There are 2 open security issues in buster.
2 issues left for the package maintainer to handle:
- CVE-2021-3572:
(needs triaging)
A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.
- CVE-2019-20916:
(needs triaging)
The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py.
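The mechanism behind CVE-2021-3572, as an added example (not pip's code and not this tracker's content): `git show-ref` separates records with a newline and the object ID from the ref name with one ASCII space, but git permits non-ASCII bytes such as U+2028 (LINE SEPARATOR) and U+00A0 (NO-BREAK SPACE) inside a ref name. Python's `str.splitlines()` and `str.split()` treat those characters as line and field breaks, so a parser built on them can be handed a fake record by anyone who can create a ref in the repository. The show-ref output, commit IDs and ref lookup order below are constructed for the example; the two parsers are simplified stand-ins and not pip's actual implementation.

```python
"""Unicode separators in git ref names (CVE-2021-3572), reconstructed.

Added example, not pip's code. The show-ref output is constructed and
the parsers are the example's own, not copies of pip's vcs/git.py.
"""
import re

# Constructed commit IDs: the tag the user asked for, and the commit the
# attacker wants installed instead.
GOOD_SHA = "3f786850e387550fdab836ed7e6dc881de23001b"
EVIL_SHA = "89e6c98d92887913cadf06b2adb97f26cde4849b"

# Constructed output of `git show-ref 1.0` from a repository holding the
# legitimate tag plus an attacker-created tag whose name ends in
# "refs/tags/1.0", so show-ref's suffix matching still lists it. The name
# embeds U+2028 and U+00A0, which git accepts in ref names.
SHOW_REF_OUTPUT = (
    f"{GOOD_SHA} refs/tags/1.0\n"
    f"{EVIL_SHA} refs/tags/x\u2028{EVIL_SHA}\u00a0refs/tags/1.0\n"
)


def parse_show_ref_naive(output):
    """Unicode-aware splitting: splitlines() breaks at U+2028 and split()
    breaks at U+00A0, so the crafted ref name produces an extra bogus
    record "<EVIL_SHA> U+00A0 refs/tags/1.0" that overwrites the real tag."""
    refs = {}
    for line in output.strip().splitlines():
        sha, ref = line.split()
        refs[ref] = sha
    return refs


def parse_show_ref_strict(output):
    """Split only on the separators git actually emits: "\\n" between
    records and a single ASCII space between object ID and ref name.
    The crafted name stays one odd-looking ref and cannot shadow
    refs/tags/1.0; a malformed object ID is rejected outright."""
    refs = {}
    for line in output.split("\n"):
        line = line.rstrip("\r")
        if not line:
            continue
        sha, ref = line.split(" ", 1)
        if not re.fullmatch(r"[0-9a-f]{40}", sha):
            raise ValueError("unexpected show-ref line: %r" % (line,))
        refs[ref] = sha
    return refs


def resolve_rev(refs, rev):
    """Map a user-supplied revision to a commit, preferring a remote branch
    and then a tag (this lookup order is the example's own assumption)."""
    for candidate in (f"refs/remotes/origin/{rev}", f"refs/tags/{rev}"):
        if candidate in refs:
            return refs[candidate]
    return None


if __name__ == "__main__":
    print("naive :", resolve_rev(parse_show_ref_naive(SHOW_REF_OUTPUT), "1.0"))
    print("strict:", resolve_rev(parse_show_ref_strict(SHOW_REF_OUTPUT), "1.0"))
```

The practitioner's check is the contrast between the two parsers: the naive one resolves `1.0` to EVIL_SHA, the strict one to GOOD_SHA. The same rule applies to any tool output consumed by Python: split on the separators the producer is documented to emit, not on "whitespace" in general, because `"\u00a0".isspace()` and `"\u2028".splitlines()` both say yes.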
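The mechanism behind CVE-2019-20916, as an added example (not pip's code and not this tracker's content): a download destination built by joining the download directory with the filename taken verbatim from the server's Content-Disposition header, beside a hardened variant that keeps only the last path component and then verifies the result stays inside the directory. The header parsing uses the standard library's email.message.Message; the sample headers and the /tmp/pip-download directory are constructed, and both destination functions are simplified stand-ins for the logic in _download_http_url, not copies of it.

```python
"""Directory traversal via a Content-Disposition filename (CVE-2019-20916).

Added example, not pip's code: header parsing via email.message.Message,
and two simplified destination functions standing in for the logic in
_download_http_url.
"""
import posixpath
import re
from email.message import Message

# Constructed headers, as a malicious index or mirror could send them.
MALICIOUS_HEADER = 'attachment; filename="../../root/.ssh/authorized_keys"'
WINDOWS_STYLE_HEADER = 'attachment; filename="..\\..\\evil.whl"'
BENIGN_HEADER = 'attachment; filename="requests-2.22.0-py2.py3-none-any.whl"'


def filename_from_content_disposition(header_value):
    """Extract the filename parameter; None if the header carries none."""
    msg = Message()
    msg["Content-Disposition"] = header_value
    return msg.get_filename()


def vulnerable_destination(download_dir, header_value):
    """Pre-19.2 behaviour in spirit: join the server-supplied name as-is.

    Each '..' component walks one level out of download_dir, so a two-level
    directory plus '../../root/.ssh/authorized_keys' ends up in /root/.ssh.
    """
    name = filename_from_content_disposition(header_value)
    return posixpath.normpath(posixpath.join(download_dir, name))


def sanitize_content_filename(name):
    """Keep only the last path component of a server-supplied filename.

    Both '/' and '\\' count as separators so a Windows-style payload is
    neutralised on every platform; empty and dot-only names are refused
    instead of silently mapping onto the directory itself or its parent.
    """
    base = re.split(r"[\\/]", name or "")[-1]
    if base in ("", ".", ".."):
        raise ValueError("unsafe filename in Content-Disposition: %r" % (name,))
    return base


def safe_destination(download_dir, header_value):
    """Hardened variant: sanitise the name, then confirm the resolved path
    is still under download_dir (defence in depth for the sanitiser)."""
    name = filename_from_content_disposition(header_value)
    dest = posixpath.join(download_dir, sanitize_content_filename(name))
    root = posixpath.normpath(download_dir)
    if posixpath.commonpath([root, posixpath.normpath(dest)]) != root:
        raise ValueError("destination escapes download directory: %r" % (dest,))
    return dest


if __name__ == "__main__":
    print("vulnerable:", vulnerable_destination("/tmp/pip-download", MALICIOUS_HEADER))
    print("hardened  :", safe_destination("/tmp/pip-download", MALICIOUS_HEADER))
```

Run with python3: the vulnerable function yields /root/.ssh/authorized_keys for the crafted header, the hardened one /tmp/pip-download/authorized_keys, and a header whose filename is only `..` or is absent altogether is rejected rather than written. The containment check after sanitising is deliberate: if the sanitiser is ever weakened, the commonpath comparison still refuses anything that resolves outside the download directory.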
You can find information about how to handle these issues in the security team's documentation.