6.8

CVE-2013-1629

Exploit
pip before 1.3 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which allows man-in-the-middle attackers to execute arbitrary code via a crafted response to a "pip install" operation.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
PypaPip Version < 1.3
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 6.22% 0.926
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 6.8 8.6 6.4
AV:N/AC:M/Au:N/C:P/I:P/A:P
CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

http://www.pip-installer.org/en/latest/installing.html
Vendor Advisory
http://www.pip-installer.org/en/latest/news.html#changelog
Vendor Advisory
Release Notes
http://www.reddit.com/r/Python/comments/17rfh7/warning_dont_use_pip_in_an_untrusted_network_a/
Third Party Advisory
Exploit
https://bugzilla.redhat.com/show_bug.cgi?id=968059
Third Party Advisory
Issue Tracking
https://github.com/pypa/pip/issues/425
Third Party Advisory
https://github.com/pypa/pip/pull/791/files
Patch
Third Party Advisory