PT-2013-3287 · Python · Pip

Glyph

·

Publicado

2013-08-06

·

Atualizado

2022-05-13

·

CVE-2013-1629

CVSS v4.0

7.3

Alta

VetorAV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P
Name of the Vulnerable Software and Affected Versions pip versions prior to 1.3
Description The issue allows man-in-the-middle attackers to execute arbitrary code via a crafted response to a "pip install" operation, as pip retrieves packages from the PyPI repository using HTTP and does not perform integrity checks on package contents.
Recommendations For pip versions prior to 1.3, consider updating to version 1.3 or later to resolve the issue. As a temporary workaround, restrict the use of pip to trusted networks to minimize the risk of man-in-the-middle attacks.

Exploit

Correção

RCE

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-20

Identificadores relacionados

CVE-2013-1629
GHSA-G3P5-FJJ9-H8GJ
PYSEC-2013-8

Produtos afetados

Pip