CVE-2013-1629
NONE
Published Aug 6, 2013 · Last Modified Jun 16, 2026
Description
pip before 1.3 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which allows man-in-the-middle attackers to execute arbitrary code via a crafted response to a "pip install" operation.
Threat Intelligence
No active exploitation signals — not in CISA KEV and no EPSS score yet.
Exploit & Patch Status
Public Exploit Known
Patch Available
Weaknesses 1
CWE-20 Improper Input Validation
Affected Products 1
| Vendor | Product | Version | Range |
|---|---|---|---|
| pypa | pip | * | <1.3 |
References 6
- pip-installer.org http://www.pip-installer.org/en/latest/installing.html
- pip-installer.org http://www.pip-installer.org/en/latest/news.html#changelog
- reddit.com http://www.reddit.com/r/Python/comments/17rfh7/warning_dont_use_pip_in_an_untrusted_network_a/
- bugzilla.redhat.com https://bugzilla.redhat.com/show_bug.cgi?id=968059
- github.com https://github.com/pypa/pip/issues/425
- github.com https://github.com/pypa/pip/pull/791/files
Remediation
- github.com https://github.com/pypa/pip/pull/791/files