{"id":"PYSEC-2013-10","details":"pyshop before 0.7.1 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which allows man-in-the-middle attackers to execute arbitrary code via a crafted response to a download operation.","aliases":["CVE-2013-1630","GHSA-f594-f3v3-g649"],"modified":"2024-04-30T15:11:51.575998Z","published":"2013-08-06T02:52:00Z","references":[{"type":"WEB","url":"http://www.reddit.com/r/Python/comments/17rfh7/warning_dont_use_pip_in_an_untrusted_network_a/"},{"type":"WEB","url":"https://github.com/mardiros/pyshop/blob/master/CHANGES.txt"},{"type":"FIX","url":"https://github.com/mardiros/pyshop/commit/ffadb0bcdef1e385884571670210cfd6ba351784"}],"affected":[{"package":{"name":"pyshop","ecosystem":"PyPI","purl":"pkg:pypi/pyshop"},"ranges":[{"type":"GIT","repo":"https://github.com/mardiros/pyshop","events":[{"introduced":"0"},{"fixed":"ffadb0bcdef1e385884571670210cfd6ba351784"}]},{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.7.1"}]}],"versions":["0.1","0.2","0.3","0.4","0.5","0.6","0.7"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/pyshop/PYSEC-2013-10.yaml"}}],"schema_version":"1.7.3"}