Lucene search
GoogleOSV:GHSA-G3P5-FJJ9-H8GJHistoryMay 13, 2022 - 1:11 a.m.
Improper Input Validation in pip
2022-05-1301:11:25
Google
osv.dev
6
input validation
pip
remote attackers
arbitrary code
EPSS
0.004
Percentile
73.0%
pip before 1.3 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which allows man-in-the-middle attackers to execute arbitrary code via a crafted response to a “pip install” operation.
References
www.pip-installer.org/en/latest/installing.html
www.pip-installer.org/en/latest/news.html#changelog
www.reddit.com/r/Python/comments/17rfh7/warning_dont_use_pip_in_an_untrusted_network_a
bugzilla.redhat.com/show_bug.cgi?id=968059
github.com/advisories/GHSA-g3p5-fjj9-h8gj
github.com/pypa/advisory-database/tree/main/vulns/pip/PYSEC-2013-8.yaml
github.com/pypa/pip/issues/425
github.com/pypa/pip/pull/791/files
nvd.nist.gov/vuln/detail/CVE-2013-1629
Related
ubuntucve
ubuntucve
CVE-2013-1629
2013-08-06 00:00:00
prion
prion
Design/Logic Flaw
2013-08-06 02:52:00
debiancve
debiancve
CVE-2013-1629
2013-08-06 02:52:10
nvd
nvd
CVE-2013-1629
2013-08-06 02:52:10
cvelist
cvelist
CVE-2013-1629
2013-08-06 01:00:00
osv
osv
PYSEC-2013-8
2013-08-06 02:52:00
github
github
Improper Input Validation in pip
2022-05-13 01:11:25
cve
cve
CVE-2013-1629
2013-08-06 02:52:10
gentoo
gentoo
pip: Multiple vulnerabilities
2013-09-12 00:00:00
nessus
nessus
GLSA-201309-05 : pip: Multiple vulnerabilities
2013-09-13 00:00:00
openvas
openvas
Gentoo Security Advisory GLSA 201309-05
2015-09-29 00:00:00