{
	"document":{
		"aggregate_severity":{
			"namespace":"https://nvd.nist.gov/vuln-metrics/cvss",
			"text":"Medium"
		},
		"category":"csaf_vex",
		"csaf_version":"2.0",
		"distribution":{
			"tlp":{
				"label":"WHITE",
				"url":"https://www.first.org/tlp/"
			}
		},
		"lang":"en",
		"notes":[
			{
				"text":"python-pip security update",
				"category":"general",
				"title":"Synopsis"
			},
			{
				"text":"An update for python-pip is now available for openEuler-20.03-LTS-SP4",
				"category":"general",
				"title":"Summary"
			},
			{
				"text":"%changelog * Sat Jul 13 2024 yangyuan <yangyuan32@huawei.com> - 23.3.1-2 - Fix CVE-2023-45803 and CVE-2024-37891\n\nSecurity Fix(es):\n\nA flaw was found in pip, the package installer for Python. A remote attacker can exploit this vulnerability by tricking a victim into installing a malicious Python wheel. This wheel contains specially crafted entry-point names that use directory traversal or absolute paths. This allows pip to write generated script wrappers outside the intended installation directory, leading to arbitrary file overwrite. This can severely impact system integrity and availability, and in certain scenarios, may lead to arbitrary code execution. (CVE-2026-8643)",
				"category":"general",
				"title":"Description"
			},
			{
				"text":"An update for python-pip is now available for openEuler-20.03-LTS-SP4.\n\nopenEuler Security has rated this update as having a security impact of medium. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
				"category":"general",
				"title":"Topic"
			},
			{
				"text":"Medium",
				"category":"general",
				"title":"Severity"
			},
			{
				"text":"python-pip",
				"category":"general",
				"title":"Affected Component"
			}
		],
		"publisher":{
			"issuing_authority":"openEuler security committee",
			"name":"openEuler",
			"namespace":"https://www.openeuler.org",
			"contact_details":"openeuler-security@openeuler.org",
			"category":"vendor"
		},
		"references":[
			{
				"summary":"openEuler-SA-2026-2630",
				"category":"self",
				"url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2630"
			},
			{
				"summary":"CVE-2026-8643",
				"category":"self",
				"url":"https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-8643&packageName=python-pip"
			},
			{
				"summary":"nvd cve",
				"category":"external",
				"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-8643"
			},
			{
				"summary":"openEuler-SA-2026-2630 vex file",
				"category":"self",
				"url":"https://repo.openeuler.org/security/data/csaf/advisories/2026/csaf-openeuler-sa-2026-2630.json"
			}
		],
		"title":"An update for python-pip is now available for openEuler-20.03-LTS-SP4",
		"tracking":{
			"initial_release_date":"2026-06-18T16:17:27+08:00",
			"revision_history":[
				{
					"date":"2026-06-18T16:17:27+08:00",
					"summary":"Initial",
					"number":"1.0.0"
				}
			],
			"generator":{
				"date":"2026-06-18T16:17:27+08:00",
				"engine":{
					"name":"openEuler CSAF Tool V1.0"
				}
			},
			"current_release_date":"2026-06-18T16:17:27+08:00",
			"id":"openEuler-SA-2026-2630",
			"version":"1.0.0",
			"status":"final"
		}
	},
	"product_tree":{
		"branches":[
			{
				"name":"openEuler",
				"category":"vendor",
				"branches":[
					{
						"name":"openEuler",
						"branches":[
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP4"
									},
									"product_id":"openEuler-20.03-LTS-SP4",
									"name":"openEuler-20.03-LTS-SP4"
								},
								"name":"openEuler-20.03-LTS-SP4",
								"category":"product_version"
							}
						],
						"category":"product_name"
					},
					{
						"name":"noarch",
						"branches":[
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP4"
									},
									"product_id":"python-pip-help-20.2.2-20.oe2003sp4.noarch.rpm",
									"name":"python-pip-help-20.2.2-20.oe2003sp4.noarch.rpm"
								},
								"name":"python-pip-help-20.2.2-20.oe2003sp4.noarch.rpm",
								"category":"product_version"
							},
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP4"
									},
									"product_id":"python-pip-wheel-20.2.2-20.oe2003sp4.noarch.rpm",
									"name":"python-pip-wheel-20.2.2-20.oe2003sp4.noarch.rpm"
								},
								"name":"python-pip-wheel-20.2.2-20.oe2003sp4.noarch.rpm",
								"category":"product_version"
							},
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP4"
									},
									"product_id":"python2-pip-20.2.2-20.oe2003sp4.noarch.rpm",
									"name":"python2-pip-20.2.2-20.oe2003sp4.noarch.rpm"
								},
								"name":"python2-pip-20.2.2-20.oe2003sp4.noarch.rpm",
								"category":"product_version"
							},
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP4"
									},
									"product_id":"python3-pip-20.2.2-20.oe2003sp4.noarch.rpm",
									"name":"python3-pip-20.2.2-20.oe2003sp4.noarch.rpm"
								},
								"name":"python3-pip-20.2.2-20.oe2003sp4.noarch.rpm",
