CVE-2013-1629: Improper Input Validation in pip

May 13, 2022 (updated October 9, 2024)

pip before 1.3 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which allows man-in-the-middle attackers to execute arbitrary code via a crafted response to a “pip install” operation.

References

bugzilla.redhat.com/show_bug.cgi?id=968059
github.com/advisories/GHSA-g3p5-fjj9-h8gj
github.com/pypa/advisory-database/tree/main/vulns/pip/PYSEC-2013-8.yaml
github.com/pypa/pip
github.com/pypa/pip/issues/425
github.com/pypa/pip/pull/791/files
nvd.nist.gov/vuln/detail/CVE-2013-1629

Detect and mitigate CVE-2013-1629 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →