CVE-2013-1630 – pyshop
Package
Manager: pip
Name: pyshop
Vulnerable Version: >=0 <0.7.1
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C
CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00531 (percentile 0.66341)
Details
pyshop vulnerable to man-in-the-middle attacks due to using HTTP to retrieve packages from the PyPI repository. pyshop before 0.7.1 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which allows man-in-the-middle attackers to execute arbitrary code via a crafted response to a download operation.
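The two defects the advisory names (cleartext transport and no integrity check on the downloaded package) and the corresponding defensive checks, as an added example that is not pyshop's code; the URLs, sample bytes and transport callables are constructed for the demonstration.

```python
# Illustrative check, not pyshop's own code: refuse plain HTTP and verify a
# pinned SHA-256 before accepting a package. The transport callable is
# injected so the example runs offline against constructed bytes.
import hashlib
import hmac
from urllib.parse import urlparse

class IntegrityError(Exception):
    """Raised when a downloaded artifact cannot be trusted."""

def fetch_unverified(url, transport):
    # Weak pattern the advisory describes: any scheme, no digest check,
    # so whatever an on-path party returns is accepted as the package.
    return transport(url)

def fetch_verified(url, expected_sha256, transport):
    # Hardened form: TLS-only URL and a constant-time digest comparison.
    if urlparse(url).scheme.lower() != "https":
        raise IntegrityError(f"refusing non-TLS download: {url}")
    data = transport(url)
    digest = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(digest, expected_sha256.lower()):
        raise IntegrityError(f"digest mismatch for {url}: {digest}")
    return data

# Constructed sample artifacts and hypothetical URLs (not real PyPI content).
GENUINE = b"genuine sdist bytes"
TAMPERED = b"tampered sdist bytes"
GENUINE_SHA256 = hashlib.sha256(GENUINE).hexdigest()
URL_HTTP = "http://pypi.example/pyshop-0.7.0.tar.gz"
URL_HTTPS = "https://pypi.example/pyshop-0.7.0.tar.gz"

def honest_transport(url):
    return GENUINE

def tampering_transport(url):
    # Simulates an on-path substitution of the response body.
    return TAMPERED

def rejects(fetch, *args):
    # True if the fetch raises IntegrityError, False if it returns data.
    try:
        fetch(*args)
    except IntegrityError:
        return True
    return False
```

With a digest pinned from a trusted source (a lock file or the index's published hash), a substituted body fails the check even if the attacker also controls the transport; the unverified path accepts it silently.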
Metadata
Created: 2022-05-17T05:03:06Z
Modified: 2024-10-14T17:11:56Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-f594-f3v3-g649/GHSA-f594-f3v3-g649.json
CWE IDs: ["CWE-20"]
Alternative ID: GHSA-f594-f3v3-g649
Finding: F184
Auto approve: 1