GitHub Advisory Database: GHSA-F594-F3V3-G649
History: May 17, 2022 - 5:03 a.m.

pyshop vulnerable to man-in-the-middle attacks due to using HTTP to retrieve packages from the PyPI repository

Published: 2022-05-17 05:03:06
Weakness: CWE-20
Source: GitHub Advisory Database (github.com)
Tags: pyshop, man-in-the-middle, http, pypi, integrity checks, arbitrary code, download operation, software

CVSS2: 6.8
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

AI Score: 7.6
Confidence: High

EPSS: 0.007
Percentile: 80.1%

pyshop before 0.7.1 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which allows man-in-the-middle attackers to execute arbitrary code via a crafted response to a download operation.
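The two defects the advisory names, a plaintext transport and no integrity check on the archive, are each mitigated by a small check that belongs in any package fetcher. The following is an added example and not pyshop's own code: `check_index_url` refuses any index URL that is not HTTPS, and `download_package` only returns an archive whose SHA-256 matches a digest supplied out of band (a lockfile or pinned hash, never the same server). The `fetch` callable, the `pypi.example` host and the archive bytes are constructed for the example so that it runs offline.

```python
import hashlib
import hmac
from urllib.parse import urlparse


def check_index_url(url: str) -> str:
    """Reject any package index URL that is not served over HTTPS."""
    parsed = urlparse(url)
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError(f"refusing package index URL without HTTPS: {url!r}")
    return url


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the downloaded bytes."""
    return hashlib.sha256(data).hexdigest()


def verify_digest(data: bytes, expected_sha256: str) -> bool:
    """Constant-time comparison of the archive's SHA-256 against the pinned digest."""
    return hmac.compare_digest(sha256_hex(data), expected_sha256.lower())


def download_package(fetch, index_url: str, filename: str, expected_sha256: str) -> bytes:
    """Download `filename` through `fetch(url) -> bytes`; return it only if both checks pass.

    `fetch` is a hypothetical caller-supplied transport (e.g. a wrapper around
    urllib) so the function can be exercised without network access.
    """
    base = check_index_url(index_url).rstrip("/")
    data = fetch(f"{base}/{filename}")
    if not verify_digest(data, expected_sha256):
        raise ValueError(f"digest mismatch for {filename}: refusing to install")
    return data


# Constructed sample: one genuine archive and a modified copy of it.
GENUINE = b"fake-sdist-contents-for-example"
TAMPERED = b"fake-sdist-contents-for-example-modified-in-transit"
# Pinned digest, as it would come from a lockfile rather than the index itself.
EXPECTED = sha256_hex(GENUINE)


def honest_fetch(url: str) -> bytes:
    """Transport that returns the genuine archive (constructed)."""
    return GENUINE


def tampering_fetch(url: str) -> bytes:
    """Transport standing in for a response altered on the path (constructed)."""
    return TAMPERED


def demo() -> dict:
    """Exercise the three cases: HTTPS + good digest, plain HTTP, and a bad digest."""
    results = {}
    results["https_ok"] = (
        download_package(honest_fetch, "https://pypi.example/simple", "pkg-1.0.tar.gz", EXPECTED)
        == GENUINE
    )
    try:
        download_package(honest_fetch, "http://pypi.example/simple", "pkg-1.0.tar.gz", EXPECTED)
        results["http_rejected"] = False
    except ValueError:
        results["http_rejected"] = True
    try:
        download_package(tampering_fetch, "https://pypi.example/simple", "pkg-1.0.tar.gz", EXPECTED)
        results["tamper_rejected"] = False
    except ValueError:
        results["tamper_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The digest is compared with `hmac.compare_digest` rather than `==` so the check does not leak timing information; the essential point is that the expected hash must come from somewhere the transport cannot influence, otherwise the integrity check only confirms that the attacker's archive matches the attacker's hash.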

Affected configurations

Vulners node: pyshop, range <0.7.1

Vendor: * | Product: pyshop | Version: * | CPE: cpe:2.3:a:*:pyshop:*:*:*:*:*:*:*:*
