CVE-2013-1629

Published Aug 6, 2013
Last Modified Jun 16, 2026

Description

pip before 1.3 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which allows man-in-the-middle attackers to execute arbitrary code via a crafted response to a "pip install" operation.

Threat Intelligence

No active exploitation signals — not in CISA KEV and no EPSS score yet.

Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses 1

CWE-20 Improper Input Validation

Affected Products 1

Vendor   Product   Version   Range
pypa     pip       *         <1.3

References 6

  • pip-installer.org http://www.pip-installer.org/en/latest/installing.html
    Vendor Advisory
  • pip-installer.org http://www.pip-installer.org/en/latest/news.html#changelog
    Release Notes, Vendor Advisory
  • reddit.com http://www.reddit.com/r/Python/comments/17rfh7/warning_dont_use_pip_in_an_untrusted_network_a/
    Exploit, Third Party Advisory
  • bugzilla.redhat.com https://bugzilla.redhat.com/show_bug.cgi?id=968059
    Issue Tracking, Third Party Advisory
  • github.com https://github.com/pypa/pip/issues/425
    Third Party Advisory
  • github.com https://github.com/pypa/pip/pull/791/files
    Patch, Third Party Advisory

Remediation

  • github.com https://github.com/pypa/pip/pull/791/files
    Patch, Third Party Advisory