CVE-2013-5123
published 2019-11-05CVE-2013-5123: The mirroring support (-M, --use-mirrors) in Python Pip before 1.5 uses insecure DNS querying and authenticity checks which allows attackers to perform…
PriorityP344medium5.9CVSS 3.1
AVNACHPRNUINSUCNIHAN
EXPLOIT
EPSS
7.99%
94.0th percentile
The mirroring support (-M, --use-mirrors) in Python Pip before 1.5 uses insecure DNS querying and authenticity checks which allows attackers to perform man-in-the-middle attacks.
Affected
11 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | python-pip | < python-pip 1.4.1-1 (bookworm) | python-pip 1.4.1-1 (bookworm) |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| pypa | pip | < 1.5 | 1.5 |
| pypa | pip | >= 0 < 1.5 | 1.5 |
| redhat | openshift | — | — |
| redhat | openshift | — | — |
| virtualenv | virtualenv | — | — |
CVSS provenance
nvdv3.15.9MEDIUMCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
nvdv2.04.3MEDIUMAV:N/AC:M/Au:N/C:N/I:P/A:N
osv5.9MEDIUM
vendor_debian5.9LOW
vendor_redhat5.9MEDIUM
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
Improper Authentication in pip
ghsa·2022-05-24
CVE-2013-5123 [HIGH] CWE-287 Improper Authentication in pip
Improper Authentication in pip
The mirroring support (-M, --use-mirrors) in Python Pip before 1.5 uses insecure DNS querying and authenticity checks which allows attackers to perform man-in-the-middle attacks.
OSV
Improper Authentication in pip
osv·2022-05-24
CVE-2013-5123 [HIGH] Improper Authentication in pip
Improper Authentication in pip
The mirroring support (-M, --use-mirrors) in Python Pip before 1.5 uses insecure DNS querying and authenticity checks which allows attackers to perform man-in-the-middle attacks.
OSV
CVE-2013-5123: The mirroring support (-M, --use-mirrors) in Python Pip before 1
osv·2019-11-05·CVSS 5.9
CVE-2013-5123 [MEDIUM] CVE-2013-5123: The mirroring support (-M, --use-mirrors) in Python Pip before 1
The mirroring support (-M, --use-mirrors) in Python Pip before 1.5 uses insecure DNS querying and authenticity checks which allows attackers to perform man-in-the-middle attacks.
Red Hat
python-pip: insecure software download with mirroring support
vendor_redhat·2013-07-31·CVSS 5.9
CVE-2013-5123 [MEDIUM] python-pip: insecure software download with mirroring support
python-pip: insecure software download with mirroring support
The mirroring support (-M, --use-mirrors) in Python Pip before 1.5 uses insecure DNS querying and authenticity checks which allows attackers to perform man-in-the-middle attacks.
Package: python-virtualenv (OpenShift Enterprise 1) - Will not fix
Package: python27-python-pip (Red Hat OpenShift Enterprise 2) - Will not fix
Package: python-virtualenv (Red Hat OpenShift Enterprise 2) - Will not fix
Package: python27-python-virtualenv (Red Hat Software Collections) - Affected
Package: python33-python-virtualenv (Red Hat Software Collections) - Affected
Debian
CVE-2013-5123: python-pip - The mirroring support (-M, --use-mirrors) in Python Pip before 1.5 uses insecure...
vendor_debian·2013·CVSS 5.9
CVE-2013-5123 [MEDIUM] CVE-2013-5123: python-pip - The mirroring support (-M, --use-mirrors) in Python Pip before 1.5 uses insecure...
The mirroring support (-M, --use-mirrors) in Python Pip before 1.5 uses insecure DNS querying and authenticity checks which allows attackers to perform man-in-the-middle attacks.
Scope: local
bookworm: resolved (fixed in 1.4.1-1)
bullseye: resolved (fixed in 1.4.1-1)
forky: resolved (fixed in 1.4.1-1)
sid: resolved (fixed in 1.4.1-1)
trixie: resolved (fixed in 1.4.1-1)
No detection rules found.
Bugzilla
CVE-2013-5123 python-pip: insecure software download with mirroring support [fedora-all]
bugzilla·2014-11-04·CVSS 5.9
CVE-2013-5123 [MEDIUM] CVE-2013-5123 python-pip: insecure software download with mirroring support [fedora-all]
CVE-2013-5123 python-pip: insecure software download with mirroring support [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported v
Bugzilla
CVE-2013-5123 python-pip: insecure software download with mirroring support [epel-all]
bugzilla·2014-11-04·CVSS 5.9
CVE-2013-5123 [MEDIUM] CVE-2013-5123 python-pip: insecure software download with mirroring support [epel-all]
CVE-2013-5123 python-pip: insecure software download with mirroring support [epel-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora EPEL.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supporte
Bugzilla
CVE-2013-5123 python-virtualenv: python-pip: insecure software download with mirroring support [fedora-all]
bugzilla·2014-11-04·CVSS 5.9
CVE-2013-5123 [MEDIUM] CVE-2013-5123 python-virtualenv: python-pip: insecure software download with mirroring support [fedora-all]
CVE-2013-5123 python-virtualenv: python-pip: insecure software download with mirroring support [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects m
Bugzilla
CVE-2013-5123 python-virtualenv: python-pip: insecure software download with mirroring support [epel-all]
bugzilla·2014-11-04·CVSS 5.9
CVE-2013-5123 [MEDIUM] CVE-2013-5123 python-virtualenv: python-pip: insecure software download with mirroring support [epel-all]
CVE-2013-5123 python-virtualenv: python-pip: insecure software download with mirroring support [epel-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora EPEL.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affect
Bugzilla
CVE-2013-5123 python-pip: insecure software download with mirroring support
bugzilla·2014-02-18·CVSS 5.9
CVE-2013-5123 [MEDIUM] CVE-2013-5123 python-pip: insecure software download with mirroring support
CVE-2013-5123 python-pip: insecure software download with mirroring support
The mirroring support (-M, --use-mirrors) was implemented without
any sort of authenticity checks and is downloaded over plaintext
HTTP. Further more by default it will dynamically discover the list of
available mirrors by querying a DNS entry and extrapolating from that
data. It does not attempt to use any sort of method of securing this
querying of the DNS like DNSSEC. Software packages are downloaded over
these insecure links, unpacked, and then typically the setup.py python
file inside of them is executed.
It's a pretty long thread originating here:
http://www.openwall.com/lists/oss-security/2013/08/21/18
Discussion:
Created python-pip tracking bugs for this issue:
Affects: fedora-all [bug 1160134]
---
http://lists.fedoraproject.org/pipermail/package-announce/2015-April/155248.htmlhttp://lists.fedoraproject.org/pipermail/package-announce/2015-April/155291.htmlhttp://www.openwall.com/lists/oss-security/2013/08/21/17http://www.openwall.com/lists/oss-security/2013/08/21/18http://www.securityfocus.com/bid/77520https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-5123https://bugzilla.suse.com/show_bug.cgi?id=CVE-2013-5123https://security-tracker.debian.org/tracker/CVE-2013-5123http://lists.fedoraproject.org/pipermail/package-announce/2015-April/155248.htmlhttp://lists.fedoraproject.org/pipermail/package-announce/2015-April/155291.htmlhttp://www.openwall.com/lists/oss-security/2013/08/21/17http://www.openwall.com/lists/oss-security/2013/08/21/18http://www.securityfocus.com/bid/77520https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-5123https://bugzilla.suse.com/show_bug.cgi?id=CVE-2013-5123https://security-tracker.debian.org/tracker/CVE-2013-5123
2019-11-05
Published