CVE-2013-1633 — Setuptools vulnerable to Man-in-the-middle attacks

Description

easy_install in setuptools before 0.7 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which allows man-in-the-middle attackers to execute arbitrary code via a crafted response to the default use of the product.

How to fix CVE-2013-1633

To remediate CVE-2013-1633, upgrade the affected package to a fixed version below.

—upgrade to 0.7 or later
—upgrade to 0.7 or later

Is CVE-2013-1633 being exploited?

Low — EPSS is 0.8%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 0.7
from 0, < 0.7

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.3	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

References (7)

ADVISORYgithub.com/advisories/GHSA-27x4-j476-jp5f
ADVISORYnvd.nist.gov/vuln/detail/CVE-2013-1633
PATCHgithub.com/pypa/setuptools
WEBgithub.com/pypa/advisory-database/tree/main/vulns/setuptools/PYSEC-2013-22.yaml
WEB