Lucene search

GoogleOSV:GHSA-C5H8-CQ4V-CVFM

HistoryMay 24, 2022 - 10:01 p.m.

Improper Authentication in pip

2022-05-2422:01:03

Google

osv.dev

python pip

mirroring support

dns querying

man-in-the-middle attacks

authentication

security

EPSS

0.002

Percentile

52.9%

JSON

The mirroring support (-M, --use-mirrors) in Python Pip before 1.5 uses insecure DNS querying and authenticity checks which allows attackers to perform man-in-the-middle attacks.

References

lists.fedoraproject.org/pipermail/package-announce/2015-April/155248.html

lists.fedoraproject.org/pipermail/package-announce/2015-April/155291.html

www.openwall.com/lists/oss-security/2013/08/21/17

www.openwall.com/lists/oss-security/2013/08/21/18

www.securityfocus.com/bid/77520

bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-5123

bugzilla.suse.com/show_bug.cgi?id=CVE-2013-5123

github.com/advisories/GHSA-c5h8-cq4v-cvfm

github.com/pypa/advisory-database/tree/main/vulns/pip/PYSEC-2019-160.yaml

nvd.nist.gov/vuln/detail/CVE-2013-5123

security-tracker.debian.org/tracker/CVE-2013-5123

EPSS

0.002

Percentile

52.9%

JSON

Related for OSV:GHSA-C5H8-CQ4V-CVFM