CVE-2013-1633

EUVD-2013-0040
easy_install in setuptools before 0.7 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which allows man-in-the-middle attackers to execute arbitrary code via a crafted response to the default use of the product.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
6.8 UNKNOWN
NETWORK
MEDIUM
AV:N/AC:M/Au:N/C:P/I:P/A:P
Base Score
CVSS 3.x
EPSS Score
Percentile: 73%
Affected Products (NVD)
VendorProductVersion
pythonsetuptools
𝑥
≤ 0.7b4
pythonsetuptools
0.6.40
pythonsetuptools
0.6.41
pythonsetuptools
0.6.42
pythonsetuptools
0.6.43
pythonsetuptools
0.6.44
pythonsetuptools
0.6.45
pythonsetuptools
0.6.46
pythonsetuptools
0.6.47
pythonsetuptools
0.6.48
pythonsetuptools
0.6.49
𝑥
= Vulnerable software versions
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
distribute
artful
dne
bionic
dne
cosmic
dne
disco
dne
eoan
dne
focal
dne
groovy
dne
hirsute
dne
lucid
ignored
precise
ignored
quantal
ignored
raring
ignored
saucy
ignored
trusty
dne
utopic
dne
vivid
dne
wily
dne
xenial
dne
yakkety
dne
zesty
dne
Common Weakness Enumeration
References
http://www.reddit.com/r/Python/comments/17rfh7/warning_dont_use_pip_in_an_untrusted_network_a/
https://pypi.python.org/pypi/setuptools/0.9.8#changes
http://www.reddit.com/r/Python/comments/17rfh7/warning_dont_use_pip_in_an_untrusted_network_a/
https://pypi.python.org/pypi/setuptools/0.9.8#changes