Improper Input Validation in pip

GHSA-g3p5-fjj9-h8gj · CVE-2013-1629 · PYSEC-2013-8

Published May 13, 2022 · Modified Oct 9, 2024

Description

pip before 1.3 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which allows man-in-the-middle attackers to execute arbitrary code via a crafted response to a "pip install" operation.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2013-1629
WEB https://github.com/pypa/pip/issues/425
WEB https://github.com/pypa/pip/pull/791/files
WEB https://bugzilla.redhat.com/show_bug.cgi?id=968059
ADVISORY https://github.com/advisories/GHSA-g3p5-fjj9-h8gj
WEB https://github.com/pypa/advisory-database/tree/main/vulns/pip/PYSEC-2013-8.yaml
PACKAGE https://github.com/pypa/pip
WEB http://www.pip-installer.org/en/latest/installing.html
WEB http://www.pip-installer.org/en/latest/news.html#changelog
WEB http://www.reddit.com/r/Python/comments/17rfh7/warning_dont_use_pip_in_an_untrusted_network_a

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes