CVE-2022-21668

CVSS v3 Score: 8.6 (High)
CVSS v2 Score: 9.3 (Critical)

Vulnerability Description

pipenv is a Python development workflow tool. Starting with version 2018.10.9 and prior to version 2022.1.8, a flaw in pipenv's parsing of requirements files allows an attacker to insert a specially crafted string inside a comment anywhere within a requirements.txt file, which will cause victims who use pipenv to install the requirements file to download dependencies from a package index server controlled by the attacker. By embedding malicious code in packages served from their malicious index server, the attacker can trigger arbitrary remote code execution (RCE) on the victims' systems. If an attacker is able to hide a malicious `--index-url` option in a requirements file that a victim installs with pipenv, the attacker can embed arbitrary malicious code in packages served from their malicious index server that will be executed on the victim's host during installation (remote code execution/RCE). When pip installs from a source distribution, any code in the setup.py is executed by the install process. This issue is patched in version 2022.1.8. The GitHub Security Advisory contains more information about this vulnerability.
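A review aid for the issue described above, added here as an example; it is not code from pipenv, pip, or the advisory. It flags index-related options that sit inside comments of a requirements file, and index options outside comments that point anywhere other than an allowlist. The function name, allowlist default, and sample file are assumptions constructed for illustration.

```python
import re

# pip treats "#" as a comment start only at line start or after whitespace,
# so URL fragments such as "#egg=name" are not comments.
COMMENT_RE = re.compile(r"(^|\s+)#.*$")

# pip options that change where packages are downloaded from.
OPTION_RE = re.compile(
    r"(?<![\w-])(--index-url|--extra-index-url|--trusted-host|-i)"
    r"(?=[\s=]|$)(?:[ \t=]+(\S+))?"
)


def audit_requirements(text, allowed=("https://pypi.org/simple",)):
    """Return (line_no, reason, option) tuples for lines that need review."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        m = COMMENT_RE.search(raw)
        code = raw[:m.start()] if m else raw
        comment = m.group(0) if m else ""
        # An index option has no legitimate effect inside a comment, so its
        # presence there is worth a human look regardless of the URL.
        for opt in OPTION_RE.finditer(comment):
            findings.append((lineno, "option-in-comment", opt.group(1)))
        # Outside comments, only allowlisted index URLs pass silently.
        for opt in OPTION_RE.finditer(code):
            value = (opt.group(2) or "").rstrip("/")
            if opt.group(1) == "--trusted-host" or value not in allowed:
                findings.append((lineno, "unapproved-index", opt.group(1)))
    return findings


# Constructed sample input; example.invalid is a placeholder host.
SAMPLE = """\
--index-url https://pypi.org/simple
requests==2.27.1  # pinned for reproducibility
flask==2.0.2  # mirror note: --index-url https://index.example.invalid/simple
--extra-index-url https://index.example.invalid/simple
git+https://example.invalid/repo.git#egg=demo
"""

if __name__ == "__main__":
    for finding in audit_requirements(SAMPLE):
        print(finding)
```

A check like this suits code review or CI on third-party requirements files; it complements, and does not replace, upgrading pipenv to the patched 2022.1.8 release.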

CVSS:8.6(High)

QEMU before 2.0.0 block drivers for CLOOP, QCOW2 version 2 and various other image formats are vulnerable to potential memory corruptions, integer/buffer overflows or crash caused by missing input val...

CWE-20 2014
CVSS:8.6(High)

The DNS::GetResult function in dns.cpp in InspIRCd before 2.0.19 allows remote DNS servers to cause a denial of service (netsplit) via an invalid character in a PTR response, as demonstrated by a "\03...

CWE-20 2015
CVSS:8.6(High)

The library's failure to check if certain message types support a particular flag, the HDF5 1.8.16 library will cast the structure to an alternative structure and then assign to fields that aren't sup...

CWE-20 2016
CVSS:8.6(High)

An issue was discovered in Locus Energy LGate prior to 1.05H, LGate 50, LGate 100, LGate 101, LGate 120, and LGate 320. Locus Energy meters use a PHP script to manage the energy meter parameters for v...

CWE-20 2016
CVSS:8.6(High)

IBM WebSphere Cast Iron Solution 7.0.0 and 7.5.0.0 is vulnerable to External Service Interaction attack, caused by improper validation of user-supplied input. A remote attacker could exploit this vuln...

CWE-20 2016
CVSS:8.6(High)

A vulnerability in the detection engine parsing of IPv6 packets for Cisco Firepower System Software could allow an unauthenticated, remote attacker to cause high CPU utilization or to cause a denial o...

CWE-20 2017