Man-in-the-Middle Vulnerability in pip prior to 1.3
CVE-2013-1629

Key Information:

Vendor: Pypa
Status: Vendor
CVE Published: 6 August 2013

What is CVE-2013-1629?

The vulnerability in pip prior to version 1.3 arises from its reliance on plain HTTP to retrieve packages from the PyPI repository, with no integrity check on the downloaded package contents. Because nothing authenticates the download, a man-in-the-middle attacker positioned on the network path can intercept and alter the package installation process, and a malicious response received during a 'pip install' operation can lead to arbitrary code execution on the installing host. Users operating in untrusted network environments are particularly at risk, since that is where an attacker can most readily exploit this flaw to compromise systems.
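As an added illustration that is not part of this CVE record, the integrity check the vulnerable pip lacked, in the form pip later adopted: a requirements line pins the package's digest with `--hash=<algo>:<hexdigest>`, and a downloaded archive is rejected unless it matches a pinned digest. The parser, verifier, and sample archive bytes below are constructed for this example and are not pip's own code.

```python
import hashlib
import hmac
import re
from typing import Dict, List

# Constructed helper: matches pip's "--hash=<algo>:<hexdigest>" requirement option.
HASH_OPT = re.compile(r"--hash=(?P<algo>[a-z0-9_]+):(?P<digest>[0-9a-fA-F]+)")


def parse_requirement_hashes(line: str) -> Dict[str, List[str]]:
    """Collect the pinned digests from one requirements.txt line, keyed by algorithm."""
    hashes: Dict[str, List[str]] = {}
    for m in HASH_OPT.finditer(line):
        algo = m.group("algo").lower()
        if algo not in hashlib.algorithms_available:
            raise ValueError(f"unsupported hash algorithm: {algo}")
        hashes.setdefault(algo, []).append(m.group("digest").lower())
    return hashes


def verify_artifact(data: bytes, hashes: Dict[str, List[str]]) -> bool:
    """Return True only if the archive matches at least one pinned digest.

    An empty pin set fails closed: installing an unverified download is exactly
    the condition CVE-2013-1629 describes.
    """
    if not hashes:
        return False
    for algo, digests in hashes.items():
        actual = hashlib.new(algo, data).hexdigest()
        for expected in digests:
            # Constant-time comparison avoids leaking how many bytes matched.
            if hmac.compare_digest(actual, expected):
                return True
    return False


def install_check(line: str, downloaded: bytes) -> str:
    """Decide whether a downloaded archive may be installed under the given line."""
    pins = parse_requirement_hashes(line)
    return "install" if verify_artifact(downloaded, pins) else "reject"


# Constructed sample: the bytes a client would have downloaded over the network,
# and the requirement line that pins their sha256 ahead of time.
GOOD_ARCHIVE = b"PK\x03\x04 constructed sample archive bytes"
GOOD_SHA256 = hashlib.sha256(GOOD_ARCHIVE).hexdigest()
REQ_LINE = f"example-package==1.0 --hash=sha256:{GOOD_SHA256}"

if __name__ == "__main__":
    print(install_check(REQ_LINE, GOOD_ARCHIVE))                 # install
    print(install_check(REQ_LINE, GOOD_ARCHIVE + b"x"))          # reject (altered in transit)
    print(install_check("example-package==1.0", GOOD_ARCHIVE))   # reject (no pin at all)
```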

References

EPSS Score

39% chance of being exploited in the next 30 days.

Timeline

  • Vulnerability Reserved

  • Vulnerability published
