CVE-2013-1888: Link Following in PIP

CWE-59: Link Following | 7 documents | 6 sources
Severity: 2.1 LOW (NVD)
EPSS: 0.1% (top 75.38%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: Aug 17
Latest update: May 13

Description

pip before 1.3 allows local users to overwrite arbitrary files via a symlink attack on a file in the /tmp/pip-build temporary directory.

CVSS vector

AV:L/AC:L/C:N/I:P/A:N
Exploitability: 3.9 | Impact: 2.9

Affected Packages (2 packages)

NVD: pypa/pip < 1.3
PyPI: pypa/pip < 1.3

Also affects: Fedora 17, 18, 19

Patches

🔴 Vulnerability Details (4)

OSV: Improper Link Resolution Before File Access in pip (2022-05-13)
GHSA: Improper Link Resolution Before File Access in pip (2022-05-13)
OSV: CVE-2013-1888: pip before 1 (2013-08-17)
CVEList: CVE-2013-1888: pip before 1 (2013-08-16)

📋 Vendor Advisories (1)

Debian: CVE-2013-1888: python-pip - pip before 1.3 allows local users to overwrite arbitrary files via a symlink att... (2013)

💬 Community (1)

Bugzilla: CVE-2013-1888 python-pip: insecure temporary directory usage (2013-03-20)
CVE-2013-1888 — Link Following in Pypa PIP | cvebase