PyPI: setuptools
CVE-2013-1633
Safety vulnerability ID: SFTY-20130806-81952
Safety legacy ID: pyup.io-25809
Overview
Setuptools vulnerable to Man-in-the-middle attacks
Advisory
Setuptools version 0.7 includes a fix for CVE-2013-1633: Easy_install in setuptools before 0.7 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which allows man-in-the-middle attackers to execute arbitrary code via a crafted response to the default use of the product.
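As an added example (not setuptools' own code and not the 0.7 fix itself), the two controls the advisory says were missing, transport security and an integrity check on package contents, applied to an index link carrying a hash fragment in the `#<algorithm>=<hexdigest>` form used by PyPI's simple index; the URL, the package bytes and the `InsecureDownload` / `verify_download` names are constructed for illustration.

```python
import hashlib
import hmac
from urllib.parse import urlsplit


class InsecureDownload(Exception):
    """Raised when a package would be fetched or accepted unsafely."""


def require_https(url: str) -> str:
    """Reject plain-HTTP links: over HTTP an on-path attacker can replace the
    response, which is the transport half of CVE-2013-1633."""
    if urlsplit(url).scheme.lower() != "https":
        raise InsecureDownload(f"refusing non-HTTPS download URL: {url}")
    return url


def parse_hash_fragment(url: str):
    """Return (algorithm, hexdigest) from a '#sha256=...' style fragment,
    or None when the link advertises no hash."""
    fragment = urlsplit(url).fragment
    algo, _, digest = fragment.partition("=")
    algo = algo.lower()
    # md5 is accepted only because older indexes published it; prefer sha256.
    if not digest or algo not in hashlib.algorithms_available:
        return None
    return algo, digest.lower()


def verify_download(url: str, body: bytes) -> bool:
    """Accept `body` only if it came over HTTPS and matches the advertised hash.
    Raises InsecureDownload on any failure so the check cannot be skipped silently."""
    require_https(url)
    expected = parse_hash_fragment(url)
    if expected is None:
        raise InsecureDownload("index link carries no hash; package contents unverifiable")
    algo, digest = expected
    actual = hashlib.new(algo, body).hexdigest()
    if not hmac.compare_digest(actual, digest):
        raise InsecureDownload(f"{algo} mismatch: expected {digest}, got {actual}")
    return True


def is_trusted(url: str, body: bytes) -> bool:
    """Boolean wrapper for callers that log and skip rather than abort."""
    try:
        return verify_download(url, body)
    except InsecureDownload:
        return False


# Constructed sample: stand-in sdist bytes and the link an index would publish for them.
SAMPLE_SDIST = b"constructed sdist bytes for demonstration only"
SAMPLE_URL = ("https://files.example.invalid/pkg-1.0.tar.gz#sha256="
              + hashlib.sha256(SAMPLE_SDIST).hexdigest())
```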
How to Fix
Upgrade setuptools to version 0.7 or later, which includes the fix for CVE-2013-1633.
Mitigation and Workarounds
Vulnerable Functions
Functions linked to known vulnerabilities.
References
- https://getsafety.com/vulnerabilities/SFTY-20130806-81952/CVE-2013-1633
- http://www.reddit.com/r/Python/comments/17rfh7/warning_dont_use_pip_in_an_untrusted_network_a/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1633
- https://pypi.python.org/pypi/setuptools/0.9.8#changes
- https://nvd.nist.gov/vuln/detail/CVE-2013-1633
- https://github.com/pypa/advisory-database/tree/main/vulns/setuptools/PYSEC-2013-22.yaml
- https://github.com/advisories/GHSA-27x4-j476-jp5f
Verified by Safety
Our Cybersecurity Intelligence Team reviewed this vulnerability. We combine public data with our own research to find issues not yet reported to public sources.
