CVE-2013-1633 — Improper Input Validation in Setuptools

CWE-20 — Improper Input Validation CWE-319 — Cleartext Transmission of Sensitive Info9 documents5 sources

Severity

6.8MEDIUMNVD

EPSS

0.8%

top 26.53%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Python Setuptools

Timeline

PublishedAug 6

Latest updateMay 17

Description

easy_install in setuptools before 0.7 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which allows man-in-the-middle attackers to execute arbitrary code via a crafted response to the default use of the product.

CVSS vector

AV:N/AC:M/C:P/I:P/A:PExploitability: 8.6 | Impact: 6.4

Affected Packages2 packages

▶PyPIpython/setuptools< 0.7

▶NVDpython/setuptools0.7b4+10

🔴Vulnerability Details

OSV

Setuptools vulnerable to Man-in-the-middle attacks↗2022-05-17

▶

GHSA

Setuptools vulnerable to Man-in-the-middle attacks↗2022-05-17

▶

OSV

CVE-2013-1633: easy_install in setuptools before 0↗2013-08-06

▶

📋Vendor Advisories

Red Hat

python-setuptools: easy_install insecure installation mechanism↗2013-06-02

▶

💬Community

Bugzilla

CVE-2013-1633 python-virtualenv: python-setuptools: easy_install insecure installation mechanism [epel-all]↗2013-08-08

▶

Bugzilla

CVE-2013-1633 python-virtualenv: python-setuptools: easy_install insecure installation mechanism [fedora-all]↗2013-08-08

▶

Bugzilla

CVE-2013-1633 python-setuptools: easy_install insecure installation mechanism [fedora-all]↗2013-08-08

▶

Bugzilla

CVE-2013-1633 python-setuptools: easy_install insecure installation mechanism↗2013-08-06

▶