CVE-2013-1633
setuptools < 0.7 - Remote Code Execution via Untrusted HTTP Package Retrieval
easy_install in setuptools before 0.7 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which allows man-in-the-middle attackers to execute arbitrary code via a crafted response to the default use of the product.
References (2)
- Various Sources (x_refsource_misc): http://www.reddit.com/r/Python/comments/17rfh7/warning_dont_use_pip_in_an_untrusted_network_a/
- Vendor Advisory (x_refsource_confirm): https://pypi.python.org/pypi/setuptools/0.9.8#changes
Scores
EPSS: 0.0076
EPSS Percentile: 73.7%
Details
CWE: CWE-20
Status: published
Products (12)
- pypi/setuptools: 0 - 0.7 (PyPI)
- python/setuptools: 0.6.40, 0.6.41, 0.6.42, 0.6.43, 0.6.44, 0.6.45, 0.6.46, 0.6.47, 0.6.48
... and 2 more
Published: Aug 06, 2013
Tracked Since: Feb 18, 2026