Insecure DNS Querying in Python Pip Leading to Man-in-the-Middle Attacks
CVE-2013-5123

5.9MEDIUM

Key Information:

Vendor

Pypa

Vendor
CVE Published:
5 November 2019

What is CVE-2013-5123?

The mirroring support in Python Pip prior to version 1.5 suffers from insecure DNS querying and lacks proper authenticity checks. This vulnerability enables attackers to execute man-in-the-middle attacks, potentially compromising user data and the integrity of package installations. Users are advised to update to the latest version of Pip to mitigate this risk.

References

EPSS Score

12% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
5.9
Severity:
MEDIUM
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.