PT-2013-3287 · Python · Pip
Glyph
Published: 2013-08-06 · Updated: 2022-05-13
CVE-2013-1629
CVSS v4.0: 7.3 (High)
Vector: AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P
Name of the Vulnerable Software and Affected Versions
pip versions prior to 1.3
Description
The issue allows a man-in-the-middle attacker to execute arbitrary code on the installing host via a crafted response to a "pip install" operation: pip retrieves packages from the PyPI repository over plain HTTP and performs no integrity check on the downloaded package contents, so a substituted archive is installed and run as if it were the genuine one.
Recommendations
For pip versions prior to 1.3, update to version 1.3 or later to resolve the issue. As a temporary workaround, restrict the use of pip to trusted networks to minimize the risk of man-in-the-middle attacks.
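A small host-side check for the two conditions the advisory names, as an added example (not part of the advisory and not pip's own code). It assumes only what the advisory states: pip releases before 1.3 fetched packages without integrity verification, so an installation is of concern when its pip predates 1.3 or when its configured index is reached over plain HTTP. The function names, the conservative handling of pre-release tags, and the sample index URLs are this example's own; the `http://` URL is a constructed sample.

```python
"""Check a pip installation against the weakness described in CVE-2013-1629.

Added example, not part of the advisory or of pip. Assumptions (from the
advisory): pip < 1.3 downloaded packages without integrity checks, so the
relevant checks are the pip version and the scheme of the index URL.
"""
import re
from urllib.parse import urlsplit

FIXED_VERSION = (1, 3)  # first release the advisory names as fixed


def parse_version(text):
    """Turn '1.2.1' or '1.3rc1' into a tuple of ints for comparison.

    Only the leading digits of each dotted component are kept. A component
    with a trailing tag (e.g. '3rc1') appends a -1 marker and stops, so a
    pre-release sorts *before* the release it precedes. Any other suffix is
    treated the same way, which errs on the side of reporting 'affected'.
    """
    parts = []
    for component in text.strip().split("."):
        match = re.match(r"(\d+)(.*)", component)
        if match is None:
            break
        parts.append(int(match.group(1)))
        if match.group(2):
            parts.append(-1)
            break
    if not parts:
        raise ValueError(f"not a version string: {text!r}")
    return tuple(parts)


def pip_is_affected(version_text):
    """True when the given pip version predates the 1.3 fix."""
    found = list(parse_version(version_text))
    fixed = list(FIXED_VERSION)
    # Pad to equal length so (1, 3) and (1, 3, 0) compare as equal and a
    # pre-release marker (1, 3, -1) compares as older than the release.
    width = max(len(found), len(fixed))
    found += [0] * (width - len(found))
    fixed += [0] * (width - len(fixed))
    return found < fixed


def index_url_is_plaintext(url):
    """True when the package index would be fetched over unencrypted HTTP."""
    return urlsplit(url).scheme.lower() == "http"


def assess(version_text, index_url):
    """Return the list of findings for one pip installation (empty = clean)."""
    findings = []
    if pip_is_affected(version_text):
        findings.append(
            f"pip {version_text} predates 1.3: package downloads are not "
            "integrity-checked"
        )
    if index_url_is_plaintext(index_url):
        findings.append(f"index {index_url} is fetched over plain HTTP")
    return findings


if __name__ == "__main__":
    try:
        from importlib.metadata import version
        installed = version("pip")
    except Exception:  # no pip on this interpreter: use a constructed sample
        installed = "1.2.1"
    # Constructed sample index URLs; the real PyPI simple index is the https one.
    for url in ("https://pypi.org/simple/", "http://pypi.example.test/simple/"):
        problems = assess(installed, url)
        print(f"pip {installed} with index {url}:")
        for line in problems or ["no findings"]:
            print("  -", line)
```

Run it on a host to get a quick verdict; in an automated fleet check, call `assess()` with the version and index URL gathered from each machine and alert on a non-empty result.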
Exploit · Fix · RCE
Affected Products: Pip