PT-2013-3288 · Pypi · Pyshop

Published

2013-08-06

Updated

2022-05-17

CVE-2013-1630

CVSS v4.0

8.2

High

Vector

AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions pyshop versions prior to 0.7.1

Description The issue allows man-in-the-middle attackers to execute arbitrary code via a crafted response to a download operation, as it uses HTTP to retrieve packages from the PyPI repository and does not perform integrity checks on package contents.

Recommendations For versions prior to 0.7.1, update to version 0.7.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the PyPI repository or using a secure connection to minimize the risk of exploitation.

Fix

RCE

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-20

Related Identifiers

CVE-2013-1630

GHSA-F594-F3V3-G649

PYSEC-2013-10

Affected Products

Pyshop

PT-2013-3288 · Pypi · Pyshop

CVE-2013-1630

Weakness Enumeration

Related Identifiers

Affected Products

References · 8