Candidate: CVE-2021-3572
PublicDate: 2021-11-10 18:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3572
 https://github.com/pypa/pip/pull/9827
 https://github.com/pypa/pip/issues/10042
 https://github.com/pypa/pip/issues/10042#issuecomment-857452480
 https://github.com/skazi0/CVE-2021-3572/blob/master/CVE-2021-3572-v9.0.1.patch
Description:
 A flaw was found in python-pip in the way it handled Unicode separators in
 git references. A remote attacker could possibly use this issue to install a
 different revision on a repository. The highest threat from this
 vulnerability is to data integrity. This is fixed in python-pip version 21.1.
Ubuntu-Description:
Notes:
 sbeattie> pip < 10, i.e. pip in bionic and older, parses git references
  differently, requiring a more significant backport
Mitigation:
Bugs:
 https://bugs.launchpad.net/ubuntu/+source/python-pip/+bug/1926957
Priority: low
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N [5.7 MEDIUM]

Patches_python-pip:
 upstream: https://github.com/pypa/pip/commit/ca832b2836e0bffa7cf95589acdcd71230f5834e (21.1)
upstream_python-pip: released (20.3.4-2)
trusty_python-pip: ignored (out of standard support)
trusty/esm_python-pip: needed
xenial_python-pip: ignored (out of standard support)
bionic_python-pip: needed
focal_python-pip: needed
groovy_python-pip: ignored (reached end-of-life)
hirsute_python-pip: ignored (reached end-of-life)
impish_python-pip: not-affected (20.3.4-4)
jammy_python-pip: not-affected (20.3.4-4)
devel_python-pip: not-affected (20.3.4-4)