fkie_nvd - fkie_cve-2013-1633

fkie_cve-2013-1633

Vulnerability from fkie_nvd

Published

2013-08-06 02:52

Modified

2025-04-11 00:51

Severity ?

Summary

easy_install in setuptools before 0.7 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which allows man-in-the-middle attackers to execute arbitrary code via a crafted response to the default use of the product.

References

URL	Tags
cve@mitre.org	http://www.reddit.com/r/Python/comments/17rfh7/warning_dont_use_pip_in_an_untrusted_network_a/
cve@mitre.org	https://pypi.python.org/pypi/setuptools/0.9.8#changes	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.reddit.com/r/Python/comments/17rfh7/warning_dont_use_pip_in_an_untrusted_network_a/
af854a3a-2127-422b-91ae-364da2661108	https://pypi.python.org/pypi/setuptools/0.9.8#changes	Vendor Advisory

Impacted products

Vendor	Product	Version
python	setuptools	*
python	setuptools	0.6.40
python	setuptools	0.6.41
python	setuptools	0.6.42
python	setuptools	0.6.43
python	setuptools	0.6.44
python	setuptools	0.6.45
python	setuptools	0.6.46
python	setuptools	0.6.47
python	setuptools	0.6.48
python	setuptools	0.6.49

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:python:setuptools:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "98A58C30-8685-466E-8B39-9041F8610F0B",
              "versionEndIncluding": "0.7b4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:python:setuptools:0.6.40:*:*:*:*:*:*:*",
              "matchCriteriaId": "D2F5E989-AA4A-45DB-AD38-8B6F3E6623CD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:python:setuptools:0.6.41:*:*:*:*:*:*:*",
              "matchCriteriaId": "3AAAA31F-ADB7-4EB6-A224-B9E2D9AD2580",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:python:setuptools:0.6.42:*:*:*:*:*:*:*",
              "matchCriteriaId": "B08D7F14-EB7C-485C-BD6A-1BAE031A6CFB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:python:setuptools:0.6.43:*:*:*:*:*:*:*",
              "matchCriteriaId": "43239CDF-E50A-4B9C-900F-B87BC5887A9F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:python:setuptools:0.6.44:*:*:*:*:*:*:*",
              "matchCriteriaId": "F41C30F2-9179-4900-BF9B-A0608234396A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:python:setuptools:0.6.45:*:*:*:*:*:*:*",
              "matchCriteriaId": "B25FAC3B-A576-4B65-8B3E-4E9027C39CE4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:python:setuptools:0.6.46:*:*:*:*:*:*:*",
              "matchCriteriaId": "593B1342-E84E-446D-B35E-22E66BC300E8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:python:setuptools:0.6.47:*:*:*:*:*:*:*",
              "matchCriteriaId": "307E98F8-BD9E-4229-AB24-D844391B8E70",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:python:setuptools:0.6.48:*:*:*:*:*:*:*",
              "matchCriteriaId": "932A450D-0A73-4593-954E-5584066B17D7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:python:setuptools:0.6.49:*:*:*:*:*:*:*",
              "matchCriteriaId": "3666BF98-9FC4-42CC-A1C3-437CDF3E4DE5",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "easy_install in setuptools before 0.7 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which allows man-in-the-middle attackers to execute arbitrary code via a crafted response to the default use of the product."
    },
    {
      "lang": "es",
      "value": "easy_install en setuptools anterior a v0.7 utiliza HTTP para recuperar paquetes del repositorio PyPI, y no realiza comprobaciones de integridad en el contenido del paquete, que permite a atacantes man-in-the-middle ejecutar c\u00f3digo arbitrario a trav\u00e9s de una respuesta dise\u00f1ada para el uso por defecto del producto."
    }
  ],
  "id": "CVE-2013-1633",
  "lastModified": "2025-04-11T00:51:21.963",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 6.8,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ]
  },
  "published": "2013-08-06T02:52:10.333",
  "references": [
    {
      "source": "cve@mitre.org",
      "url": "http://www.reddit.com/r/Python/comments/17rfh7/warning_dont_use_pip_in_an_untrusted_network_a/"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://pypi.python.org/pypi/setuptools/0.9.8#changes"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.reddit.com/r/Python/comments/17rfh7/warning_dont_use_pip_in_an_untrusted_network_a/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://pypi.python.org/pypi/setuptools/0.9.8#changes"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-20"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

CVE-2013-1633 (GCVE-0-2013-1633)

Vulnerability from cvelistv5

Published

2013-08-06 01:00