Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2013-5123Improper Authentication in PIP

CWE-287Improper Authentication13 documents8 sources
Severity
5.9MEDIUMNVD
EPSS
12.4%
top 6.09%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
5
Pypa PIPDebian LinuxFedoraproject Fedora+2 more
Timeline
PublishedNov 5
Latest updateMay 24

Description

The mirroring support (-M, --use-mirrors) in Python Pip before 1.5 uses insecure DNS querying and authenticity checks which allows attackers to perform man-in-the-middle attacks.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 2.2 | Impact: 3.6

Affected Packages4 packages

NVDpypa/pip< 1.5
PyPIpypa/pip< 1.5
NVDredhat/openshift1.0, 2.0+1

Also affects: Debian Linux 10.0, 8.0, 9.0, Fedora 20, 21

Patches

Patch: bugzilla.redhat.comPatch: bugzilla.redhat.com

🔴Vulnerability Details

4
GHSA
Improper Authentication in pip2022-05-24
OSV
Improper Authentication in pip2022-05-24
OSV
CVE-2013-5123: The mirroring support (-M, --use-mirrors) in Python Pip before 12019-11-05
CVEList
CVE-2013-5123: The mirroring support (-M, --use-mirrors) in Python Pip before 12019-11-05

💥Exploits & PoCs

1
Exploit-DB
phlyLabs phlyMail Lite 4.03.04 - 'go' Open Redirect2013-01-13

📋Vendor Advisories

2
Red Hat
python-pip: insecure software download with mirroring support2013-07-31
Debian
CVE-2013-5123: python-pip - The mirroring support (-M, --use-mirrors) in Python Pip before 1.5 uses insecure...2013

💬Community

5
Bugzilla
CVE-2013-5123 python-pip: insecure software download with mirroring support [fedora-all]2014-11-04
Bugzilla
CVE-2013-5123 python-pip: insecure software download with mirroring support [epel-all]2014-11-04
Bugzilla
CVE-2013-5123 python-virtualenv: python-pip: insecure software download with mirroring support [fedora-all]2014-11-04
Bugzilla
CVE-2013-5123 python-virtualenv: python-pip: insecure software download with mirroring support [epel-all]2014-11-04
Bugzilla
CVE-2013-5123 python-pip: insecure software download with mirroring support2014-02-18
CVE-2013-5123 — Improper Authentication in Pypa PIP | cvebase