Vulnerability CVE-2013-1633

Vulnerability Name:

CVE-2013-1633 (CCN-86299)

Assigned:

2013-02-06

Published:

2013-02-06

Updated:

2013-10-11

Summary:

easy_install in setuptools before 0.7 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which allows man-in-the-middle attackers to execute arbitrary code via a crafted response to the default use of the product.

CVSS v3 Severity:

7.3 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): Low Integrity (I): Low Availibility (A): Low

CVSS v2 Severity:

6.8 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P)
5.0 Medium (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Authentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): Partial

6.8 Medium (CCN CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P)
5.0 Medium (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Athentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): Partial

Vulnerability Type:

CWE-20

Vulnerability Consequences:

Gain Access

References:

Source: MITRE
Type: CNA
CVE-2013-1633

Source: CCN
Type: reddit Web site
Warning: don't use pip in an untrusted network! a practical man-in-the-middle attack on pip

Source: MISC
Type: UNKNOWN
http://www.reddit.com/r/Python/comments/17rfh7/warning_dont_use_pip_in_an_untrusted_network_a/

Source: CCN
Type: BID-61827
Python 'setuptools' Man in The Middle Vulnerability

Source: XF
Type: UNKNOWN
easyinstall-cve20131633-code-exec(86299)

Source: CCN
Type: PyPI Python Web site
PyPI - the Python Package Index : Python Package Index

Source: CONFIRM
Type: Vendor Advisory
https://pypi.python.org/pypi/setuptools/0.9.8#changes

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2013-1633

Vulnerable Configuration:

Configuration 1:

cpe:/a:python:setuptools:0.6.40:*:*:*:*:*:*:*

OR cpe:/a:python:setuptools:0.6.41:*:*:*:*:*:*:*

OR cpe:/a:python:setuptools:0.6.42:*:*:*:*:*:*:*

OR cpe:/a:python:setuptools:0.6.43:*:*:*:*:*:*:*

OR cpe:/a:python:setuptools:0.6.44:*:*:*:*:*:*:*

OR cpe:/a:python:setuptools:0.6.45:*:*:*:*:*:*:*

OR cpe:/a:python:setuptools:0.6.46:*:*:*:*:*:*:*

OR cpe:/a:python:setuptools:0.6.47:*:*:*:*:*:*:*

OR cpe:/a:python:setuptools:0.6.48:*:*:*:*:*:*:*

OR cpe:/a:python:setuptools:0.6.49:*:*:*:*:*:*:*

OR cpe:/a:python:setuptools:*:*:*:*:*:*:*:* (Version <= 0.7b4)

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:26175	P	Security update for xen (Moderate)	2021-12-01
oval:org.opensuse.security:def:20131633	V	CVE-2013-1633	2021-10-13
oval:org.opensuse.security:def:55943	P	Security update for bind (Moderate)	2021-08-30
oval:org.opensuse.security:def:56055	P	Security update for MozillaFirefox (Important)	2021-08-17
oval:org.opensuse.security:def:26100	P	Security update for djvulibre (Important)	2021-08-05
oval:org.opensuse.security:def:57486	P	Security update for djvulibre (Important)	2021-08-05
oval:org.opensuse.security:def:26099	P	Security update for libsndfile (Critical)	2021-08-05
oval:org.opensuse.security:def:36550	P	python-setuptools-0.6c11-5.2.1 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:55186	P	Security update for djvulibre (Important)	2021-05-19
oval:org.opensuse.security:def:56017	P	Security update for the Linux Kernel (Important)	2021-05-17
oval:org.opensuse.security:def:55851	P	Security update for krb5-appl (Important)	2021-02-19
oval:org.opensuse.security:def:55292	P	Security update for jasper (Important)	2021-02-16
oval:org.opensuse.security:def:26111	P	Security update for cups (Moderate)	2021-02-02
oval:org.opensuse.security:def:54775	P	Security update for MozillaFirefox (Important)	2021-01-12
oval:org.opensuse.security:def:27577	P	vte-devel on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:28106	P	Security update for glibc (Important)	2020-12-01
oval:org.opensuse.security:def:54635	P	mutt on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:26729	P	krb5 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:26848	P	yast2-core on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:27871	P	Security update for python-setuptools	2020-12-01
oval:org.opensuse.security:def:27659	P	Security update for rubygem-rack	2020-12-01
oval:org.opensuse.security:def:28150	P	Security update for jpeg (Moderate)	2020-12-01
oval:org.opensuse.security:def:26778	P	logrotate on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:26422	P	Security update for Chromium (Important)	2020-12-01
oval:org.opensuse.security:def:26999	P	openCryptoki on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:27716	P	Security update for ctdb	2020-12-01
oval:org.opensuse.security:def:28788	P	Security update for mutt	2020-12-01
oval:org.opensuse.security:def:55013	P	squashfs on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:26817	P	rsync on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:26423	P	Security update for opencv (Important)	2020-12-01
oval:org.opensuse.security:def:27052	P	w3m on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:27800	P	Security update for libmspack (Moderate)	2020-12-01
oval:org.opensuse.security:def:28823	P	Security update for python-setuptools	2020-12-01
oval:org.opensuse.security:def:56136	P	Security update for poppler (Moderate)	2020-12-01
oval:org.opensuse.security:def:26303	P	Security update for dnsmasq (Moderate)	2020-12-01
oval:org.opensuse.security:def:26831	P	tar on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:26434	P	Security update for pdns (Important)	2020-12-01
oval:org.opensuse.security:def:27101	P	cron on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:27373	P	avahi-compat-howl-devel on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:27951	P	Security update for ImageMagick (Important)	2020-12-01
oval:org.opensuse.security:def:57412	P	Security update for lzo	2020-12-01
oval:org.opensuse.security:def:26384	P	Security update for chromium (Moderate)	2020-12-01
oval:org.opensuse.security:def:26875	P	coolkey on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:26498	P	Security update for nextcloud (Moderate)	2020-12-01
oval:org.opensuse.security:def:27140	P	gstreamer-0_10-plugins-base on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:27374	P	bind-devel-32bit on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:28004	P	Security update for Xerces-c (Moderate)	2020-12-01
oval:org.opensuse.security:def:55458	P	Security update for xen (Moderate)	2020-12-01
oval:org.opensuse.security:def:26441	P	Security update for phpMyAdmin (Moderate)	2020-12-01
oval:org.opensuse.security:def:27513	P	lzo-devel on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:26626	P	pam_mount on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:27154	P	kbd on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:27385	P	cvs-doc on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:28053	P	Security update for cvs (Moderate)	2020-12-01
oval:org.opensuse.security:def:54612	P	libtag1 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:55743	P	Security update for bind (Important)	2020-12-01
oval:org.opensuse.security:def:26525	P	avahi on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:27548	P	python-setuptools on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:26707	P	glib2 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:27198	P	libmysql55client18-32bit on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:27449	P	libgnutls-devel on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:28092	P	Security update for ghostscript-library (Moderate)	2020-12-01
oval:org.opensuse.security:def:54613	P	libtasn1 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:26676	P	cifs-utils on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:26764	P	librpcsecgss on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:27836	P	Security update for mozilla-nspr (Moderate)	2020-12-01
oval:org.mitre.oval:def:24678	P	SUSE-SU-2014:0523-1 -- Security update for python-setuptools	2014-09-08
oval:org.opensuse.security:def:80120	P	Security update for python-setuptools	2014-04-09
oval:com.ubuntu.precise:def:20131633000	V	CVE-2013-1633 on Ubuntu 12.04 LTS (precise) - low.	2013-08-05

BACK