Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1nM3A1LWZqajktaDhnas3yZA
Improper Input Validation in pip
pip before 1.3 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which allows man-in-the-middle attackers to execute arbitrary code via a crafted response to a "pip install" operation.
Permalink: https://github.com/advisories/GHSA-g3p5-fjj9-h8gjJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1nM3A1LWZqajktaDhnas3yZA
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 2 years ago
Updated: over 1 year ago
Identifiers: GHSA-g3p5-fjj9-h8gj, CVE-2013-1629
References:
- https://nvd.nist.gov/vuln/detail/CVE-2013-1629
- https://github.com/pypa/pip/issues/425
- https://github.com/pypa/pip/pull/791/files
- https://bugzilla.redhat.com/show_bug.cgi?id=968059
- http://www.pip-installer.org/en/latest/installing.html
- http://www.pip-installer.org/en/latest/news.html#changelog
- http://www.reddit.com/r/Python/comments/17rfh7/warning_dont_use_pip_in_an_untrusted_network_a/
- https://github.com/advisories/GHSA-g3p5-fjj9-h8gj
- https://github.com/pypa/advisory-database/tree/main/vulns/pip/PYSEC-2013-8.yaml
Blast Radius: 0.0
Affected Packages
pypi:pip
Dependent packages: 902Dependent repositories: 35,613
Downloads: 352,870,441 last month
Affected Version Ranges: < 1.3
Fixed in: 1.3
All affected versions: 0.2.1, 0.3.1, 0.5.1, 0.6.1, 0.6.2, 0.6.3, 0.7.1, 0.7.2, 0.8.1, 0.8.2, 0.8.3, 1.0.1, 1.0.2, 1.2.1
All unaffected versions: 1.3.1, 1.4.1, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.5.5, 1.5.6, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.1.0, 6.1.1, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.1.0, 7.1.1, 7.1.2, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.1.0, 8.1.1, 8.1.2, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 10.0.0, 10.0.1, 19.0.1, 19.0.2, 19.0.3, 19.1.1, 19.2.1, 19.2.2, 19.2.3, 19.3.1, 20.0.1, 20.0.2, 20.1.1, 20.2.1, 20.2.2, 20.2.3, 20.2.4, 20.3.1, 20.3.2, 20.3.3, 20.3.4, 21.0.1, 21.1.1, 21.1.2, 21.1.3, 21.2.1, 21.2.2, 21.2.3, 21.2.4, 21.3.1, 22.0.1, 22.0.2, 22.0.3, 22.0.4, 22.1.1, 22.1.2, 22.2.1, 22.2.2, 22.3.1, 23.0.1, 23.1.1, 23.1.2, 23.2.1, 23.3.1, 23.3.2