CVE-2013-1629

pip before 1.3 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which allows man-in-the-middle attackers to execute arbitrary code via a crafted response to a "pip install" operation.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
6.8 UNKNOWN
NETWORK
MEDIUM
AV:N/AC:M/Au:N/C:P/I:P/A:P
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 97%
VendorProductVersion
pypapip
𝑥
< 1.3
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
python-pip
bullseye
20.3.4-4+deb11u1
fixed
wheezy
no-dsa
squeeze
no-dsa
bookworm
23.0.1+dfsg-1
fixed
sid
24.3.1+dfsg-1
fixed
trixie
24.3.1+dfsg-1
fixed
python-virtualenv
bullseye
20.4.0+ds-2+deb11u1
fixed
wheezy
no-dsa
squeeze
no-dsa
bookworm
20.17.1+ds-1
fixed
sid
20.27.0+ds-1
fixed
trixie
20.27.0+ds-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
python-pip
bionic
not-affected
artful
not-affected
zesty
ignored
yakkety
ignored
xenial
not-affected
wily
ignored
vivid
ignored
utopic
ignored
trusty
not-affected
saucy
ignored
raring
ignored
quantal
ignored
precise
ignored
lucid
ignored
python-virtualenv
bionic
not-affected
artful
not-affected
zesty
not-affected
yakkety
not-affected
xenial
not-affected
wily
not-affected
vivid
not-affected
utopic
not-affected
trusty
not-affected
saucy
not-affected
raring
ignored
quantal
ignored
precise
ignored
lucid
ignored
Common Weakness Enumeration
References
http://www.pip-installer.org/en/latest/installing.html
http://www.pip-installer.org/en/latest/news.html#changelog
http://www.reddit.com/r/Python/comments/17rfh7/warning_dont_use_pip_in_an_untrusted_network_a/
https://bugzilla.redhat.com/show_bug.cgi?id=968059
https://github.com/pypa/pip/issues/425
https://github.com/pypa/pip/pull/791/files
http://www.pip-installer.org/en/latest/installing.html
http://www.pip-installer.org/en/latest/news.html#changelog
http://www.reddit.com/r/Python/comments/17rfh7/warning_dont_use_pip_in_an_untrusted_network_a/
https://bugzilla.redhat.com/show_bug.cgi?id=968059
https://github.com/pypa/pip/issues/425
https://github.com/pypa/pip/pull/791/files