PYSEC-2013-22

Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/setuptools/PYSEC-2013-22.yaml
JSON Data
https://api.test.osv.dev/v1/vulns/PYSEC-2013-22
Aliases
Published
2013-08-06T02:52:00Z
Modified
2023-11-01T04:44:59.450633Z
Summary
[none]
Details

easy_install in setuptools before 0.7 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which allows man-in-the-middle attackers to execute arbitrary code via a crafted response to the default use of the product.

References

Affected packages

PyPI / setuptools

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
0.7

Affected versions

0.*

0.6b1
0.6b2
0.6b3
0.6b4
0.6c1
0.6c2
0.6c3
0.6c4
0.6c5
0.6c6
0.6c7
0.6c8
0.6c9
0.6c10
0.6c11