CVE-2013-1630: pyshop vulnerable to man-in-the-middle attacks due to using HTTP to retrieve packages from the PyPI repository
(updated )
pyshop before 0.7.1 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which allows man-in-the-middle attackers to execute arbitrary code via a crafted response to a download operation.
References
- github.com/advisories/GHSA-f594-f3v3-g649
- github.com/mardiros/pyshop
- github.com/mardiros/pyshop/blob/master/CHANGES.txt
- github.com/mardiros/pyshop/commit/ffadb0bcdef1e385884571670210cfd6ba351784
- github.com/pypa/advisory-database/tree/main/vulns/pyshop/PYSEC-2013-10.yaml
- nvd.nist.gov/vuln/detail/CVE-2013-1630
Code Behaviors & Features
Detect and mitigate CVE-2013-1630 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →