Lucene search

GoogleOSV:GHSA-G3P5-FJJ9-H8GJ

HistoryMay 13, 2022 - 1:11 a.m.

Improper Input Validation in pip

2022-05-1301:11:25

Google

osv.dev

6.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.002 Low

EPSS

Percentile

54.5%

JSON

pip before 1.3 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which allows man-in-the-middle attackers to execute arbitrary code via a crafted response to a “pip install” operation.

CPENameOperatorVersion
pipeq0.8.1
pipeq1.2.1
pipeq0.4
pipeq0.3
pipeq0.6.3
pipeq0.7
pipeq1.2
pipeq0.7.2
pipeq0.6
pipeq0.5

Name	Operator	Version
pip	eq	0.8.1
pip	eq	1.2.1
pip	eq	0.4
pip	eq	0.3
pip	eq	0.6.3
pip	eq	0.7
pip	eq	1.2
pip	eq	0.7.2
pip	eq	0.6
pip	eq	0.5

Rows per page:

1-10 of 241

References

www.pip-installer.org/en/latest/installing.html

www.pip-installer.org/en/latest/news.html#changelog

www.reddit.com/r/Python/comments/17rfh7/warning_dont_use_pip_in_an_untrusted_network_a

bugzilla.redhat.com/show_bug.cgi?id=968059

github.com/advisories/GHSA-g3p5-fjj9-h8gj

github.com/pypa/advisory-database/tree/main/vulns/pip/PYSEC-2013-8.yaml

github.com/pypa/pip/issues/425

github.com/pypa/pip/pull/791/files

nvd.nist.gov/vuln/detail/CVE-2013-1629

6.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.002 Low

EPSS

Percentile

54.5%

JSON

Related for OSV:GHSA-G3P5-FJJ9-H8GJ