								"category":"product_version"
							}
						],
						"category":"architecture"
					},
					{
						"name":"src",
						"branches":[
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP4"
									},
									"product_id":"python-pip-20.2.2-20.oe2003sp4.src.rpm",
									"name":"python-pip-20.2.2-20.oe2003sp4.src.rpm"
								},
								"name":"python-pip-20.2.2-20.oe2003sp4.src.rpm",
								"category":"product_version"
							}
						],
						"category":"architecture"
					}
				]
			}
		],
		"relationships":[
			{
				"relates_to_product_reference":"openEuler-20.03-LTS-SP4",
				"product_reference":"python-pip-help-20.2.2-20.oe2003sp4.noarch.rpm",
				"full_product_name":{
					"product_id":"openEuler-20.03-LTS-SP4:python-pip-help-20.2.2-20.oe2003sp4.noarch",
					"name":"python-pip-help-20.2.2-20.oe2003sp4.noarch as a component of openEuler-20.03-LTS-SP4"
				},
				"category":"default_component_of"
			},
			{
				"relates_to_product_reference":"openEuler-20.03-LTS-SP4",
				"product_reference":"python-pip-wheel-20.2.2-20.oe2003sp4.noarch.rpm",
				"full_product_name":{
					"product_id":"openEuler-20.03-LTS-SP4:python-pip-wheel-20.2.2-20.oe2003sp4.noarch",
					"name":"python-pip-wheel-20.2.2-20.oe2003sp4.noarch as a component of openEuler-20.03-LTS-SP4"
				},
				"category":"default_component_of"
			},
			{
				"relates_to_product_reference":"openEuler-20.03-LTS-SP4",
				"product_reference":"python2-pip-20.2.2-20.oe2003sp4.noarch.rpm",
				"full_product_name":{
					"product_id":"openEuler-20.03-LTS-SP4:python2-pip-20.2.2-20.oe2003sp4.noarch",
					"name":"python2-pip-20.2.2-20.oe2003sp4.noarch as a component of openEuler-20.03-LTS-SP4"
				},
				"category":"default_component_of"
			},
			{
				"relates_to_product_reference":"openEuler-20.03-LTS-SP4",
				"product_reference":"python3-pip-20.2.2-20.oe2003sp4.noarch.rpm",
				"full_product_name":{
					"product_id":"openEuler-20.03-LTS-SP4:python3-pip-20.2.2-20.oe2003sp4.noarch",
					"name":"python3-pip-20.2.2-20.oe2003sp4.noarch as a component of openEuler-20.03-LTS-SP4"
				},
				"category":"default_component_of"
			},
			{
				"relates_to_product_reference":"openEuler-20.03-LTS-SP4",
				"product_reference":"python-pip-20.2.2-20.oe2003sp4.src.rpm",
				"full_product_name":{
					"product_id":"openEuler-20.03-LTS-SP4:python-pip-20.2.2-20.oe2003sp4.src",
					"name":"python-pip-20.2.2-20.oe2003sp4.src as a component of openEuler-20.03-LTS-SP4"
				},
				"category":"default_component_of"
			}
		]
	},
	"vulnerabilities":[
		{
			"cve":"CVE-2026-8643",
			"notes":[
				{
					"text":"A flaw was found in pip, the package installer for Python. A remote attacker can exploit this vulnerability by tricking a victim into installing a malicious Python wheel. This wheel contains specially crafted entry-point names that use directory traversal or absolute paths. This allows pip to write generated script wrappers outside the intended installation directory, leading to arbitrary file overwrite. This can severely impact system integrity and availability, and in certain scenarios, may lead to arbitrary code execution.",
					"category":"description",
					"title":"Vulnerability Description"
				}
			],
			"product_status":{
				"fixed":[
					"openEuler-20.03-LTS-SP4:python-pip-help-20.2.2-20.oe2003sp4.noarch",
					"openEuler-20.03-LTS-SP4:python-pip-wheel-20.2.2-20.oe2003sp4.noarch",
					"openEuler-20.03-LTS-SP4:python2-pip-20.2.2-20.oe2003sp4.noarch",
					"openEuler-20.03-LTS-SP4:python3-pip-20.2.2-20.oe2003sp4.noarch",
					"openEuler-20.03-LTS-SP4:python-pip-20.2.2-20.oe2003sp4.src"
				]
			},
			"remediations":[
				{
					"product_ids":[
						"openEuler-20.03-LTS-SP4:python-pip-help-20.2.2-20.oe2003sp4.noarch",
						"openEuler-20.03-LTS-SP4:python-pip-wheel-20.2.2-20.oe2003sp4.noarch",
						"openEuler-20.03-LTS-SP4:python2-pip-20.2.2-20.oe2003sp4.noarch",
						"openEuler-20.03-LTS-SP4:python3-pip-20.2.2-20.oe2003sp4.noarch",
						"openEuler-20.03-LTS-SP4:python-pip-20.2.2-20.oe2003sp4.src"
					],
					"details":"python-pip security update",
					"category":"vendor_fix",
					"url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2630"
				}
			],
			"scores":[
				{
					"cvss_v3":{
						"baseSeverity":"MEDIUM",
						"baseScore":4.1,
						"vectorString":"CVSS:3.1/AV:L/AC:L/AT:P/PR:L/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
						"version":"3.1"
					},
					"products":[
						"openEuler-20.03-LTS-SP4:python-pip-help-20.2.2-20.oe2003sp4.noarch",
						"openEuler-20.03-LTS-SP4:python-pip-wheel-20.2.2-20.oe2003sp4.noarch",
						"openEuler-20.03-LTS-SP4:python2-pip-20.2.2-20.oe2003sp4.noarch",
						"openEuler-20.03-LTS-SP4:python3-pip-20.2.2-20.oe2003sp4.noarch",
						"openEuler-20.03-LTS-SP4:python-pip-20.2.2-20.oe2003sp4.src"
					]
				}
			],
			"threats":[
				{
					"details":"Medium",
					"category":"impact"
				}
			],
			"title":"CVE-2026-8643"
		}
	]
}