PYSEC-2013-8
See a problem?- Import Source
- https://github.com/pypa/advisory-database/blob/main/vulns/pip/PYSEC-2013-8.yaml
- JSON Data
- https://api.osv.dev/v1/vulns/PYSEC-2013-8
- Aliases
- Published
- 2013-08-06T02:52:00Z
- Modified
- 2023-11-08T03:57:14.405621Z
- Summary
- [none]
- Details
-
pip before 1.3 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which allows man-in-the-middle attackers to execute arbitrary code via a crafted response to a "pip install" operation.
- References
-
- https://github.com/pypa/pip/issues/425
- https://github.com/pypa/pip/pull/791/files
- http://www.pip-installer.org/en/latest/installing.html
- http://www.pip-installer.org/en/latest/news.html#changelog
- http://www.reddit.com/r/Python/comments/17rfh7/warning_dont_use_pip_in_an_untrusted_network_a/
- https://bugzilla.redhat.com/show_bug.cgi?id=968059
- https://github.com/advisories/GHSA-g3p5-fjj9-h8gj
Affected packages
PyPI / pip
Package
- Name
- pip
- View open source insights on deps.dev
- Purl
- pkg:pypi/pip
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed1.3