Security Flaw CVE-2024-6345 in Setuptools Exposes Python Projects to RCE
A severe security vulnerability has been identified in Setuptools, a widely-used library for packaging, distributing, and installing Python projects. This flaw, designated CVE-2024-6345 with a CVSS score of 8.8, exposes systems to remote code execution (RCE) due to vulnerabilities in the package_index module.
Setuptools’ package_index module, which streamlines interaction with package index servers like PyPI, is vulnerable to code injection via its download functions. These functions, used to retrieve and install packages from specified URLs, can be exploited when the URLs are supplied by users or are automatically extracted from the HTML pages served by a package index.
The implications of this vulnerability are extensive, affecting any system that builds Python projects with an affected version of Setuptools. The primary risks include:
- Targeting of Systems Using Affected Package Indexes: Any system that relies on the vulnerable package_index module for project building can be targeted by attackers.
- Command Shell Access: Exploiting this flaw can grant attackers command shell access, enabling them to execute arbitrary commands on the compromised system.
- Full System Compromise: The most severe risk involves complete system takeover, allowing attackers to manipulate or steal sensitive data, install malicious software, and disrupt normal operations.
Security researcher CybrX, who reported the CVE-2024-6345 vulnerability, has published a detailed technical analysis and proof-of-concept exploit code, highlighting the severity of the issue.
Due to the ubiquitous nature of Setuptools in the Python ecosystem, countless projects and systems could be at risk. Any system that uses Setuptools’ package index system to build Python projects is potentially vulnerable, and the consequences of successful exploitation could be devastating. Attackers could gain command shell access, exfiltrate sensitive data, install malware, or even take complete control of the affected system.
All users and organizations utilizing Setuptools are strongly advised to upgrade to version 70.0 immediately. This updated version includes a fix that addresses the vulnerability and prevents the code injection attack.
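One way to act on that advice is to check which setuptools versions an environment actually carries. The following is an added example, not code from the advisory or the setuptools project: it treats 70.0 (the fixed version the advisory names) as the threshold, checks the running interpreter via `importlib.metadata`, and scans `pip freeze`-style text for pinned setuptools versions below it. The version-parsing logic and the sample freeze output are constructed for illustration.

```python
import re
from importlib import metadata

# Added example: the 70.0 threshold is the fixed version the advisory states;
# the parsing logic and sample data are constructed for illustration.
FIXED_VERSION = (70, 0, 0)


def parse_version(text):
    """Leading numeric release segments of a PEP 440-style version, padded to 3.
    Pre-release/dev suffixes ("70.0.0rc1", "69.5.1.dev3") are ignored, so a
    pre-release of 70.0.0 is treated the same as the release itself."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = [int(part) for part in m.group(1).split(".")]
    nums += [0] * (3 - len(nums))
    return tuple(nums)


def is_vulnerable(version_text):
    """True when the setuptools version predates the 70.0 fix."""
    return parse_version(version_text) < FIXED_VERSION


def scan_freeze_output(freeze_text):
    """Return setuptools pins below 70.0 found in `pip freeze`-style text.
    Only exact pins (setuptools==X.Y) are checked; range specifiers do not
    identify a single version and are left to the caller."""
    findings = []
    for line in freeze_text.splitlines():
        m = re.match(r"\s*setuptools\s*==\s*([^\s;#]+)", line, re.IGNORECASE)
        if m and is_vulnerable(m.group(1)):
            findings.append(m.group(1))
    return findings


def installed_setuptools_vulnerable():
    """Check the running interpreter's setuptools; None if it is not installed."""
    try:
        return is_vulnerable(metadata.version("setuptools"))
    except metadata.PackageNotFoundError:
        return None


# Constructed sample of `pip freeze` output, not taken from any real system.
SAMPLE_FREEZE = """\
requests==2.31.0
setuptools==69.5.1
wheel==0.43.0
"""

if __name__ == "__main__":
    print("pinned below 70.0:", scan_freeze_output(SAMPLE_FREEZE))
    print("interpreter vulnerable:", installed_setuptools_vulnerable())
```

Run it inside each virtual environment or container image you build with, since every environment carries its own copy of setuptools.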