Description
pyshop vulnerable to man-in-the-middle attacks due to using HTTP to retrieve packages from the PyPI repository
pyshop before 0.7.1 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which allows man-in-the-middle attackers to execute arbitrary code via a crafted response to a download operation.
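The two missing controls the advisory names are a transport check (HTTPS, not HTTP) and an integrity check on the fetched package. The following is an added example, not pyshop's own code, showing how a downloader can enforce both before a package is installed; it assumes the index link carries the expected digest as a URL fragment in the `#sha256=<hex>` convention and takes the fetch function as a parameter so it runs offline.

```python
"""Added example (not pyshop's code): enforce HTTPS and a digest check on a
package download, the two controls whose absence CVE-2013-1630 describes.
Assumption: the index link ends in a PyPI-style '#sha256=<hex>' fragment.
"""
import hashlib
import hmac
from urllib.parse import urldefrag, urlparse


class InsecureDownload(Exception):
    """Raised when a package download cannot be trusted."""


def parse_digest(fragment: str):
    """Return (algorithm, hexdigest) from a '#sha256=...' style fragment."""
    if "=" not in fragment:
        raise InsecureDownload("index link carries no digest fragment")
    algo, _, hexdigest = fragment.partition("=")
    if algo not in ("sha256", "sha512"):
        raise InsecureDownload(f"unsupported digest algorithm: {algo}")
    return algo, hexdigest.lower()


def fetch_verified(url: str, fetch) -> bytes:
    """Download `url` via fetch(plain_url) -> bytes, refusing plain HTTP
    and any body whose digest differs from the one the index published."""
    plain_url, fragment = urldefrag(url)
    if urlparse(plain_url).scheme != "https":
        raise InsecureDownload(f"refusing non-HTTPS download: {plain_url}")
    algo, expected = parse_digest(fragment)   # check the link before fetching
    data = fetch(plain_url)
    actual = hashlib.new(algo, data).hexdigest()
    if not hmac.compare_digest(actual, expected):
        raise InsecureDownload(f"{algo} mismatch: expected {expected}, got {actual}")
    return data


def verify_outcome(url: str, body: bytes) -> str:
    """Return 'ok' or the reason a download of `body` from `url` was rejected."""
    try:
        fetch_verified(url, lambda _u: body)
        return "ok"
    except InsecureDownload as exc:
        return str(exc)


# Constructed sample: a fake sdist body and the digest an index would publish.
SAMPLE_PKG = b"fake sdist bytes"
SAMPLE_URL = ("https://files.example/pyshop-0.7.1.tar.gz#sha256="
              + hashlib.sha256(SAMPLE_PKG).hexdigest())

if __name__ == "__main__":
    print(verify_outcome(SAMPLE_URL, SAMPLE_PKG))        # ok
    print(verify_outcome(SAMPLE_URL, b"tampered body"))  # sha256 mismatch ...
```

A man-in-the-middle who swaps the body is caught by the digest comparison; a link that offers only HTTP or no digest at all is rejected before anything is downloaded.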
References
- https://nvd.nist.gov/vuln/detail/CVE-2013-1630
- https://github.com/mardiros/pyshop/commit/ffadb0bcdef1e385884571670210cfd6ba351784
- https://github.com/mardiros/pyshop/blob/master/CHANGES.txt
- https://github.com/pypa/advisory-database/tree/main/vulns/pyshop/PYSEC-2013-10.yaml
- http://www.reddit.com/r/Python/comments/17rfh7/warning_dont_use_pip_in_an_untrusted_network_a
Packages
- Name: pyshop (pip)
- Affected versions: < 0.7.1
- Fixed version: 0.7.1
Related vulnerabilities
- nvd, more than 12 years ago