HTTP Package Retrieval Vulnerability in Setuptools by Python Software Foundation
CVE-2013-1633

Currently unrated

Key Information:

Vendor: Python

CVE Published: 6 August 2013

What is CVE-2013-1633?

Setuptools, a package development and distribution library for Python, has a vulnerability that allows man-in-the-middle attackers to execute arbitrary code. It occurs because easy_install in versions prior to 0.7 retrieves packages over plain HTTP and does not verify the integrity of the package contents. An attacker positioned on the network path can intercept the HTTP response and substitute malicious code during package retrieval. Developers should update to a version that is not affected (0.7 or later) and retrieve packages only through methods that protect the transport and verify package integrity.
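The two controls the description says were missing, transport protection and an integrity check, are sketched below as an added example; it is not Setuptools or easy_install code. It assumes a reviewed lock file in pip's hash-checking line format (`name==version --hash=sha256:...`); the function names, `demo-pkg` and `index.example` are hypothetical and the sample bytes are constructed.

```python
import hashlib
import hmac
import re
from urllib.parse import urlsplit

class UntrustedArtifact(Exception):
    """Download failed the transport or integrity policy."""

# Assumed lock line format: name==version --hash=sha256:<64 lowercase hex chars>
PIN_RE = re.compile(r"^(\S+)==(\S+)\s+--hash=sha256:([0-9a-f]{64})$")

def load_pins(lock_text):
    """Parse a reviewed lock file into {(name, version): sha256_hex}."""
    pins = {}
    for line in lock_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = PIN_RE.match(line)
        if m is None:
            raise ValueError(f"unpinned or malformed requirement: {line!r}")
        pins[(m.group(1).lower(), m.group(2))] = m.group(3)
    return pins

def verify_download(name, version, url, data, pins):
    """Accept bytes only if fetched over HTTPS and equal to the pinned digest."""
    if urlsplit(url).scheme.lower() != "https":
        raise UntrustedArtifact(f"refusing non-HTTPS source: {url}")
    # The digest must come from the lock file, never from the download response.
    expected = pins.get((name.lower(), version))
    if expected is None:
        raise UntrustedArtifact(f"no pinned digest for {name}=={version}")
    actual = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(actual, expected):
        raise UntrustedArtifact(f"digest mismatch for {name}=={version}")
    return actual

# Constructed sample data: a stand-in archive, a modified copy, and the lock file.
GOOD = b"constructed sdist bytes for demo-pkg 1.0"
TAMPERED = GOOD + b"\n# bytes changed in transit"
LOCK = f"# reviewed pins\ndemo-pkg==1.0 --hash=sha256:{hashlib.sha256(GOOD).hexdigest()}\n"
PINS = load_pins(LOCK)

if __name__ == "__main__":
    url = "https://index.example/demo-pkg-1.0.tar.gz"
    print(verify_download("demo-pkg", "1.0", url, GOOD, PINS))
```

pip enforces the same policy natively with `pip install --require-hashes -r requirements.txt`.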
