CVE-2013-1633
HIGH8.3EPSS 0.77%Setuptools vulnerable to Man-in-the-middle attacks
Published: 5/17/2022Modified: 10/22/2024
Description
easy_install in setuptools before 0.7 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which allows man-in-the-middle attackers to execute arbitrary code via a crafted response to the default use of the product.
Affected packages (2)
- PyPI/setuptoolsfrom 0, < 0.7
- PyPI/setuptoolsfrom 0, < 0.7
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH8.3 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H |
References (6)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2013-1633
- PATCHhttps://github.com/pypa/setuptools
- WEBhttps://github.com/pypa/advisory-database/tree/main/vulns/setuptools/PYSEC-2013-22.yaml
- WEBhttps://pypi.python.org/pypi/setuptools/0.9.8#changes
- WEBhttp://www.reddit.com/r/Python/comments/17rfh7/warning_dont_use_pip_in_an_untrusted_network_a
- WEBhttp://www.reddit.com/r/Python/comments/17rfh7/warning_dont_use_pip_in_an_untrusted_network_a/