+esm2?arch=source&distro=esm-apps/focal"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"20.0.2-5ubuntu1.10+esm2"}]}],"versions":["18.1-5","18.1-5build1","18.1-5ubuntu1","20.0.2-2","20.0.2-4","20.0.2-5","20.0.2-5ubuntu1","20.0.2-5ubuntu1.1","20.0.2-5ubuntu1.3","20.0.2-5ubuntu1.4","20.0.2-5ubuntu1.5","20.0.2-5ubuntu1.6","20.0.2-5ubuntu1.7","20.0.2-5ubuntu1.8","20.0.2-5ubuntu1.9","20.0.2-5ubuntu1.10"],"ecosystem_specific":{"binaries":[{"binary_version":"20.0.2-5ubuntu1.10+esm2","binary_name":"python-pip-whl"},{"binary_version":"20.0.2-5ubuntu1.10+esm2","binary_name":"python3-pip"}],"availability":"Available with Ubuntu Pro: https://ubuntu.com/pro"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-6345.json"}},{"package":{"name":"python-setuptools","ecosystem":"Ubuntu:Pro:20.04:LTS","purl":"pkg:deb/ubuntu/python-setuptools@44.0.0-2ubuntu0.1+esm1?arch=source&distro=esm-apps/focal"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"44.0.0-2ubuntu0.1+esm1"}]}],"versions":["41.1.0-1","41.4.0-1","44.0.0-1","44.0.0-2","44.0.0-2ubuntu0.1"],"ecosystem_specific":{"binaries":[{"binary_version":"44.0.0-2ubuntu0.1+esm1","binary_name":"pypy-pkg-resources"},{"binary_version":"44.0.0-2ubuntu0.1+esm1","binary_name":"pypy-setuptools"},{"binary_version":"44.0.0-2ubuntu0.1+esm1","binary_name":"python-pkg-resources"},{"binary_version":"44.0.0-2ubuntu0.1+esm1","binary_name":"python-setuptools"}],"availability":"Available with Ubuntu Pro: https://ubuntu.com/pro"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-6345.json"}},{"package":{"name":"setuptools","ecosystem":"Ubuntu:22.04:LTS","purl":"pkg:deb/ubuntu/setuptools@59.6.0-1.2ubuntu0.22.04.2?arch=source&distro=jammy"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"59.6.0-1.2ubuntu0.22.04.2"}]}],"versions":["52.0.0-4","58.2.0-1","59.6.0-1.2","59.6.0-1.2ubuntu0.22.04.1"],"ecosystem_specific":{"binaries":[{"binary_version":"59.6.0-1.2ubuntu0.22.04.2","binary_name":"python3-pkg-resources"},{"binary_version":"59.6.0-1.2ubuntu0.22.04.2","binary_name":"python3-setuptools"},{"binary_version":"59.6.0-1.2ubuntu0.22.04.2","binary_name":"python3-setuptools-whl"}],"availability":"No subscription required"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-6345.json"}},{"package":{"name":"python-setuptools","ecosystem":"Ubuntu:Pro:22.04:LTS","purl":"pkg:deb/ubuntu/python-setuptools@44.1.1-1.2ubuntu0.22.04.1+esm1?arch=source&distro=esm-apps/jammy"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"44.1.1-1.2ubuntu0.22.04.1+esm1"}]}],"versions":["44.1.1-1","44.1.1-1.2","44.1.1-1.2ubuntu0.22.04.1"],"ecosystem_specific":{"binaries":[{"binary_version":"44.1.1-1.2ubuntu0.22.04.1+esm1","binary_name":"pypy-pkg-resources"},{"binary_version":"44.1.1-1.2ubuntu0.22.04.1+esm1","binary_name":"pypy-setuptools"},{"binary_version":"44.1.1-1.2ubuntu0.22.04.1+esm1","binary_name":"python-pkg-resources"},{"binary_version":"44.1.1-1.2ubuntu0.22.04.1+esm1","binary_name":"python-setuptools"},{"binary_version":"44.1.1-1.2ubuntu0.22.04.1+esm1","binary_name":"python2-setuptools-whl"}],"availability":"Available with Ubuntu Pro: https://ubuntu.com/pro"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-6345.json"}},{"package":{"name":"setuptools","ecosystem":"Ubuntu:24.04:LTS","purl":"pkg:deb/ubuntu/setuptools@68.1.2-2ubuntu1.1?arch=source&distro=noble"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"68.1.2-2ubuntu1.1"}]}],"versions":["68.1.2-2","68.1.2-2ubuntu1"],"ecosystem_specific":{"binaries":[{"binary_version":"68.1.2-2ubuntu1.1","binary_name":"python3-pkg-resources"},{"binary_version":"68.1.2-2ubuntu1.1","binary_name":"python3-setuptools"},{"binary_version":"68.1.2-2ubuntu1.1","binary_name":"python3-setuptools-whl"}],"availability":"No subscription required"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-6345.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"type":"Ubuntu","score":"medium"}]}