CVE-2013-1633
HIGH8.3EPSS 0.77%Setuptools vulnerable to Man-in-the-middle attacks
發布日:2022/5/17修改日:2024/10/22
描述
easy_install in setuptools before 0.7 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which allows man-in-the-middle attackers to execute arbitrary code via a crafted response to the default use of the product.
受影響套件(2)
- PyPI/setuptoolsfrom 0, < 0.7
- PyPI/setuptoolsfrom 0, < 0.7
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH8.3 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H |
參考連結(6)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2013-1633
- PATCHhttps://github.com/pypa/setuptools
- WEBhttps://github.com/pypa/advisory-database/tree/main/vulns/setuptools/PYSEC-2013-22.yaml
- WEBhttps://pypi.python.org/pypi/setuptools/0.9.8#changes
- WEBhttp://www.reddit.com/r/Python/comments/17rfh7/warning_dont_use_pip_in_an_untrusted_network_a
- WEBhttp://www.reddit.com/r/Python/comments/17rfh7/warning_dont_use_pip_in_an_untrusted_network_a/