SB2026030339 - openEuler 22.03 LTS SP4 update for python-pip

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2026030339

SB2026030339 - openEuler 22.03 LTS SP4 update for python-pip

Published: March 3, 2026

Security Bulletin ID SB2026030339
Severity
Medium
Patch available
YES
Number of vulnerabilities 6
Exploitation vector Remote access
Highest impact Information disclosure

Breakdown by Severity

Medium 50% Low 50%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 6 secuirty vulnerabilities.


1) Path traversal (CVE-ID: CVE-2026-1703)

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to input validation error when installing and extracting wheel archives. A remote attacker can trick the victim into installing a malicious wheel archive and overwrite arbitrary files on the system. 


2) Information disclosure (CVE-ID: CVE-2023-45803)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to urllib3 does not remove the HTTP request body when redirecting HTTP response using status codes 301, 302, or 303, after the request had its method changed from one that could accept a request body (e.g. from POST to GET). A remote attacker can gain access to potentially sensitive information.


3) Information disclosure (CVE-ID: CVE-2024-37891)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to Prox-Authorization header is not stripped during cross-origin redirects when using urllib3's proxy support with ProxyManager. A remote attacker can gain obtain proxy credentials used by the library.


4) Insufficiently protected credentials (CVE-ID: CVE-2024-47081)

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to the library leaks .netrc credentials to third parties for specific maliciously-crafted URLs. A remote attacker can gain access to sensitive information. 


5) Protection Mechanism Failure (CVE-ID: CVE-2025-50181)

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to incorrect implementation of the Redirect object when handling redirects and retries. A remote attacker can force the library to follow redirects even if explicitly disabled with PoolManager.


6) Improper Check for Unusual or Exceptional Conditions (CVE-ID: CVE-2025-8869)

The vulnerability allows a remote attacker to modify data on the system.

The vulnerability exists due to improper error handling. A remote attacker can trick the victim into opening a specially crafted data and modify data on the system.


Remediation

Install update from vendor's website.

References