Описание
pyshop before 0.7.1 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which allows man-in-the-middle attackers to execute arbitrary code via a crafted response to a download operation.
Ссылки
Уязвимые конфигурации
Конфигурация 1Версия до 0.7 (включая)
Одно из
cpe:2.3:a:guillaume_gauvrit:pyshop:*:*:*:*:*:*:*:*
cpe:2.3:a:guillaume_gauvrit:pyshop:0.1:*:*:*:*:*:*:*
cpe:2.3:a:guillaume_gauvrit:pyshop:0.2:*:*:*:*:*:*:*
cpe:2.3:a:guillaume_gauvrit:pyshop:0.3:*:*:*:*:*:*:*
cpe:2.3:a:guillaume_gauvrit:pyshop:0.4:*:*:*:*:*:*:*
cpe:2.3:a:guillaume_gauvrit:pyshop:0.5:*:*:*:*:*:*:*
cpe:2.3:a:guillaume_gauvrit:pyshop:0.6:*:*:*:*:*:*:*
EPSS
Процентиль: 67%
0.00531
Низкий
6.8 Medium
CVSS2
Дефекты
CWE-20
Связанные уязвимости
github
больше 3 лет назад
pyshop vulnerable to man-in-the-middle attacks due to using HTTP to retrieve packages from the PyPI repository
EPSS
Процентиль: 67%
0.00531
Низкий
6.8 Medium
CVSS2
Дефекты
CWE-20